Tuesday, 15 January 2013

hidden processes in wincheck log

It's easy to cross-check the process list against the threads seen by the scheduler (run wincheck with the -sched or -full options) and analyze the produced log.
A simple Perl script for this tedious task:


#!perl -w
# Lame script to find hidden processes from wincheck log
# 15 Jan 2013 (C) RedPlait
use strict;
use warnings;

# Cross-check one wincheck log: every ProcID seen in the scheduler scan must
# also be present in the process list at the top of the log
sub parse_log
{
  my $fname = shift;
  my $fh;
  if ( !open($fh, '<', $fname) )
  {
    warn("Cannot open log file $fname, error $!\n");
    return;
  }
  # %pids - PIDs from the process list, $state - parser state:
  #  0 - process list, 1 - between sections, 2 - inside a "Scheduler:" block
  my($str, %pids, $state, $pid);
  $state = 0;
  while( $str = <$fh> )
  {
    chomp $str;
    if ( !$state )
    {
      # the process list ends at the first empty line
      $state = 1 if ( $str eq '' );
      if ( $str =~ /^PID (\d+) / )
      {
        $pid = int($1);
        $pids{$pid} ||= $str;
      }
      next;
    }
    if ( (1 == $state) && $str =~ /^Scheduler: \d+/ )
    {
      $state = 2;
      next;
    }
    if ( 2 == $state )
    {
      # each scheduler block ends at an empty line
      $state = 1 if ( $str eq '' );
      # ProcID/ThreadID are printed in hex, PIDs in the process list in decimal
      if ( $str =~ /^ Thread .+ ProcID ([0-9A-F]+) ThreadID ([0-9A-F]+)/ )
      {
        $pid = hex($1);
        printf("Unknown process %d, TID %d\n", $pid, hex($2))
           if ( !exists $pids{$pid} );
      }
    }
  }
  close $fh;
}

# main - each argument is a log file name or a glob pattern
foreach (@ARGV)
{
  if ( $_ =~ /\*/ )
  {
    my $iter;
    foreach $iter ( glob($_) )
    {
      parse_log($iter);
    }
  } else {
    parse_log($_);
  }
}

Results:
Unknown process 2180, TID 27344
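The same cross-scan in Python, added here as an example that is not part of the original post; the log layout (a process list of `PID <decimal>` lines, an empty line, then one `Scheduler:` block per CPU with ` Thread ... ProcID <hex> ThreadID <hex>` lines) is assumed from the regexes of the Perl script, and the embedded log is constructed. It goes one step further than the script by grouping the orphan threads per PID across all scheduler blocks:

```python
import re
from collections import defaultdict

# Constructed sample log (layout assumed from the Perl regexes, not real wincheck
# output); PID 2180 (0x884) owns threads but is absent from the process list.
SAMPLE_LOG = """\
PID 4 System
PID 512 csrss.exe
PID 1234 explorer.exe

Scheduler: 0
 Thread 8A1B2C00 ProcID 4 ThreadID 1C
 Thread 8A1B3D00 ProcID 4D2 ThreadID 7F0
 Thread 8A1B4E00 ProcID 884 ThreadID 6AD0

Scheduler: 1
 Thread 8A1B5F00 ProcID 200 ThreadID 3A4
 Thread 8A1B6000 ProcID 884 ThreadID 6AE4
"""

PID_RE = re.compile(r'^PID (\d+) ')        # process list: decimal PID
SCHED_RE = re.compile(r'^Scheduler: \d+')   # one block per CPU
THREAD_RE = re.compile(r'^ Thread .+ ProcID ([0-9A-F]+) ThreadID ([0-9A-F]+)')

def parse_wincheck_log(text):
    """Return (listed_pids, pid -> [tids]) from the process list and scheduler scan."""
    listed, sched = {}, defaultdict(list)
    state = 0  # 0: process list, 1: between sections, 2: inside a Scheduler block
    for line in text.splitlines():
        if state == 0:
            if line == '':            # process list ends at the first empty line
                state = 1
            m = PID_RE.match(line)
            if m:
                listed.setdefault(int(m.group(1)), line)
        elif state == 1:
            state = 2 if SCHED_RE.match(line) else 1
        else:
            if line == '':            # each scheduler block ends at an empty line
                state = 1
            m = THREAD_RE.match(line)
            if m:                     # ProcID/ThreadID are hex in the log
                sched[int(m.group(1), 16)].append(int(m.group(2), 16))
    return listed, dict(sched)

def hidden_processes(text):
    """PIDs that own scheduled threads but are missing from the process list."""
    listed, sched = parse_wincheck_log(text)
    return {pid: tids for pid, tids in sched.items() if pid not in listed}
```

A PID that is in the process list but owns no scheduled threads is not reported, since an idle or exiting process looks the same; only the reverse mismatch is evidence of hiding.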
