1. windows wmi监控进程启动
from threading import Thread from commone_windows import * import threading import Queue import time import pythoncom import os import datetime import hashlib from peewee import * import oss2 import gc import win32api import wmi DEBUG = True process_start_event_list = Queue.Queue(maxsize=9999) procs = {} # cache the md5 calculation process_path_hash_cache_dict = {} # cache the target's process startup event process_target_event_cache_dict = Queue.Queue(maxsize=9999) ############################################################ wmi monitor ############################################################ ############################################################ wmi monitor ############################################################ ############################################################ wmi monitor ############################################################ def recordProcessCreationEvent(new_process, ParentProcessName): global process_start_event_list cmdlline = new_process.CommandLine processId = new_process.ProcessId name = new_process.Name Caption = new_process.Caption ExecutablePath = new_process.ExecutablePath SessionId = new_process.SessionId processOwner = new_process.GetOwner() if processOwner: processOwner_username = processOwner[0] processOwner_domainname = processOwner[2] processOwnerSid = new_process.GetOwnerSid() ParentProcessId = new_process.ParentProcessId process_start_event_list.put(dict( cmdlline=cmdlline, processId=processId, name=name, Caption=Caption, ExecutablePath=ExecutablePath, SessionId=SessionId, processOwner_username=processOwner_username, processOwner_domainname=processOwner_domainname, processOwnerSid=processOwnerSid, ParentProcessId=ParentProcessId, ParentProcessName=ParentProcessName )) class processCreationMonitor(Thread): def __init__(self): Thread.__init__(self) def run(self): if DEBUG: print "processCreationMonitor run" pythoncom.CoInitialize() c = wmi.WMI() process_creation_watcher = c.watch_for( notification_type="Creation", wmi_class="Win32_Process", delay_secs=1 ) while 1: ParentProcessName = '' try: new_process = process_creation_watcher() if new_process.ParentProcessId in procs: #proc = procs[new_process.ParentProcessId] ParentProcessName = procs[new_process.ParentProcessId] procs[new_process.ProcessId] = new_process.Name # record the process info recordProcessCreationEvent(new_process, ParentProcessName) except Exception, e: pass time.sleep(0.1) class processDeletionMonitor(Thread): def __init__(self): Thread.__init__(self) def run(self): pythoncom.CoInitialize() c = wmi.WMI() process_deletion_watcher = c.watch_for( notification_type="Deletion", wmi_class="Win32_Process", delay_secs=1 ) while 1: p1 = process_deletion_watcher() try: del procs[p1.ProcessId] except: pass time.sleep(0.1) def regProcess(): c = wmi.WMI() for p in c.Win32_Process(): procs[p.ProcessId] = p.Name def process_monitor(): # get process list regProcess() if DEBUG: print "regProcess ok: ", procs if DEBUG: print 'process_monitor' # start a new thread to monitor the event of processCreate procCreMon = processCreationMonitor() procCreMon.start() # start a new thread to monitor the event of processTerminal(in order to delete/update the current process dict list) procDelMon = processDeletionMonitor() procDelMon.start() ############################################################ wmi monitor ############################################################ ############################################################ wmi monitor ############################################################ ############################################################ wmi monitor ############################################################ ############################################################ target process event write into the oss ############################################################ ############################################################ target process event write into the oss ############################################################ ############################################################ target process event write into the oss ############################################################ def upload_event_to_oss(event): result = '|*|'.join([ event['cmdlline'], str(event['processId']), event['name'], event['Caption'], event['ExecutablePath'], str(event['SessionId']), event['processOwner_username'], event['processOwner_domainname'], str(event['processOwnerSid']), str(event['ParentProcessId']), event['ParentProcessName'], event['filehash'] ]) print