sysdiagnose icon indicating copy to clipboard operation
sysdiagnose copied to clipboard
verified publisher icon EC-DIGIT-CSIRC

Feature/add uid to ps everywhere

Open itayfoT opened this issue 1 month ago • 2 comments

Add UID Extraction to ps_everywhere Analyzer

Summary

Adds User ID (UID) field to ps_everywhere analyzer output for security analysis and forensic investigations.

Changes

  • Extract UID from ps.txt, psthread.txt, spindump-nosymbols.txt, and logarchive (euid)
  • Add _sanitize_uid() helper to filter invalid placeholder values (0xAAAAAAAA, 0xFFFFFFFF)
  • Update deduplication logic to consider UID - same process with different UIDs tracked separately
  • Set uid: None for sources without UID information

Output

{
  "data": {
    "source": "ps.txt",
    "uid": 0
  }
}

itayfoT avatar Nov 05 '25 19:11 itayfoT

Hey @itayfoT, thanks for the PR. Very much appreciated. But would you mind to remove the changes related to orjson in it? You have already opened another one PR #209 on that topic.

dario-br avatar Nov 13 '25 15:11 dario-br

Hi @dario-br thank you for your response, removed

itayfoT avatar Nov 14 '25 11:11 itayfoT