dissect.target.plugins.os.unix.linux.proc#

Module Contents#

Classes#

NetSocket

UnixSocket

PacketSocket

Environ

ProcessStateEnum

Sortable and serializible string-based enum

Sockets

ProcProcess

ProcPlugin

Base class for plugins.

Functions#

parse_ip

Convert /proc/net IPv4 or IPv6 hex address into their standard IP notation.

Attributes#

PROC_STAT_NAMES

dissect.target.plugins.os.unix.linux.proc.parse_ip(addr: str | int, version: int = 4) ipaddress.IPv6Address | ipaddress.IPv4Address#

Convert /proc/net IPv4 or IPv6 hex address into their standard IP notation.

class dissect.target.plugins.os.unix.linux.proc.NetSocket#
sl: str#
local_address: str#
rem_address: str#
state: str#
tx_rx_queue: str#
tr_tm_when: str#
restansmit: str#
uid: int#
timeout: str#
inode: int#
ref: str | None#
pointer: str | None#
drops: str | None#
predicted_tick: str | None#
ack_pingpong: str | None#
congestion_window: str | None#
size_threshold: str | None#
protocol_string: str | None#
local_ip: str | None#
local_port: int | None#
remote_ip: str | None#
remote_port: int | None#
state_string: str | None#
owner: str | None#
rx_queue: int | None#
tx_queue: int | None#
pid: int | None#
name: str | None#
cmdline: str | None#
classmethod from_line(line: str, ip_vers: int = 4) NetSocket#
class dissect.target.plugins.os.unix.linux.proc.UnixSocket#
num: str#
ref: int#
protocol: int#
flags: str#
type: int#
state: int#
inode: int#
path: str | None#
state_string: str | None#
stream_type_string: str | None#
protocol_string: str = 'unix'#
classmethod from_line(line: str) UnixSocket#
class dissect.target.plugins.os.unix.linux.proc.PacketSocket#
sk: int#
ref: int#
type: int#
protocol: int#
iface: int#
r: int#
rmem: int#
user: int#
inode: int#
pid: int | None#
name: str | None#
cmdline: str | None#
protocol_type: int | None#
owner: str | None#
protocol_string: str = 'packet'#
classmethod from_line(line: str) PacketSocket#
class dissect.target.plugins.os.unix.linux.proc.Environ#
variable: str#
contents: str#
class dissect.target.plugins.os.unix.linux.proc.ProcessStateEnum#

Bases: dissect.target.helpers.utils.StrEnum

Sortable and serializible string-based enum

R = 'Running'#
I = 'Idle'#
S = 'Sleeping'#
D = 'Waiting'#
Z = 'Zombie'#
T = 'Stopped'#
t = 'Tracing'#
X = 'Dead'#
x = 'Dead'#
K = 'Wakekill'#
W = 'Waking'#
P = 'Parked'#
N = 'None'#
dissect.target.plugins.os.unix.linux.proc.PROC_STAT_NAMES = ['pid', 'comm', 'state', 'ppid', 'pgrp', 'session', 'tty_nr', 'tpgid', 'flags', 'minflt',...#
class dissect.target.plugins.os.unix.linux.proc.Sockets(target: dissect.target.target.Target)#
class PacketProtocolTypes#

Bases: enum.IntEnum

Enum where members are also (and must be) ints

ETH_P_802_3 = 1#
ETH_P_AX25 = 2#
ETH_P_ALL = 3#
ETH_P_802_2 = 4#
ETH_P_SNAP = 5#
ETH_P_DDCMP = 6#
ETH_P_WAN_PPP = 7#
ETH_P_PPP_MP = 8#
ETH_P_LOCALTALK = 9#
ETH_P_CAN = 12#
ETH_P_PPPTALK = 16#
ETH_P_TR_802_2 = 17#
ETH_P_MOBITEX = 21#
ETH_P_CONTROL = 22#
ETH_P_IRDA = 23#
ETH_P_ECONET = 24#
ETH_P_HDLC = 25#
ETH_P_ARCNET = 26#
ETH_P_DSA = 27#
ETH_P_TRAILER = 28#
ETH_P_PHONET = 245#
ETH_P_IEEE802154 = 246#
class SocketStreamType#

