class documentation

class Ossi(object):


Root object for OSSI information

It provides an interface to get useful information about OSSI for:

  • the whole trace, such as the executed binaries.
  • a particular context.

Warnings

Must not be constructed directly, but retrieved as shown in the following examples.

Examples

>>> # From a reven_server
>>> ossi = reven_server.ossi
  • Method __init__: Undocumented
  • Method executed_binaries: Get a generator over binaries that are executed in the trace.
  • Method executed_processes: Get a generator over processes that are executed in the trace.
  • Method symbols: Get a generator over symbols of executed binaries.
  • Method __repr__: Undocumented
  • Instance Variable _data_source: Undocumented
def __init__(self, _data_source):

Undocumented

_data_source =

Undocumented

def executed_binaries(self, pattern=None):

Get a generator over binaries that are executed in the trace.

Executed binaries can be filtered by their path:

  • the filter is enabled if the `pattern` argument is not None.
  • a `contains` approach is used.
  • the filter pattern is a regular expression.
  • the match is case insensitive.

Warnings

It depends on the binary ranges resource. If unavailable, an exception will be raised.

Examples

>>> # Get all executed binaries
>>> for binary in ossi.executed_binaries():
...     print(binary.path)
c:/windows/system32/ntoskrnl.exe
c:/windows/system32/ntdll.dll
...
>>> # Get all executed binaries filtered by "ntdll"
>>> for binary in ossi.executed_binaries("ntdll"):
...     print(binary.path)
c:/windows/system32/ntdll.dll
>>> # Get all executed binaries filtered by "system32/.*.dll"
>>> for binary in ossi.executed_binaries("system32/.*.dll"):
...     print(binary.path)
c:/windows/system32/ntdll.dll
...

Information

Parameters
  • pattern: the pattern used to filter binaries.
Returns
  • A generator of reven2.ossi.Binary instances.
Raises
  • RuntimeError: if the binary ranges resource is unavailable.
def executed_processes(self, pattern=None, pid=None):

Get a generator over processes that are executed in the trace.

Executed processes can be filtered by their name and/or their pid:

  • the filter is enabled if the `pattern` argument is not `None`, or the `pid` argument is not `None`.
  • to filter by name, a `contains` approach is used.
  • the filter pattern is a regular expression and the match is case insensitive.

Warnings

It depends on the ossi ranges resource. If unavailable, an exception will be raised.

Examples

>>> # Get all executed processes
>>> for process in ossi.executed_processes():
...     print(process)
cmd.exe (2716)
ShellExperienceHost.exe (2044)
svchost.exe (876)
conhost.exe (2596)
...
>>> # Get all executed processes filtered by name "host"
>>> for process in ossi.executed_processes("host"):
...     print(process)
ShellExperienceHost.exe (2044)
svchost.exe (876)
conhost.exe (2596)
...
>>> # Get all executed processes filtered by pid 2596
>>> for process in ossi.executed_processes(pid=2596):
...     print(process)
conhost.exe (2596)

Information

Parameters
  • pattern: the pattern used to filter processes. (type: _Optional[str])
  • pid: the pid used to filter processes. (type: _Optional[int])
Returns
  • A generator of reven2.ossi.Process instances. (type: _Iterator[_Process])
Raises
  • RuntimeError: if the ossi ranges resource is unavailable.
def symbols(self, pattern=None, binary_hint=None, case_sensitive=False):

Get a generator over symbols of executed binaries.

Symbols can be filtered by:

  • their name:
    • the filter is enabled if the `pattern` argument is not None.
    • a `contains` approach is used.
    • the filter pattern is a regular expression.
    • case sensitivity depends on the `case_sensitive` argument.
  • the executed binary's path:
    • the filter is enabled if the `binary_hint` argument is not None.
    • a `contains` approach is used.
    • the filter pattern is a regular expression.
    • the match is case insensitive.

Symbols are fetched from the binary file itself and its related debug file, if any.

Warnings

It depends on the binary ranges resource and OSSI feature. If one of them is unavailable, an exception will be raised.

If a binary file is not accessible from the provided filesystem, no symbols will be returned for that binary.

Examples

>>> # Get all symbols
>>> for symbol in ossi.symbols():
...     print('{} - {}'.format(symbol.name, symbol.binary.path))
NetWkstaGetInfo - c:/windows/system32/wkscli.dll
NetUseEnum - c:/windows/system32/wkscli.dll
NetGetJoinInformation - c:/windows/system32/wkscli.dll
...
>>> # Get all symbols filtered by name
>>> for symbol in ossi.symbols("acpi"):
...     print('{} - {}'.format(symbol.name, symbol.binary.path))
HalpAcpiGetTableFromBios - c:/windows/system32/hal.dll
...
PopFxFindAcpiDeviceByUniqueId - c:/windows/system32/ntoskrnl.exe
...
ACPIDispatchIrp - c:/windows/system32/drivers/acpi.sys
...
>>> # Get all symbols filtered by name and binary path
>>> for symbol in ossi.symbols("acpi", binary_hint="acpi.sys"):
...     print('{} - {}'.format(symbol.name, symbol.binary.path))
ACPIDispatchIrp - c:/windows/system32/drivers/acpi.sys
...
>>> # Get all symbols filtered by name in a case sensitive way
>>> for symbol in ossi.symbols("acpi", case_sensitive=True):
...     print('{} - {}'.format(symbol.name, symbol.binary.path))
HalacpiIrqTranslateResourcesIsa - c:/windows/system32/hal.dll
HalacpiIrqTranslateResourceRequirementsIsa - c:/windows/system32/hal.dll
...

Information

Parameters
  • pattern: a regular expression used to compare symbols.
  • binary_hint: a regular expression used to compare binaries' paths.
  • case_sensitive: whether the symbol comparison is case sensitive or not.
Returns
  • A generator of reven2.ossi.Symbol instances.
Raises
  • RuntimeError: if the binary ranges resource is unavailable.
  • RuntimeError: if the OSSI feature is unavailable.
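The three methods above (`executed_binaries`, `executed_processes` and `symbols`) share the same `contains` filter semantics: the argument is a regular expression searched anywhere in the path or name, case insensitive except where `case_sensitive` says otherwise. The following stand-alone model of that behaviour is an added example; it is not reven2's own code and does not import reven2. The data (paths, process names, pids, symbol names) is constructed from the examples on this page, with one extra binary, `rundll32.exe`, added to show why an unanchored pattern such as `"system32/.*.dll"` matches more than files ending in `.dll`. The real implementation may differ in detail; only the documented filter rules are modelled.

```python
import re
from typing import Iterator, NamedTuple, Optional


class Binary(NamedTuple):
    path: str


class Process(NamedTuple):
    name: str
    pid: int

    def __str__(self) -> str:
        # Same "name (pid)" rendering as the examples on the page.
        return "{} ({})".format(self.name, self.pid)


class Symbol(NamedTuple):
    name: str
    binary: Binary


# Constructed sample data: paths and names taken from the page's examples,
# plus rundll32.exe, added here to show a regex pitfall. Nothing is read
# from a real REVEN trace.
BINARIES = [
    Binary("c:/windows/system32/ntoskrnl.exe"),
    Binary("c:/windows/system32/ntdll.dll"),
    Binary("c:/windows/system32/rundll32.exe"),
    Binary("c:/windows/system32/drivers/acpi.sys"),
]
PROCESSES = [
    Process("cmd.exe", 2716),
    Process("ShellExperienceHost.exe", 2044),
    Process("svchost.exe", 876),
    Process("conhost.exe", 2596),
]
SYMBOLS = [
    Symbol("HalpAcpiGetTableFromBios", Binary("c:/windows/system32/hal.dll")),
    Symbol("HalacpiIrqTranslateResourcesIsa", Binary("c:/windows/system32/hal.dll")),
    Symbol("ACPIDispatchIrp", Binary("c:/windows/system32/drivers/acpi.sys")),
    Symbol("NetUseEnum", Binary("c:/windows/system32/wkscli.dll")),
]


def contains(pattern: Optional[str], text: str, case_sensitive: bool = False) -> bool:
    """The documented "contains" filter: the regular expression may match
    anywhere in `text` (re.search, not re.fullmatch). None disables the filter.
    """
    if pattern is None:
        return True
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.search(pattern, text, flags) is not None


def executed_binaries(pattern: Optional[str] = None) -> Iterator[Binary]:
    # Path filter, always case insensitive.
    return (b for b in BINARIES if contains(pattern, b.path))


def executed_processes(pattern: Optional[str] = None,
                       pid: Optional[int] = None) -> Iterator[Process]:
    # Name filter (case insensitive) and/or exact pid filter; both must hold.
    return (p for p in PROCESSES
            if contains(pattern, p.name) and (pid is None or p.pid == pid))


def symbols(pattern: Optional[str] = None, binary_hint: Optional[str] = None,
            case_sensitive: bool = False) -> Iterator[Symbol]:
    # The name filter honours case_sensitive; the binary path filter never does.
    return (s for s in SYMBOLS
            if contains(pattern, s.name, case_sensitive)
            and contains(binary_hint, s.binary.path))


if __name__ == "__main__":
    # "system32/.*.dll" is searched, not anchored, and its "." is a wildcard,
    # so rundll32.exe matches too; anchor and escape to mean a .dll extension.
    for pat in ("system32/.*.dll", r"system32/.*\.dll$"):
        print(pat, [b.path for b in executed_binaries(pat)])
    for process in executed_processes("host"):
        print(process)
    for symbol in symbols("acpi", case_sensitive=True):
        print("{} - {}".format(symbol.name, symbol.binary.path))
```

When using a path pattern to select a file type, prefer an escaped and anchored expression (`r"system32/.*\.dll$"`) over `"system32/.*.dll"`: under `contains` semantics the latter also picks up any path with `dll` somewhere after `system32/`, such as `rundll32.exe`.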
def __repr__(self):

Undocumented

API Documentation for reven2, generated by pydoctor 21.2.2 at 2021-11-30 13:56:46.