dissect.target.plugins.os.unix.linux.proc

Module Contents

Classes

NetSocket
UnixSocket
PacketSocket
Environ
ProcessStateEnum	Sortable and serializible string-based enum
Sockets
ProcProcess
ProcPlugin	Base class for plugins.

Functions

parse_ip

Convert /proc/net IPv4 or IPv6 hex address into their standard IP notation.

Attributes

PROC_STAT_NAMES

dissect.target.plugins.os.unix.linux.proc.parse_ip(addr: str | int, version: int = 4) → ipaddress.IPv6Address | ipaddress.IPv4Address

Convert /proc/net IPv4 or IPv6 hex address into their standard IP notation.

class dissect.target.plugins.os.unix.linux.proc.NetSocket

sl: str

local_address: str

rem_address: str

state: str

tx_rx_queue: str

tr_tm_when: str

restansmit: str

uid: int

timeout: str

inode: int

ref: str | None

pointer: str | None

drops: str | None

predicted_tick: str | None

ack_pingpong: str | None

congestion_window: str | None

size_threshold: str | None

protocol_string: str | None

local_ip: str | None

local_port: int | None

remote_ip: str | None

remote_port: int | None

state_string: str | None

owner: str | None

rx_queue: int | None

tx_queue: int | None

pid: int | None

name: str | None

cmdline: str | None

classmethod from_line(line: str, ip_vers: int = 4) → NetSocket

class dissect.target.plugins.os.unix.linux.proc.UnixSocket

num: str

ref: int

protocol: int

flags: str

type: int

state: int

inode: int

path: str | None

state_string: str | None

stream_type_string: str | None

protocol_string: str = 'unix'

classmethod from_line(line: str) → UnixSocket

class dissect.target.plugins.os.unix.linux.proc.PacketSocket

sk: int

ref: int

type: int

protocol: int

iface: int

r: int

rmem: int

user: int

inode: int

pid: int | None

name: str | None

cmdline: str | None

protocol_type: int | None

owner: str | None

protocol_string: str = 'packet'

classmethod from_line(line: str) → PacketSocket

class dissect.target.plugins.os.unix.linux.proc.Environ

variable: str

contents: str

class dissect.target.plugins.os.unix.linux.proc.ProcessStateEnum

Bases: dissect.target.helpers.utils.StrEnum

Sortable and serializible string-based enum

R = 'Running'

I = 'Idle'

S = 'Sleeping'

D = 'Waiting'

Z = 'Zombie'

T = 'Stopped'

t = 'Tracing'

X = 'Dead'

x = 'Dead'

K = 'Wakekill'

W = 'Waking'

P = 'Parked'

N = 'None'

dissect.target.plugins.os.unix.linux.proc.PROC_STAT_NAMES = ['pid', 'comm', 'state', 'ppid', 'pgrp', 'session', 'tty_nr', 'tpgid', 'flags', 'minflt',...

class dissect.target.plugins.os.unix.linux.proc.Sockets(target: dissect.target.target.Target)

