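#!/usr/bin/python
# Author: Amit Malik, Uptycs Inc.
# Build process tree from osquery output
#
# Input is osquery "line" output: one key=value pair per line, records
# separated by a blank line.  A process record is expected to carry at
# least pid, parent, path and cmdline.
#
# Runs unchanged on Python 2.7 and 3: print() is only ever called with a
# single argument, so no __future__ import is needed.
import os
import sys
import json

# parent pid -> list of child pids.  Filled by run_analysis() and read by
# populate_tree() when the caller does not pass an explicit tree.
ids = {}


def get_cmdline(pid, gdict):
    """Return (path, cmdline) for *pid* from the parsed records in *gdict*.

    Records that cannot be interpreted (missing key, non-numeric pid) are
    reported on stdout and skipped, as before.  Returns (False, False) when
    no record matches; callers treat that as "unknown process".
    """
    for en in gdict:
        try:
            if int(en['pid']) == pid:
                return en['path'].strip(), en['cmdline'].strip()
        except (KeyError, ValueError, TypeError, AttributeError) as e:
            print(e)
    return False, False


def get_parent_child(gdict):
    """Map each parent pid to the list of its child pids found in *gdict*.

    Records without a numeric pid and parent are skipped (best effort, as
    the original did, but only for the expected error types).  Child order
    follows record order.
    """
    tmp = {}
    for en in gdict:
        try:
            pid = int(en["pid"].strip())
            parent = int(en["parent"].strip())
        except (KeyError, ValueError, TypeError, AttributeError):
            continue
        # setdefault replaces the removed-in-Py3 dict.has_key() branch.
        tmp.setdefault(parent, []).append(pid)
    return tmp


def populate_tree(lst, ppid, name, gdict, tree=None, _seen=None):
    """Append the subtree rooted at *ppid* to *lst* as nested dicts.

    Each node is {"process_name", "pid", "command_line_args"}; a node with
    children additionally carries "child_processes".  *name* is unused (the
    display name is looked up via get_cmdline) and is kept for backward
    compatibility with callers that pass the pid twice.  *tree* is the
    parent->children map and defaults to the module-level ``ids`` set by
    run_analysis().  *_seen* collects pids already expanded so that a
    self-parenting or reused pid in a snapshot cannot recurse forever; a
    repeated pid is emitted as a leaf instead.
    """
    if tree is None:
        tree = ids
    if _seen is None:
        _seen = set()
    name, cmdline = get_cmdline(ppid, gdict)
    node = {"process_name": name, "pid": ppid, "command_line_args": cmdline}
    if ppid in tree and ppid not in _seen:
        _seen.add(ppid)
        children = []
        node["child_processes"] = children
        for pid in tree[ppid]:
            populate_tree(children, pid, pid, gdict, tree, _seen)
    lst.append(node)


def parse_data(data):
    """Parse osquery line output into a list of dicts, one per record.

    Records are blank-line separated; lines are key=value, where the value
    may itself contain '=' (only the first '=' splits).  Records with four
    or fewer lines are dropped, as in the original (presumably incomplete
    records).
    """
    records = []
    for en in data.split("\n\n"):
        env = en.split("\n")
        if len(env) <= 4:
            continue
        tmp = {}
        for line in env:
            key, sep, value = line.partition('=')
            if sep:
                tmp[key.strip()] = value.strip()
        records.append(tmp)
    return records


def run_analysis(gdict):
    """Print the parent->children map, then one JSON subtree per parent.

    A tree is printed for every parent pid other than 0 and 1, so nested
    processes appear once under each of their ancestors (original output
    shape).  Also publishes the map as the module-level ``ids`` used by
    populate_tree() when no tree is passed.
    """
    global ids
    parent_child = get_parent_child(gdict)
    ids = parent_child
    print(parent_child)
    for parent in parent_child.keys():
        print("")
        print("for parent %s" % parent)
        if parent in (0, 1):
            continue
        tr = []
        populate_tree(tr, parent, parent, gdict, parent_child)
        # populate_tree always appends exactly one root node, so tr[0] is safe.
        print(json.dumps(tr[0], indent=4))


def main():
    """Entry point: read the osquery output file named on the command line."""
    if len(sys.argv) < 2:
        sys.stderr.write("usage: %s <osquery-line-output-file>\n" % sys.argv[0])
        sys.exit(2)
    # Context manager closes the file; the original leaked the handle.
    with open(sys.argv[1], 'r') as fh:
        data = fh.read()
    run_analysis(parse_data(data))


if __name__ == '__main__':
    main()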