result def target_process_event_write_oss_func(): global process_target_event_cache_dict while True: if not process_target_event_cache_dict.empty(): event = process_target_event_cache_dict.get(1, 5) if event: upload_event_to_oss(event) time.sleep(0.1) ############################################################ target process event write into the oss ############################################################ ############################################################ target process event write into the oss ############################################################ ############################################################ target process event write into the oss ############################################################ def getProcessFileHash(ExecutablePath): global process_path_hash_cache_dict filehash = '' # cache the ExecutablePath's filehash to speed the time filepath_hash = getStringHashsum(ExecutablePath) if filepath_hash not in process_path_hash_cache_dict.keys(): # not exist this filepath_hash, add it filehash = getFileHashsum(ExecutablePath) process_path_hash_cache_dict[filepath_hash] = filehash else: filehash = process_path_hash_cache_dict[filepath_hash] return filehash ######################################### process event handle thread, filter the target process's startup event ######################################### ######################################### process event handle thread, filter the target process's startup event ######################################### ######################################### process event handle thread, filter the target process's startup event ######################################### def process_event_handle(): process_event_handler = Thread(target=process_event_handle_func) process_event_handler.start() def process_event_handle_func(): global process_start_event_list while True: if not process_start_event_list.empty(): event = process_start_event_list.get(1, 5) if event: filter_target_process(event) time.sleep(0.05) def filter_target_process(event): global process_target_event_cache_dict if not event['ExecutablePath']: return ExecutablePath = event['ExecutablePath'].encode('utf-8') gmt_create, gmt_modified = '', '' try: gmt_create = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(os.stat(ExecutablePath).st_ctime)) gmt_modified = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(os.stat(ExecutablePath).st_mtime)) except Exception, e: pass # if get the file's time info faild, means that is a system core file if gmt_create and gmt_modified: filehash = getProcessFileHash(ExecutablePath) event['filehash'] = filehash process_target_event_cache_dict.put(event) ######################################### process event handle thread, filter the target process's startup event ######################################### ######################################### process event handle thread, filter the target process's startup event ######################################### ######################################### process event handle thread, filter the target process's startup event ######################################### if __name__ == '__main__': # wmi process creation/deleetion event monitor thread process_monitor() # process event handle thread, filter the target process's startup event process_event_handle() # target process event write into the oss target_process_event_write_oss_handler = Thread(target=target_process_event_write_oss_func) target_process_event_write_oss_handler.start()
Relevant Link:
http://9806708.blog.51cto.com/9796708/1682200 http://timgolden.me.uk/python/wmi/tutorial.html http://blog.sina.com.cn/s/blog_62c02a630100p0lm.html
2. linux netlink监控进程启动
Linux kernels since 2.6.15 contains a userspace <-> kernelspace connector built on netlink sockets.
This can be used by the kernel to broadcast internal information to userspace, like process events in our case. This exposes a possibility to know in near-realtime when a process starts, dies, forks, etc.
to do so, we need creates a netlink socket and tells the kernel to start broadcasting process events. Either you use this socket manually, or use the simple supplied callback loop.
0x1: 获取进程相关信息
linux的进程启动分为fork和exec两步过程,在fork的时候可以拿到父子进程的信息,但是这个时候子进程的相关信息(例如cmdline还没生成),等到exec的时候就可以拿到完整信息了
