class Ossi(object):
Root object for OSSI (Operating System Specific Information).
It provides an interface to retrieve useful OSSI about the trace: the binaries and processes that were executed, and the symbols of the executed binaries.
Must not be constructed directly; retrieve it from a reven_server as in the following example.
>>> # From a reven_server
>>> ossi = reven_server.ossi
Methods:
    __init__            Undocumented
    executed_binaries   Get a generator over binaries that are executed in the trace.
    executed_processes  Get a generator over processes that are executed in the trace.
    symbols             Get a generator over symbols of executed binaries.
    __repr__            Undocumented
Instance variables:
    _data_source        Undocumented
Method executed_binaries
Get a generator over binaries that are executed in the trace.
Executed binaries can be filtered by a pattern matched against their path; as the last example shows, the pattern is a regular expression.
It depends on the binary ranges resource. If unavailable, a RuntimeError is raised.
>>> # Get all executed binaries
>>> for binary in ossi.executed_binaries():
...     print(binary.path)
c:/windows/system32/ntoskrnl.exe
c:/windows/system32/ntdll.dll
...
>>> # Get all executed binaries filtered by "ntdll"
>>> for binary in ossi.executed_binaries("ntdll"):
...     print(binary.path)
c:/windows/system32/ntdll.dll
>>> # Get all executed binaries filtered by "system32/.*.dll"
>>> for binary in ossi.executed_binaries("system32/.*.dll"):
...     print(binary.path)
c:/windows/system32/ntdll.dll
...
Parameters:
    pattern: the pattern used to filter binaries.
Returns:
    A generator of reven2.ossi.Binary instances.
Raises:
    RuntimeError: if the binary ranges resource is unavailable.
Method executed_processes
Get a generator over processes that are executed in the trace.
Executed processes can be filtered by their name and/or their pid. Note that the name pattern matches substrings: as the second example shows, "host" also returns svchost.exe and conhost.exe.
It depends on the ossi ranges resource. If unavailable, a RuntimeError is raised.
>>> # Get all executed processes
>>> for process in ossi.executed_processes():
...     print(process)
cmd.exe (2716)
ShellExperienceHost.exe (2044)
svchost.exe (876)
conhost.exe (2596)
...
>>> # Get all executed processes filtered by name "host"
>>> for process in ossi.executed_processes("host"):
...     print(process)
ShellExperienceHost.exe (2044)
svchost.exe (876)
conhost.exe (2596)
...
>>> # Get all executed processes filtered by pid 2596
>>> for process in ossi.executed_processes(pid=2596):
...     print(process)
conhost.exe (2596)
Parameters:
    pattern: the pattern used to filter processes (type: _Optional[str]).
    pid: the pid used to filter processes (type: _Optional[int]).
Returns:
    A generator of reven2.ossi.Process instances (type: _Iterator[_Process]).
Raises:
    RuntimeError: if the ossi ranges resource is unavailable.
Method symbols
Get a generator over symbols of executed binaries.
Symbols can be filtered by their name (a regular expression), by the path of the binary they belong to (binary_hint), and with or without case sensitivity. The comparison is case-insensitive unless case_sensitive is set (compare the second and the last example below).
Symbols are fetched from the binary file itself and its related debug file, if any.
It depends on the binary ranges resource and the OSSI feature. If either is unavailable, a RuntimeError is raised.
If a binary file is not accessible from the provided filesystem, no symbols are returned for that binary.
>>> # Get all symbols
>>> for symbol in ossi.symbols():
...     print('{} - {}'.format(symbol.name, symbol.binary.path))
NetWkstaGetInfo - c:/windows/system32/wkscli.dll
NetUseEnum - c:/windows/system32/wkscli.dll
NetGetJoinInformation - c:/windows/system32/wkscli.dll
...
>>> # Get all symbols filtered by name
>>> for symbol in ossi.symbols("acpi"):
...     print('{} - {}'.format(symbol.name, symbol.binary.path))
HalpAcpiGetTableFromBios - c:/windows/system32/hal.dll
...
PopFxFindAcpiDeviceByUniqueId - c:/windows/system32/ntoskrnl.exe
...
ACPIDispatchIrp - c:/windows/system32/drivers/acpi.sys
...
>>> # Get all symbols filtered by name and binary path
>>> for symbol in ossi.symbols("acpi", binary_hint="acpi.sys"):
...     print('{} - {}'.format(symbol.name, symbol.binary.path))
ACPIDispatchIrp - c:/windows/system32/drivers/acpi.sys
...
>>> # Get all symbols filtered by name in a case sensitive way
>>> for symbol in ossi.symbols("acpi", case_sensitive=True):
...     print('{} - {}'.format(symbol.name, symbol.binary.path))
HalacpiIrqTranslateResourcesIsa - c:/windows/system32/hal.dll
HalacpiIrqTranslateResourceRequirementsIsa - c:/windows/system32/hal.dll
...
Parameters:
    pattern: a regular expression used to compare symbol names.
    binary_hint: a regular expression used to compare binaries' paths.
    case_sensitive: whether the symbol comparison is case sensitive or not.
Returns:
    A generator of reven2.ossi.Symbol instances.
Raises:
    RuntimeError: if the binary ranges resource is unavailable.
    RuntimeError: if the OSSI feature is unavailable.
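The following is an added example written for this page; it is not part of the reven2 API or of the original documentation. It builds two helpers on top of the three methods documented above (executed_processes, executed_binaries and symbols): one that matches a process image name exactly instead of by substring (so "host" cannot pull in every *host.exe when you are looking for one specific image), and one that collects the matching symbols of each executed binary, escaping the path passed as binary_hint so a regex cannot over-match, and returning None when the documented RuntimeError reports a missing resource. So that it runs offline, the `_ConstructedOssi` class is a stand-in with the documented method signatures over constructed sample data (not a real trace); `process.name` and `process.pid` are assumed attribute names inferred from the printed form `cmd.exe (2716)`, and the stand-in's matching rules (regex search, case-insensitive unless case_sensitive=True) are modelled on the examples above, not taken from the reven2 source.

```python
import re
from types import SimpleNamespace


def processes_named(ossi, name, exact=True):
    """Executed processes whose image name matches `name`.

    The server-side `pattern` filter is a substring/regex match, so
    ossi.executed_processes("host") also returns svchost.exe, conhost.exe and
    ShellExperienceHost.exe. When the question is "which svchost.exe instances
    ran?", filter client-side with an anchored, escaped, case-insensitive
    regex so look-alike or longer names cannot slip in.
    """
    if exact:
        rx = re.compile("^" + re.escape(name) + "$", re.IGNORECASE)
    else:
        rx = re.compile(name, re.IGNORECASE)
    # process.name / process.pid are assumed attribute names (see lead-in).
    return [p for p in ossi.executed_processes() if rx.search(p.name)]


def symbols_by_binary(ossi, symbol_pattern, binary_pattern=None, case_sensitive=False):
    """Map each executed binary's path to the sorted names of its symbols
    matching `symbol_pattern`.

    binary_hint is a regex, so a raw path could also match a longer path that
    contains it; the hint is escaped and the result re-checked against
    symbol.binary.path. Binaries with no matching symbol (for instance one whose
    file is not reachable from the provided filesystem) are omitted. Returns
    None when the documented RuntimeError signals that the binary ranges
    resource or the OSSI feature is unavailable.
    """
    try:
        if binary_pattern is None:
            binaries = list(ossi.executed_binaries())
        else:
            binaries = list(ossi.executed_binaries(binary_pattern))
        result = {}
        for binary in binaries:
            names = {
                sym.name
                for sym in ossi.symbols(symbol_pattern,
                                        binary_hint=re.escape(binary.path),
                                        case_sensitive=case_sensitive)
                if sym.binary.path == binary.path
            }
            if names:
                result[binary.path] = sorted(names)
        return result
    except RuntimeError:
        return None


class _ConstructedOssi:
    """Stand-in exposing the documented Ossi methods over constructed sample
    data (not a REVEN trace) so the helpers above run without a server."""

    _PROCS = [("cmd.exe", 2716), ("ShellExperienceHost.exe", 2044),
              ("svchost.exe", 876), ("conhost.exe", 2596), ("svchost.exe", 1104)]
    _SYMS = {
        "c:/windows/system32/ntdll.dll": ["NtCreateFile", "LdrLoadDll"],
        "c:/windows/system32/hal.dll": ["HalpAcpiGetTableFromBios",
                                        "HalacpiIrqTranslateResourcesIsa"],
        "c:/windows/system32/drivers/acpi.sys": ["ACPIDispatchIrp"],
    }

    def __init__(self, available=True):
        self._available = available  # False simulates a missing resource

    def _check(self):
        if not self._available:
            raise RuntimeError("binary ranges resource is unavailable")

    def executed_processes(self, pattern=None, pid=None):
        for name, p in self._PROCS:
            name_ok = pattern is None or re.search(pattern, name, re.IGNORECASE)
            if name_ok and (pid is None or pid == p):
                yield SimpleNamespace(name=name, pid=p)

    def executed_binaries(self, pattern=None):
        self._check()
        for path in self._SYMS:
            if pattern is None or re.search(pattern, path, re.IGNORECASE):
                yield SimpleNamespace(path=path)

    def symbols(self, pattern=None, binary_hint=None, case_sensitive=False):
        self._check()
        flags = 0 if case_sensitive else re.IGNORECASE
        for path, names in self._SYMS.items():
            if binary_hint is not None and not re.search(binary_hint, path):
                continue
            for n in names:
                if pattern is None or re.search(pattern, n, flags):
                    yield SimpleNamespace(name=n, binary=SimpleNamespace(path=path))


if __name__ == "__main__":
    ossi = _ConstructedOssi()  # against a real trace: ossi = reven_server.ossi
    print([p.pid for p in processes_named(ossi, "svchost.exe")])        # [876, 1104]
    print([p.pid for p in processes_named(ossi, "host", exact=False)])  # [2044, 876, 2596, 1104]
    print(symbols_by_binary(ossi, "acpi", binary_pattern=r"\.sys$"))
    print(symbols_by_binary(_ConstructedOssi(available=False), "acpi"))  # None
```

Against a live server, replace `_ConstructedOssi()` with `reven_server.ossi`; the two helpers only rely on the documented calls, so they need no change. Escaping the path before handing it to binary_hint is the detail worth keeping: the examples on this page pass fragments such as "acpi.sys", which is convenient interactively but, being a regex, also matches "xacpi.sys" or "acpi_sys".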