Bases: enum.IntEnum

Enum where members are also (and must be) ints

STREAM = 1#
DGRAM = 2#
SEQPACKET = 5#
class SocketStateType#

Bases: enum.IntEnum

Enum where members are also (and must be) ints

LISTENING = 1#
CONNECTED = 3#
class TCPStates#

Bases: enum.IntEnum

Enum where members are also (and must be) ints

DUMMY = 0#
ESTABLISHED = 1#
SYN_SENT = 2#
SYN_RECV = 3#
FIN_WAIT1 = 4#
FIN_WAIT2 = 5#
TIME_WAIT = 6#
CLOSE = 7#
CLOSE_WAIT = 8#
LAST_ACK = 9#
LISTEN = 10#
CLOSING = 11#
NEW_SYN_RECV = 12#
MAX_STATES = 13#
class UDPStates#

Bases: enum.IntEnum

Enum where members are also (and must be) ints

DUMMY = 0#
ESTABLISHED = 1#
LISTEN = 7#
packet() Iterator[PacketSocket]#

Yield parsed /proc/net/packet entries.

raw() Iterator[NetSocket]#

Yield parsed /proc/net/raw entries.

raw6() Iterator[NetSocket]#

Yield parsed /proc/net/raw6 entries.

tcp6() Iterator[NetSocket]#

Yield parsed /proc/net/tcp6 entries.

tcp() Iterator[NetSocket]#

Yield parsed /proc/net/tcp entries.

udp() Iterator[NetSocket]#

Yield parsed /proc/net/upd entries.

udp6() Iterator[NetSocket]#

Yield parsed /proc/net/udp6 entries.

unix() Iterator[UnixSocket]#

Yield parsed /proc/net/unix entries.

class dissect.target.plugins.os.unix.linux.proc.ProcProcess(target: dissect.target.target.Target, pid: int | str, proc_root: str = '/proc')#
property owner: str#

Return the username or the user ID (uid) (if owner is not found) of the owner of this process.

property uid: int#

Return the user ID (uid) of the owner of this process.

property pid: int#

Returns the process ID (pid) associated to this process.

property parent: ProcProcess | None#

Returns the parent ProcProcess of this process.

property ppid: int | None#

Returns the parent process ID (ppid) associated to this process.

property parent_name: str | None#

Returns the name associated to the parent process ID (ppid) of this process.

property state: str#

Returns the state of the process (S’leeping, R’unning, I’dle, etc).

property starttime: datetime.datetime#

Returns the start time of the process.

property runtime: datetime.timedelta#

Returns the runtime of a process until the moment of acquisition.

property now: datetime.datetime#

Returns the now() timestamp of the system at the moment of acquisition.

property uptime: datetime.timedelta#

Returns the uptime of the system from the moment it was acquired.

property cmdline: str#

Return the command line of a process.

get(path: str) pathlib.Path#

Returns a TargetPath relative to this process.

environ() Iterator[Environ]#

Yields the content of the environ file associated with the process.

stat() dissect.target.filesystem.fsutil.stat_result#

Return a stat entry of the process.

class dissect.target.plugins.os.unix.linux.proc.ProcPlugin(target: dissect.target.target.Target)#

Bases: dissect.target.plugin.Plugin

Base class for plugins.

Plugins can optionally be namespaced by specifying the __namespace__ class attribute. Namespacing results in your plugin needing to be prefixed with this namespace when being called. For example, if your plugin has specified test as namespace and a function called example, you must call your plugin with test.example:

A Plugin class has the following private class attributes:

  • __namespace__

  • __record_descriptors__

With the following three being assigned in register():

  • __plugin__

  • __functions__

  • __exports__

Additionally, the methods and attributes of Plugin receive more private attributes by using decorators.

The export() decorator adds the following private attributes

  • __exported__

  • __output__: Set with the export() decorator.

  • __record__: Set with the export() decorator.

The internal() decorator and InternalPlugin set the __internal__ attribute. Finally. args() decorator sets the __args__ attribute.

Parameters:

target – The Target object to load the plugin for.

__namespace__ = 'proc'#
check_compatible() None#

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

inode_map() dict[int, list[ProcProcess]]#

Creates a inode to pid mapping for all process IDs in /proc/[pid].

iter_proc() Iterator[pathlib.Path]#

Yields /proc/[pid] filesystems entries for every process id (pid) found in procfs.

inode_to_pids(inode: int) list[ProcProcess]#
process(pid: int | str) ProcProcess#
processes() Iterator[ProcProcess]#