# -*- coding: utf-8 -*- from commone import * import socket import os import struct import errno from select import select ##################################################################### utils ##################################################################### class BaseStruct(object): fields = () def _fill_struct(self, data): for k,v in zip(self.fields, data): setattr(self, k, v) class DictWrapper(dict): def __getattr__(self, attr): return self[attr] ##################################################################### utils ##################################################################### ##################################################################### netlink ##################################################################### NETLINK_CONNECTOR = 11 NLMSG_NOOP = 0x1 # Nothing NLMSG_ERROR = 0x2 # Error NLMSG_DONE = 0x3 # End of a dump NLMSG_OVERRUN = 0x4 # Data lost # struct nlmsghdr # { # __u32 nlmsg_len; /* Length of message including header */ # __u16 nlmsg_type; /* Message content */ # __u16 nlmsg_flags; /* Additional flags */ # __u32 nlmsg_seq; /* Sequence number */ # __u32 nlmsg_pid; /* Sending process port ID */ # }; nlmsghdr = struct.Struct("=I2H2I") def netlink_pack(_type, flags, msg): """ Put a netlink header on a message. The msg parameter is assumed to be a pre-struct-packed data block. We don't care about seq for now. """ _len = len(msg) + nlmsghdr.size seq = 0 return nlmsghdr.pack(_len, _type, flags, seq, os.getpid()) + msg def unpack_hdr(data): return DictWrapper( zip(("len", "type", "flags", "seq", "pid"), nlmsghdr.unpack(data[:nlmsghdr.size]))) ##################################################################### netlink ##################################################################### ##################################################################### connector ##################################################################### CN_IDX_PROC = 0x1 CN_VAL_PROC = 0x1 # struct cb_id { # __u32 idx; # __u32 val; # }; # struct cn_msg { # struct cb_id id; # __u32 seq; # __u32 ack; # __u16 len; /* Length of the following data */ # __u16 flags; # __u8 data[0]; # }; # The data member is left out of this declaration since it may be of # varying length. This means that unpacking of a complete message will # have to be incremental and done solely by the decoder of the # innermost data (in my case pec_decode() in pec.py). cn_msg = struct.Struct("=4I2H") def pack_msg(cb_idx, cb_val, flags, data): """ Pack a cn_msg struct with the passed in data. The data parameter is assumed to be a pre-struct-packed data block. We don't care about seq or ack for now. """ seq = ack = 0 _len = len(data) return cn_msg.pack(cb_idx, cb_val, seq, ack, _len, flags) + data def unpack_msg(data): """ Peel off netlink header and extract the message (including payload) from data. This will return a DictWrapper object. """ data = data[:cn_msg.size] # Slice off trailing data return DictWrapper( zip(("cb_idx", "cb_val", "seq", "ack", "len", "flags"), cn_msg.unpack(data))) ##################################################################### connector ##################################################################### ##################################################################### pec ##################################################################### PROC_CN_MCAST_LISTEN = 0x1 PROC_CN_MCAST_IGNORE = 0x2 PROC_EVENT_NONE = 0x00000000 PROC_EVENT_FORK = 0x00000001 PROC_EVENT_EXEC = 0x00000002 PROC_EVENT_UID = 0x00000004 PROC_EVENT_GID = 0x00000040 PROC_EVENT_SID = 0x00000080 PROC_EVENT_PTRACE = 0x00000100 PROC_EVENT_COMM = 0x00000200 PROC_EVENT_EXIT = 0x80000000 process_events = {"PROC_EVENT_NONE": PROC_EVENT_NONE, "PROC_EVENT_FORK": PROC_EVENT_FORK, "PROC_EVENT_EXEC": PROC_EVENT_EXEC, "PROC_EVENT_UID": PROC_EVENT_UID, "PROC_EVENT_GID": PROC_EVENT_GID, "PROC_EVENT_SID": PROC_EVENT_SID, "PROC_EVENT_PTRACE": PROC_EVENT_PTRACE, "PROC_EVENT_COMM": PROC_EVENT_COMM, "PROC_EVENT_EXIT": PROC_EVENT_EXIT} process_events_rev = dict(zip(process_events.values(), process_events.keys())) base_proc_event = struct.Struct("=2IL") event_struct_map = {PROC_EVENT_NONE: struct.Struct("=I"), PROC_EVENT_FORK: struct.Struct("=4I"), PROC_EVENT_EXEC: struct.Struct("=2I"), PROC_EVENT_UID: struct.Struct("=4I"), PROC_EVENT_GID: struct.Struct("=4I"), PROC_EVENT_SID: struct.Struct("=2I"), PROC_EVENT_PTRACE: struct.Struct("=4I"), PROC_EVENT_COMM: struct.Struct("=2I16s"), PROC_EVENT_EXIT: struct.Struct("=4I")} process_list = [] def pec_bind(s): """ Bind a socket to the Process Event Connector. This will pass on any socket.error exception raised. The most common one will be EPERM since you need root privileges to bind to the connector. """ s.bind((os.getpid(), CN_IDX_PROC)) def pec_control(s, listen=False): """ Notify PEC if we want event notifications on this socket or not. """ pec_ctrl_data = struct.Struct("=I") if listen: action = PROC_CN_MCAST_LISTEN else: action = PROC_CN_MCAST_IGNORE nl_msg = netlink_pack( NLMSG_DONE, 0, pack_msg( CN_IDX_PROC, CN_VAL_PROC, 0, pec_ctrl_data.pack(action))) s.send(nl_msg) def pec_unpack(data): """ Peel off the wrapping layers from the data. This will return a DictWrapper object. """ nl_hdr = unpack_hdr(data) if nl_hdr.type != NLMSG_DONE: # Ignore all other types of messages return # Slice off header data and trailing data (if any) data = data[nlmsghdr.size:nl_hdr.len] #msg = connector.unpack_msg(data) # .. and away goes the connector_message, leaving just the payload data = data[cn_msg.size:] event = list(base_proc_event.unpack(data[:base_proc_event.size])) ev_data_struct = event_struct_map.get(event[0]) event_data = ev_data_struct.unpack( data[base_proc_event.size:base_proc_event.size+ev_data_struct.size]) fields = ["what", "cpu", "timestamp_ns"] if event[0] == PROC_EVENT_NONE: fields.append("err") event[1] = -1 elif event[0] == PROC_EVENT_FORK: fields += ["parent_pid", "parent_tgid", "child_pid", "child_tgid"] elif event[0] == PROC_EVENT_EXEC: fields += ["process_pid", "process_tgid"] elif event[0] == PROC_EVENT_UID: fields += ["process_pid", "process_tgid", "ruid", "rgid"] elif event[0] == PROC_EVENT_GID: fields += ["process_pid", "process_tgid", "euid", "egid"] elif event[0] == PROC_EVENT_SID: fields += ["process_pid", "process_tgid"] elif event[0] == PROC_EVENT_PTRACE: fields += ["process_pid", "process_tgid", "tracer_pid", "tracer_tgid"] elif event[0] == PROC_EVENT_COMM: fields += ["process_pid", "process_tgid", "comm"] elif event[0] == PROC_EVENT_EXIT: fields += ["process_pid", "process_tgid", "exit_code", "exit_signal"] return DictWrapper(zip(fields, tuple(event) + event_data)) def register_process(pid=None, process_name=None, events=(), action=None): """ Register a callback for processes of a specific name or by pid. pec_loop() will call this callback for any processes matching. If no events is specified, all events related to that pid will call the callback. The action can be any callable. One argument will be passed to the callable, the PEC message, as returned by pec_unpack(). """ for x in events: if x not in process_events: raise Exception("No such process event: 0x%08x" % (int(x),)) process_list.append({'pid': pid, 'process_name': process_name, 'events': events}) def pec_loop(plist=process_list): s = socket.socket(socket.AF_NETLINK, socket.SOCK_DGRAM, NETLINK_CONNECTOR) # Netlink sockets are connected with pid and message group mask, # message groups are for multicast protocols (like our process event # connector). try: pec_bind(s) except socket.error, (_errno, errmsg): if _errno == errno.EPERM: raise Exception("You don't have permission to bind to the " "process event connector. Try sudo.") pec_control(s, listen=True) while True: (readable, w, e) = select([s],[],[]) buf = readable[0].recv(256) event = pec_unpack(buf) event["what"] = process_events_rev.get(event.what) print event ##################################################################### pec ##################################################################### procInfo = {} def filter_target_event(event): pid_info, ppid_info = dict(), dict() if event["what"] == 'PROC_EVENT_FORK': pid = event["child_tgid"] ppid = event["parent_tgid"] procInfo[pid] = ppid elif event["what"] == 'PROC_EVENT_EXEC': pid = event["process_tgid"] if pid in procInfo.keys(): ppid = procInfo[pid] pid_info = get_target_processinfo_byid(pid) if ppid: ppid_info = get_target_processinfo_byid(ppid) elif event["what"] == 'PROC_EVENT_EXIT': pid = event["process_tgid"] if pid in procInfo.keys(): del procInfo[pid] if pid_info and ppid_info: filehash = getFileHashsum(pid_info['pexe']) print dict( cmdlline=pid_info['pcmdline'], processId=pid_info['pid'], name=pid_info['pname'], Caption=pid_info['pexe'], ExecutablePath=pid_info['pcmdline'], SessionId=0, processOwner_username=pid_info['puid_name'], processOwner_domainname=pid_info['pgid_name'], processOwnerSid=pid_info['puid'], ParentProcessId=ppid_info['pid'], ParentProcessName=ppid_info['pname'], ParentProcessCmdline=ppid_info['pcmdline'], filehash=filehash ) def start(): # Create Netlink socket s = socket.socket(socket.AF_NETLINK, socket.SOCK_DGRAM, NETLINK_CONNECTOR) # Netlink sockets are connected with pid and message group mask, # message groups are for multicast protocols (like our process event # connector). try: s.bind((os.getpid(), CN_IDX_PROC)) except socket.error as (_errno, errmsg): if _errno == errno.EPERM: print ("You don't have permission to bind to the " "process event connector. Try sudo.") raise SystemExit(1) raise pec_control(s, listen=True) while True: (readable, w, e) = select([s], [], []) buf = readable[0].recv(256) event = pec_unpack(buf) event["what"] = process_events_rev.get(event.what) filter_target_event(event) s.close() if __name__ == "__main__": start()
0x2:C++版本监控进程启动代码
