Python源码示例:volatility.plugins.filescan.FileScan()

示例1
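def get_tasks(self):
        """Locate scheduled-task XML files in the memory image and parse them.

        Walks the FileScan results for file objects living under
        ``system32\\tasks\\`` (Microsoft's own tasks are skipped unless VERBOSE
        is set), reassembles each file's resident pages through DumpFiles and
        hands the resulting XML to ``parse_task_xml``.

        Returns:
            list of ``(task_name, parsed, task_xml, pids)`` tuples, one per task
            that parsed successfully. Each task is extracted under its own
            exception handler, so a single corrupt or partially paged-out file
            is logged and skipped instead of aborting the remaining tasks; the
            result may therefore be partial. If the file scan itself fails, the
            (possibly empty) list collected so far is returned.
        """
        debug.debug('Started get_tasks()')
        addr_space = utils.load_as(self._config)
        scanner = filescan.FileScan(self._config)
        parsed_tasks = []

        # Phase 1: collect (physical offset, name) for every candidate task file.
        tasks = []
        try:
            for file_obj in scanner.calculate():
                filename = str(file_obj.file_name_with_device() or '')
                lowered = filename.lower()
                if "system32\\tasks\\" not in lowered:
                    continue
                # Built-in Microsoft tasks are noise unless the user asked for them.
                if 'system32\\tasks\\microsoft' in lowered and not self._config.VERBOSE:
                    continue
                tasks.append((file_obj.obj_offset, filename))
                debug.debug("Found task: 0x{0:x} {1}".format(file_obj.obj_offset, filename))
        except Exception as e:
            debug.warning('get_tasks() failed to complete. Exception: {0} {1}'.format(type(e).__name__, e.args))
            debug.debug('Finished get_tasks()')
            return parsed_tasks

        # Phase 2: reassemble and parse each task file independently, so one
        # failure does not drop every task that follows it.
        for offset, name in tasks:
            try:
                self._config.PHYSOFFSET = '0x{:x}'.format(offset)
                df = dumpfiles.DumpFiles(self._config)
                self._config.DUMP_DIR = '.'
                for data in df.calculate():
                    # Only resident ('present') pages can be read back; absent
                    # pages simply leave gaps. mmap would be cleaner for this
                    # but resizing is unavailable here (no mremap()).
                    chopped_file = {}
                    for mdata in data['present']:
                        # NOTE(review): mdata looks like (phys_addr, file_offset, length)
                        # given how it is used below — confirm against DumpFiles.
                        chopped_file[mdata[1]] = addr_space.base.read(mdata[0], mdata[2])

                    # Fragments are keyed by file offset; join them in file order.
                    task_xml = "".join(chopped_file[key] for key in sorted(chopped_file))

                    # task_xml is reconstructed from the image and is untrusted input;
                    # parse_task_xml is responsible for parsing it defensively.
                    parsed = self.parse_task_xml(task_xml, name)
                    if not parsed:
                        continue

                    exec_action = parsed['Actions']['Exec']
                    args = exec_action.get("Arguments", None)
                    if args:
                        # Fold the arguments into the command so the image path
                        # lookup and the report see the full command line.
                        exec_action['Command'] += " {}".format(args)
                    pids = self.find_pids_for_imagepath(exec_action['Command'])
                    parsed_tasks.append((name.split('\\')[-1], parsed, task_xml, pids))
            except Exception as e:
                debug.warning('get_tasks() failed on task {0} at 0x{1:x}. Exception: {2} {3}'.format(name, offset, type(e).__name__, e.args))

        debug.debug('Finished get_tasks()')
        return parsed_tasks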