
/usr/lib/python2.7/dist-packages/volatility/plugins/mac/pstree.py is in volatility 2.6-1.

This file is owned by root:root, with mode 0o644.

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see <http://www.gnu.org/licenses/>.
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization: 
"""

import volatility.plugins.mac.pstasks as pstasks

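# Renders the processes yielded by the parent plugin (pstasks.mac_tasks) as an
# indented tree. Parent/child structure is taken from each process's
# p_children / p_sibling links as read from the memory image; nothing in this
# class validates those links, so the walk below has to tolerate lists that
# are corrupted or loop back on themselves.
class mac_pstree(pstasks.mac_tasks):
    """ Show parent/child relationship of processes """

    def render_text(self, outfd, data):
        """Write the process tree to outfd.

        outfd -- writable file-like object that receives the table.
        data  -- iterable of process objects exposing p_pid, p_comm, p_uid,
                 p_children and p_sibling.
        """
        # Per-run state: pid -> process object, and the pids already printed.
        self.procs_hash = {}
        self.procs_seen = {}

        outfd.write("{0:20s} {1:15s} {2:15s}\n".format("Name", "Pid", "Uid"))

        # NOTE(review): entries are keyed by pid only, so if the image yields
        # two processes with the same p_pid the later one silently replaces
        # the earlier one and only one of them is printed.
        for proc in data:
            self.procs_hash[proc.p_pid] = proc

        # Walk pids in ascending order. A process already printed as some
        # earlier process's descendant is skipped inside _recurse_task; a
        # process that no earlier walk reached is printed at level 0, whether
        # or not it has a parent. NOTE(review): an unexpected level-0 entry is
        # therefore worth cross-checking against another process listing.
        for pid in sorted(self.procs_hash):
            self._recurse_task(outfd, self.procs_hash[pid], 0)

    def _recurse_task(self, outfd, proc, level):
        """Print proc, then each entry on its child list one level deeper.

        level is the nesting depth; it becomes the number of leading dots in
        the Name column. A pid that was already printed is not printed again.
        """
        if proc.p_pid in self.procs_seen:
            return

        # Name, pid and uid are printed exactly as read from the image.
        proc_name = "." * level + proc.p_comm

        outfd.write("{0:20s} {1:15s} {2:15s}\n".format(proc_name, str(proc.p_pid), str(proc.p_uid)))

        # Each pid recurses at most once, which also bounds recursion depth
        # by the number of distinct pids.
        self.procs_seen[proc.p_pid] = 1

        # procs_seen stops repeated *printing* but not a repeated *walk*: a
        # sibling list that links back to an earlier entry would keep this
        # loop spinning forever on already-seen processes. Track the pids met
        # during this one walk and stop as soon as one comes round again.
        walked = set()
        child = proc.p_children.lh_first

        while child.is_valid():
            child_pid = child.p_pid
            if child_pid in walked:
                break
            walked.add(child_pid)

            self._recurse_task(outfd, child, level + 1)
            child = child.p_sibling.le_next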