class PacketProtocolTypes

Bases: enum.IntEnum

Enum where members are also (and must be) ints

ETH_P_802_3 = 1

ETH_P_AX25 = 2

ETH_P_ALL = 3

ETH_P_802_2 = 4

ETH_P_SNAP = 5

ETH_P_DDCMP = 6

ETH_P_WAN_PPP = 7

ETH_P_PPP_MP = 8

ETH_P_LOCALTALK = 9

ETH_P_CAN = 12

ETH_P_PPPTALK = 16

ETH_P_TR_802_2 = 17

ETH_P_MOBITEX = 21

ETH_P_CONTROL = 22

ETH_P_IRDA = 23

ETH_P_ECONET = 24

ETH_P_HDLC = 25

ETH_P_ARCNET = 26

ETH_P_DSA = 27

ETH_P_TRAILER = 28

ETH_P_PHONET = 245

ETH_P_IEEE802154 = 246

class SocketStreamType

Bases: enum.IntEnum

Enum where members are also (and must be) ints

STREAM = 1

DGRAM = 2

SEQPACKET = 5

class SocketStateType

Bases: enum.IntEnum

Enum where members are also (and must be) ints

LISTENING = 1

CONNECTED = 3

class TCPStates

Bases: enum.IntEnum

Enum where members are also (and must be) ints

DUMMY = 0

ESTABLISHED = 1

SYN_SENT = 2

SYN_RECV = 3

FIN_WAIT1 = 4

FIN_WAIT2 = 5

TIME_WAIT = 6

CLOSE = 7

CLOSE_WAIT = 8

LAST_ACK = 9

LISTEN = 10

CLOSING = 11

NEW_SYN_RECV = 12

MAX_STATES = 13

class UDPStates

Bases: enum.IntEnum

Enum where members are also (and must be) ints

DUMMY = 0

ESTABLISHED = 1

LISTEN = 7

packet() → Iterator[PacketSocket]

Yield parsed /proc/net/packet entries.

raw() → Iterator[NetSocket]

Yield parsed /proc/net/raw entries.

raw6() → Iterator[NetSocket]

Yield parsed /proc/net/raw6 entries.

tcp6() → Iterator[NetSocket]

Yield parsed /proc/net/tcp6 entries.

tcp() → Iterator[NetSocket]

Yield parsed /proc/net/tcp entries.

udp() → Iterator[NetSocket]

Yield parsed /proc/net/upd entries.

udp6() → Iterator[NetSocket]

Yield parsed /proc/net/udp6 entries.

unix() → Iterator[UnixSocket]

Yield parsed /proc/net/unix entries.

class dissect.target.plugins.os.unix.linux.proc.ProcProcess(target: dissect.target.target.Target, pid: int | str, proc_root: str = '/proc')

property owner: str

Return the username or the user ID (uid) (if owner is not found) of the owner of this process.

property uid: int

Return the user ID (uid) of the owner of this process.

property pid: int

Returns the process ID (pid) associated to this process.

property parent: ProcProcess | None

Returns the parent ProcProcess of this process.

property ppid: int | None

Returns the parent process ID (ppid) associated to this process.

property parent_name: str | None

Returns the name associated to the parent process ID (ppid) of this process.

property state: str

Returns the state of the process (S’leeping, R’unning, I’dle, etc).

property starttime: datetime.datetime

Returns the start time of the process.

property runtime: datetime.timedelta

Returns the runtime of a process until the moment of acquisition.

property now: datetime.datetime

Returns the now() timestamp of the system at the moment of acquisition.

property uptime: datetime.timedelta

Returns the uptime of the system from the moment it was acquired.

property cmdline: str

Return the command line of a process.

get(path: str) → pathlib.Path

Returns a TargetPath relative to this process.

environ() → Iterator[Environ]

Yields the content of the environ file associated with the process.

stat() → dissect.target.filesystem.fsutil.stat_result

Return a stat entry of the process.

class dissect.target.plugins.os.unix.linux.proc.ProcPlugin(target: dissect.target.target.Target)

Bases: dissect.target.plugin.Plugin

Base class for plugins.

Plugins can optionally be namespaced by specifying the __namespace__ class attribute. Namespacing results in your plugin needing to be prefixed with this namespace when being called. For example, if your plugin has specified test as namespace and a function called example, you must call your plugin with test.example:

A Plugin class has the following private class attributes:

• __namespace__

• __record_descriptors__

With the following three being assigned in register():

• __plugin__

• __functions__

• __exports__

Additionally, the methods and attributes of Plugin receive more private attributes by using decorators.

The export() decorator adds the following private attributes

• __exported__

• __output__: Set with the export() decorator.

• __record__: Set with the export() decorator.

The internal() decorator and InternalPlugin set the __internal__ attribute. Finally. args() decorator sets the __args__ attribute.

Parameters:

target – The Target object to load the plugin for.

__namespace__ = 'proc'

check_compatible() → None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

inode_map() → dict[int, list[ProcProcess]]

Creates a inode to pid mapping for all process IDs in /proc/[pid].

iter_proc() → Iterator[pathlib.Path]

Yields /proc/[pid] filesystems entries for every process id (pid) found in procfs.

inode_to_pids(inode: int) → list[ProcProcess]

process(pid: int | str) → ProcProcess

processes() → Iterator[ProcProcess]