import os
import pickle
import run
import runningProcesses
import pandas as pd
from colorama import Fore
def loop_through(process, df):
    """
    Return every row of *df* whose ``ProcessId`` equals the process asked for by the user.

    :param process: process identifier to look up (compared as-is against the column)
    :param df: DataFrame that holds a ``ProcessId`` column
    :return: the matching rows (an empty DataFrame when nothing matches)
    """
    matches = df['ProcessId'] == process
    return df.loc[matches]
def forward_process(process, df):
    """
    Print the processes whose ``ParentProcessId`` is *process*, i.e. the processes it spawned.

    :param process: process identifier entered by the user (must be a str, it is
        concatenated into the printed message)
    :param df: DataFrame holding ``Services``, ``ParentProcessId`` and ``ProcessId`` columns
    :return: always 0; output goes to stdout
    """
    is_child = df['ParentProcessId'].isin([process])
    children = df.loc[is_child, ['Services', 'ParentProcessId', 'ProcessId']]
    if children.empty:
        print('\n')
        print(Fore.YELLOW + process + ' Does not execute other process(es) - i.e. not a parent process.')
        return 0
    print('\n')
    print(Fore.YELLOW + process + ' is a parent process of the following process(es):')
    print('\n')
    print(Fore.WHITE)
    print(children.to_string(index=False, header=True))
    return 0
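def process_ml(process_path):
    """
    Once a path/command of a process is identified, it will be piped to the ML model for investigation.

    The model and its vectoriser are unpickled from the ``ML`` directory next to this script;
    the classification (and the class percentages) is printed to stdout.

    :param process_path: DataFrame (or mapping) with a ``CommandLine`` column holding the
        command line(s) of the process under investigation
    :return: always 0
    :raises FileNotFoundError: when the model files are missing (only reached when there
        is a command to classify)
    """
    commands = pd.DataFrame(process_path['CommandLine'])
    # Decide whether there is anything to classify before touching the model files;
    # the original unpickled both models first and then discarded them on these paths.
    if commands.isnull().values.any():
        print('\nNo command(s) found -NaN')
        return 0
    if commands.empty:
        print('\nDataFrame -Commands not found')
        return 0
    pml = commands.to_string(index=False, header=False)
    dir_path = os.path.dirname(os.path.realpath(__file__))
    # os.path.join gives the same <script dir>\ML\... layout on Windows as the original
    # hard-coded backslashes, and a valid path on other platforms too.
    filename = os.path.join(dir_path, 'ML', 'cmdModel.sav')
    vectfile = os.path.join(dir_path, 'ML', 'vecFile.sav')
    # NOTE: pickle.load runs whatever code the file embeds, so these model files must
    # only ever be loaded from a trusted, integrity-checked location; never point this
    # at files received from elsewhere. 'with' also closes the handles the original leaked.
    with open(filename, 'rb') as model_file:
        se_model = pickle.load(model_file)
    with open(vectfile, 'rb') as vect_file:
        load_vect = pickle.load(vect_file)
    text = load_vect.transform([pml])
    print_this = se_model.predict(text)
    print_prob = se_model.predict_proba(text) * 100
    print(Fore.WHITE + '\n')
    if print_this == 1:
        print(
            'Machine Learning model classifies ' + Fore.GREEN + ' ' + pml + Fore.WHITE + ' to be ' + Fore.RED
            + 'suspicious.' + Fore.WHITE + ' Please consider its percentage scores shown below: ')
        print(pd.DataFrame(print_prob).to_string(index=False, header=True))
    elif print_this == 0:
        print(
            Fore.WHITE + 'Machine Learning model classifies' + Fore.GREEN + ' ' + pml + Fore.WHITE + ' to be ' +
            Fore.GREEN + 'genuine' + Fore.WHITE + ' Please consider its percentage scores shown below: ')
        print(pd.DataFrame(print_prob).to_string(index=False, header=True))
    else:
        # predict() returned something other than the two known labels
        print('No command to learn about')
    return 0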
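def more_processes():
    """
    Ask the user whether to trace more processes and dispatch accordingly.

    ``y`` hands control to ``runningProcesses.live_process()``, ``n`` to
    ``run.user_input()``; any other answer repeats the prompt.

    :return: always 0, once one of the two dispatch targets has returned
    """
    # Loop instead of recursing on bad input: the original called itself for every
    # invalid answer, so a long run of mistyped replies grew the call stack each time.
    while True:
        m_process = input('\nMore processes to trace y/n: ').lower().strip()
        if m_process == 'y':
            runningProcesses.live_process()
            return 0
        if m_process == 'n':
            run.user_input()
            return 0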
def dll(process, df_dll):
    """
    Print the DLLs (path and size) recorded in *df_dll* for the requested process.

    :param process: process identifier entered by the user (a str; it is concatenated
        into the printed message and compared against the ``PID`` column)
    :param df_dll: DataFrame holding ``PID``, ``Size`` and ``Path`` columns
    :return: always 0; output goes to stdout
    """
    subset = df_dll[['PID', 'Size', 'Path']]
    matches = subset.loc[subset['PID'] == process]
    table = matches[['Path', 'Size']].to_string(index=False, header=True)
    if matches.empty:
        print('\n')
        print(Fore.YELLOW + process + ' DLLs or relevant data cannot be found.')
        print(Fore.WHITE)
        return 0
    print(Fore.YELLOW + 'Process ' + process + ' and its Dll association ')
    print(Fore.WHITE)
    print(table)
    return 0
def handles(process, df_handles):
    """
    Print the handles recorded in *df_handles* for the requested process.

    Rows with any missing value are dropped before printing.

    :param process: process identifier entered by the user (a str; it is concatenated
        into the printed message and compared against the ``PID`` column)
    :param df_handles: DataFrame holding ``PID``, ``Offset``, ``HandleValue``, ``Type``,
        ``GrantedAccess`` and ``Name`` columns
    :return: always 0; output goes to stdout
    """
    columns = ['PID', 'Offset', 'HandleValue', 'Type', 'GrantedAccess', 'Name']
    rows = pd.DataFrame(df_handles.loc[df_handles['PID'] == process]).dropna()
    handle_s = rows[columns]
    handles_p = handle_s.to_string(index=False, header=True)
    rule = Fore.YELLOW + '-' * 110
    if handle_s.empty:
        lines = (
            '\n',
            rule,
            Fore.YELLOW + 'Process ' + process + ' Handles cannot be found.',
            '\n',
            rule,
            Fore.WHITE,
        )
    else:
        lines = (
            '\n',
            Fore.YELLOW + 'Process ' + process + ' associates with the followings handles',
            '\n',
            Fore.WHITE,
            handles_p,
            '\n',
            rule,
            Fore.WHITE,
        )
    for line in lines:
        print(line)
    return 0