I'm using winappdbg to debug. I create an EventHandler that hooks the CreateFile function in the processes I attach the debugger to. I can't use the `loop` function, because then the debugger cannot be disabled, so I use the other functions instead. After detaching and looking at how many CreateFile calls happened, I try to get the CPU usage of the processes, and it automatically comes out as 0. I think this is because of the debugger, but I don't know why.
    import operator
    import time

    import psutil
    from winappdbg import Debug

    # The poster's own helper modules (not shown in the question).
    import hooking4, whitelist5, cpu_mem4, hooking_count, registry4, file4, process_control5

    # errorfile, filesnumber and timeinseconds are defined elsewhere in the poster's script.
    # pid_being_suspected is read in the elif branch below before it is ever assigned
    # there, so it must exist beforehand; -1 is the "nobody suspected" value the code uses.
    pid_being_suspected = -1

    if True:
        hooked = []
        eventhandelerobject = hooking4.EventReciever()
        debugger = Debug(eventhandelerobject, False)
        """hooking"""
        for procid in psutil.pids():
            if not whitelist5.inlist(procid):
                print(procid)
                try:
                    debugger.attach(procid)
                    hooked.append(procid)
                    print("Initialized!" + str(procid))
                    errorfile.write("Initialized!" + str(procid))
                except Exception as ex:
                    print(ex)
                    errorfile.write(str(ex) + str(procid))
        run_time = 60
        start = time.clock()  # time.clock() is Python 2 only; it was removed in Python 3.8
        time_passed = 10
        print("start")
        while time.clock() - start < run_time:
            # every 10 seconds, attach to any new process that appeared since the last pass
            if time.clock() - start > time_passed:
                for procid in psutil.pids():
                    if not whitelist5.inlist(procid) and procid not in hooked:
                        try:
                            debugger.attach(procid)
                            hooked.append(procid)
                            print("Initialized!" + str(procid))
                        except:
                            continue
                time_passed += 10
            # pump one debug event at a time instead of Debug.loop(), so the loop can be left
            try:
                # debugger.next()
                event = debugger.wait(1000)
                debugger.dispatch(event)
                debugger.cont(event)
            except:
                continue
        print("stop")
        print("part2")
        over_cpu_mem_id = cpu_mem4.dangerous_cpu_and_mem(0, 0)
        counter = hooking_count.Count.counterdict
        print("counter:")
        print(counter)
        # sort descending so that index 0 really is the pid with the most CreateFile calls;
        # the original ascending sort would have picked the pid with the fewest
        sorted_counter = sorted(counter.items(), key=operator.itemgetter(1), reverse=True)
        if over_cpu_mem_id >= 1:
            if registry4.manage() and not whitelist5.inlist(over_cpu_mem_id):
                print("cpu+registry , not in whitelist")
                pid_being_suspected = over_cpu_mem_id
                if file4.mannge(filesnumber, timeinseconds):
                    print("files are changing...")
                    if len(sorted_counter) > 0:
                        most_createfiles = sorted_counter[0][1]
                        pid = sorted_counter[0][0]
                        exe = psutil.Process(pid).exe()
                        print(exe)
                        cpuexe = psutil.Process(over_cpu_mem_id).exe()
                        print(cpuexe)
                        if most_createfiles >= 100 and pid == over_cpu_mem_id:
                            process_control5.process_dealing(pid)
        elif pid_being_suspected > 0 and len(sorted_counter) > 0:
            most_createfiles = sorted_counter[0][1]
            pid = sorted_counter[0][0]
            if most_createfiles >= 100 and pid == pid_being_suspected:
                process_control5.process_dealing(pid)
                pid_being_suspected = -1
        print("no danger")
        hooking_count.Count.reset_dict()
        time.sleep(10)
        debugger.stop()
I'm not really sure, because I have never tried to get the CPU usage of a debugged process, but I suspect it's because the debugged process is paused when you try to measure it. Normally, when the debugger takes control, the process being debugged is frozen, so you will always see 0% usage.
If that's the case, the fix is fairly complicated. You would have to write two scripts (or one script, but run it twice). One debugs the targets and collects all the process IDs and opened files. The other measures CPU usage, in parallel.
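The freeze the answer describes can be confirmed from outside the debugger with a sampler that never goes through it, which is also the "second script" the answer proposes. The following is an added example, not code from the question or the answer. It is Linux-only: it reads CPU time straight from /proc/<pid>/stat so it needs no third-party module, and it uses SIGSTOP to stand in for a debugger holding the debuggee, since winappdbg itself only runs on Windows. On Windows the same sampler would call psutil.Process(pid).cpu_percent(interval) from the poster's existing psutil import.

```python
"""Measure a process's CPU usage from the outside, independent of any debugger
attached to it (added example, not from the original post; Linux only).

Two samples of user+system CPU time from /proc/<pid>/stat give the share of
one core the process used in between.  The demo spawns a busy child, measures
it running, then freezes it with SIGSTOP (what a debugger does to a debuggee
while it holds control) and measures again: the second reading is ~0%.
"""
import os
import signal
import subprocess
import sys
import time

CLK_TCK = os.sysconf("SC_CLK_TCK")  # clock ticks per second used in /proc


def cpu_seconds(pid):
    """Return user+system CPU seconds consumed so far by pid (reads /proc)."""
    with open("/proc/%d/stat" % pid) as f:
        data = f.read()
    # The command name sits in parentheses and may contain spaces, so split
    # only what follows the closing parenthesis; fields[0] is then field 3.
    fields = data[data.rindex(")") + 2:].split()
    utime, stime = int(fields[11]), int(fields[12])  # stat(5) fields 14, 15
    return (utime + stime) / float(CLK_TCK)


def sample_cpu_percent(pid, interval):
    """Percent of one core used by pid over `interval` seconds."""
    before = cpu_seconds(pid)
    t0 = time.time()
    time.sleep(interval)
    elapsed = time.time() - t0
    return 100.0 * (cpu_seconds(pid) - before) / elapsed


def demo(interval=0.5):
    """Spawn a busy child; return (percent while running, percent while frozen)."""
    # Constructed workload: a child interpreter that spins forever.
    child = subprocess.Popen([sys.executable, "-c", "while True: pass"])
    try:
        running = sample_cpu_percent(child.pid, interval)
        # Freeze the child the way a debugger freezes a debuggee it controls.
        os.kill(child.pid, signal.SIGSTOP)
        frozen = sample_cpu_percent(child.pid, interval)
        os.kill(child.pid, signal.SIGCONT)
    finally:
        child.kill()
        child.wait()
    return running, frozen


if __name__ == "__main__":
    running, frozen = demo()
    print("running: %.1f%%   frozen by SIGSTOP: %.1f%%" % (running, frozen))
```

The sampler only ever reads /proc, so it can run as a separate process next to the debugging script exactly as the answer suggests; the only thing it needs from the debugger side is the list of pids to watch.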