#include <sys/socket.h> #include <linux/netlink.h> #include <linux/connector.h> #include <linux/cn_proc.h> #include <signal.h> #include <errno.h> #include <stdbool.h> #include <unistd.h> #include <string.h> #include <stdlib.h> #include <stdio.h> /* * connect to netlink * returns netlink socket, or -1 on error */ static int nl_connect() { int rc; int nl_sock; struct sockaddr_nl sa_nl; nl_sock = socket(PF_NETLINK, SOCK_DGRAM, NETLINK_CONNECTOR); if (nl_sock == -1) { perror("socket"); return -1; } sa_nl.nl_family = AF_NETLINK; sa_nl.nl_groups = CN_IDX_PROC; sa_nl.nl_pid = getpid(); rc = bind(nl_sock, (struct sockaddr *)&sa_nl, sizeof(sa_nl)); if (rc == -1) { perror("bind"); close(nl_sock); return -1; } return nl_sock; } /* * subscribe on proc events (process notifications) */ static int set_proc_ev_listen(int nl_sock, bool enable) { int rc; struct __attribute__ ((aligned(NLMSG_ALIGNTO))) { struct nlmsghdr nl_hdr; struct __attribute__ ((__packed__)) { struct cn_msg cn_msg; enum proc_cn_mcast_op cn_mcast; }; } nlcn_msg; memset(&nlcn_msg, 0, sizeof(nlcn_msg)); nlcn_msg.nl_hdr.nlmsg_len = sizeof(nlcn_msg); nlcn_msg.nl_hdr.nlmsg_pid = getpid(); nlcn_msg.nl_hdr.nlmsg_type = NLMSG_DONE; nlcn_msg.cn_msg.id.idx = CN_IDX_PROC; nlcn_msg.cn_msg.id.val = CN_VAL_PROC; nlcn_msg.cn_msg.len = sizeof(enum proc_cn_mcast_op); nlcn_msg.cn_mcast = enable ? PROC_CN_MCAST_LISTEN : PROC_CN_MCAST_IGNORE; rc = send(nl_sock, &nlcn_msg, sizeof(nlcn_msg), 0); if (rc == -1) { perror("netlink send"); return -1; } return 0; } /* * handle a single process event */ static volatile bool need_exit = false; static int handle_proc_ev(int nl_sock) { int rc; struct __attribute__ ((aligned(NLMSG_ALIGNTO))) { struct nlmsghdr nl_hdr; struct __attribute__ ((__packed__)) { struct cn_msg cn_msg; struct proc_event proc_ev; }; } nlcn_msg; while (!need_exit) { rc = recv(nl_sock, &nlcn_msg, sizeof(nlcn_msg), 0); if (rc == 0) { /* shutdown? */ return 0; } else if (rc == -1) { if (errno == EINTR) continue; perror("netlink recv"); return -1; } switch (nlcn_msg.proc_ev.what) { case PROC_EVENT_NONE: printf("set mcast listen ok "); break; case PROC_EVENT_FORK: printf("fork: parent tid=%d pid=%d -> child tid=%d pid=%d ", nlcn_msg.proc_ev.event_data.fork.parent_pid, nlcn_msg.proc_ev.event_data.fork.parent_tgid, nlcn_msg.proc_ev.event_data.fork.child_pid, nlcn_msg.proc_ev.event_data.fork.child_tgid); break; case PROC_EVENT_EXEC: printf("exec: tid=%d pid=%d ", nlcn_msg.proc_ev.event_data.exec.process_pid, nlcn_msg.proc_ev.event_data.exec.process_tgid); break; case PROC_EVENT_UID: printf("uid change: tid=%d pid=%d from %d to %d ", nlcn_msg.proc_ev.event_data.id.process_pid, nlcn_msg.proc_ev.event_data.id.process_tgid, nlcn_msg.proc_ev.event_data.id.r.ruid, nlcn_msg.proc_ev.event_data.id.e.euid); break; case PROC_EVENT_GID: printf("gid change: tid=%d pid=%d from %d to %d ", nlcn_msg.proc_ev.event_data.id.process_pid, nlcn_msg.proc_ev.event_data.id.process_tgid, nlcn_msg.proc_ev.event_data.id.r.rgid, nlcn_msg.proc_ev.event_data.id.e.egid); break; case PROC_EVENT_EXIT: printf("exit: tid=%d pid=%d exit_code=%d ", nlcn_msg.proc_ev.event_data.exit.process_pid, nlcn_msg.proc_ev.event_data.exit.process_tgid, nlcn_msg.proc_ev.event_data.exit.exit_code); break; default: printf("unhandled proc event "); break; } } return 0; } static void on_sigint(int unused) { need_exit = true; } int main(int argc, const char *argv[]) { int nl_sock; int rc = EXIT_SUCCESS; signal(SIGINT, &on_sigint); siginterrupt(SIGINT, true); nl_sock = nl_connect(); if (nl_sock == -1) exit(EXIT_FAILURE); rc = set_proc_ev_listen(nl_sock, true); if (rc == -1) { rc = EXIT_FAILURE; goto out; } rc = handle_proc_ev(nl_sock); if (rc == -1) { rc = EXIT_FAILURE; goto out; } set_proc_ev_listen(nl_sock, false); out: close(nl_sock); exit(rc); }
Relevant Link:
https://github.com/dbrandt/proc_events https://gist.github.com/drdaeman/1488608 http://stackoverflow.com/questions/6075013/detect-launching-of-programs-on-linux-platform https://outflux.net/blog/archives/2010/07/01/reporting-all-execs/