
Update ps.py

Open Darkaxt opened this issue 4 months ago • 2 comments

Enhance ps.py parser with improved forensic analysis

Darkaxt avatar Jul 31 '25 10:07 Darkaxt

Thank you for the contribution. There are a few points of attention:

  • process_title_mapping would improve readability. However, the issue is that it also transforms something into something else. When ps reports, for example, that sshd is running, we don't know if it's the legitimate one from /usr/sbin/sshd or an evil one from /evil/sshd. So we cannot afford to substitute this and make it look like it's legitimate. The mapping must be removed.

  • Which standard did you use for the field_mapping column conversion? Currently multiple other files also use names such as uid or mem, %mem, cpu, %cpu. If we create unity we'll need to do that across all of the files (psthread, pslist, ...).

  • Can you also have a quick look at the failing unit test?

cvandeplas avatar Aug 26 '25 13:08 cvandeplas

OK, field mapping out; only (ps) will cause issues based on the narrow sample that we have. The column mapping is needed since no one will understand

```python
# Column-name mapping only: ps header abbreviations -> descriptive keys.
field_mapping = {
    'f': 'process_flags_bitmask',
    'ni': 'nice_priority_adjustment',
    'pri': 'kernel_priority',
    'prsna': 'process_resident_address',
    'rss': 'physical_memory_kb',
    'vsz': 'virtual_memory_kb',
    'tt': 'controlling_terminal',
    'wchan': 'kernel_wait_channel',
    'uid': 'owner_user_id',
    'cpu': 'cpu_usage_percent',
    'mem': 'memory_usage_percent'
}
```

unless they have enough Unix experience... (not my case).

The failing unit test has to do with the field_mapping

Darkaxt avatar Sep 10 '25 09:09 Darkaxt
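The two points above (rename column headers for readability, but never substitute the process title, because `/usr/sbin/sshd` and `/evil/sshd` must stay distinguishable) can be shown together in one small parser. This is an added illustration, not code from the sysdiagnose project or from this PR: the `ps` header layout and the three process lines are constructed sample input, `EXPECTED_PATHS` is an assumed allow-list of where well-known daemons are expected to live, and `FIELD_MAPPING` is a hypothetical variant of the mapping discussed in the thread that keys on the literal `%CPU`/`%MEM` headers. The `command` column is carried through verbatim so that an analyst, or the path check at the end, still sees the real executable path.

```python
# Added example: rename ps columns for readability while preserving the raw
# command path, then flag well-known daemon names running from unexpected paths.

# Assumed mapping (lower-cased ps header -> descriptive key). Headers not in
# the mapping are kept as their lower-cased original name.
FIELD_MAPPING = {
    'f': 'process_flags_bitmask',
    'ni': 'nice_priority_adjustment',
    'pri': 'kernel_priority',
    'prsna': 'process_resident_address',
    'rss': 'physical_memory_kb',
    'vsz': 'virtual_memory_kb',
    'tt': 'controlling_terminal',
    'wchan': 'kernel_wait_channel',
    'uid': 'owner_user_id',
    '%cpu': 'cpu_usage_percent',
    '%mem': 'memory_usage_percent',
}

# Constructed sample in ps-style layout; not real sysdiagnose output.
SAMPLE_PS = """\
USER  UID PID PPID F %CPU %MEM PRI NI     VSZ  RSS WCHAN TT STAT STARTED TIME    COMMAND
root    0   1    0 4  0.0  0.1  37  0 4305100 9632     - ?? Ss   9:00AM  0:01.23 /sbin/launchd
root    0  88    1 4  0.1  0.0  31  0 4300000 4400     - ?? Ss   9:00AM  0:00.10 /usr/sbin/sshd -i
bob   501 515    1 4 12.3  0.4  31  0 4500000 8800     - ?? S    9:05AM  0:02.00 /tmp/.cache/sshd -i
"""

# Assumed allow-list: daemon basename -> path it is expected to run from.
EXPECTED_PATHS = {
    'sshd': '/usr/sbin/sshd',
    'launchd': '/sbin/launchd',
}


def parse_ps(text, mapping=FIELD_MAPPING):
    """Parse ps-style text into a list of dicts with descriptive keys.

    Only the header names are renamed; every value, including the full
    command line, is stored exactly as ps printed it.
    """
    lines = [line for line in text.splitlines() if line.strip()]
    headers = lines[0].split()
    keys = [mapping.get(h.lower(), h.lower()) for h in headers]
    rows = []
    for line in lines[1:]:
        # Split at most len(headers)-1 times so the COMMAND column keeps
        # its spaces (arguments) intact.
        parts = line.split(None, len(headers) - 1)
        if len(parts) != len(headers):
            continue  # malformed/truncated line: skip rather than misalign
        rows.append(dict(zip(keys, parts)))
    return rows


def executable_path(command):
    """First token of the command column, i.e. the executable as ps saw it."""
    return command.split()[0]


def suspicious_paths(rows, expected=EXPECTED_PATHS):
    """Return (pid, actual_path, expected_path) for known daemon names that
    run from a path other than the expected one."""
    findings = []
    for row in rows:
        exe = executable_path(row['command'])
        name = exe.rsplit('/', 1)[-1]
        if name in expected and exe != expected[name]:
            findings.append((row['pid'], exe, expected[name]))
    return findings


if __name__ == '__main__':
    processes = parse_ps(SAMPLE_PS)
    for proc in processes:
        print(proc['pid'], proc['owner_user_id'], proc['command'])
    for pid, actual, wanted in suspicious_paths(processes):
        print(f'pid {pid}: {actual} (expected {wanted})')
```

Because the renaming touches only the header row, the third sample process still reads `/tmp/.cache/sshd -i` after parsing; a title mapping that rewrote it to a friendly "sshd" label would have hidden exactly the detail the path check relies on.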