可使用本节内容创建 rawProcessInfo.json、rawProcessWMIInfo.json 和 os.json 文件。这些脚本在基于 Windows 操作系统的虚拟机的侦测期间运行,用于收集进程详细信息、操作系统详细信息和网络详细信息。
rawProcessInfo.json 文件示例
注:
- 可以使用
Get-Process -IncludeUserName命令,并将其转换成 JSON 文件以收集进程详细信息。 - 示例 JSON 文件中的键非常重要。
-可以是特定于进程的任何内容。- 使用正确的值更改括号
<>字符串,其中- <number> 为整数类型
- <text> 为字符串类型
- <boolean> 为 true 或 false
-
<?>也可以为空
-
{ } 括号表示特定对象
- [ ] 括号表示列表,可以包含多个类似的对象。
[
{
"BasePriority": <number>,
"ExitCode": <number>,
"HasExited": <boolean>,
"ExitTime": <time or null>,
"Handle": <number>,
"SafeHandle": {
"IsInvalid": <boolean>,
"IsClosed": <boolean>
},
"HandleCount": <number>,
"Id": <number>,
"MachineName": <string>,
"MainWindowHandle": <number>,
"MainWindowTitle": <string>,
"MainModule": {
"ModuleName": <string>,
"FileName": <string>,
"BaseAddress": <number>,
"ModuleMemorySize": <number>,
"EntryPointAddress": <number>,
"FileVersionInfo": <string>,
"Site": null,
"Container": null
},
"MaxWorkingSet": <number>,
"MinWorkingSet": <number>,
"Modules": [
<string>
],
"NonpagedSystemMemorySize": <number>,
"NonpagedSystemMemorySize64": <number>,
"PagedMemorySize": <number>,
"PagedMemorySize64": <number>,
"PagedSystemMemorySize": <number>,
"PagedSystemMemorySize64": <number>,
"PeakPagedMemorySize": <number>,
"PeakPagedMemorySize64": <number>,
"PeakWorkingSet": <number>,
"PeakWorkingSet64": <number>,
"PeakVirtualMemorySize": <number>,
"PeakVirtualMemorySize64": <number>,
"PriorityBoostEnabled": <boolean>,
"PriorityClass": <number>,
"PrivateMemorySize": <number>,
"PrivateMemorySize64": <number>,
"PrivilegedProcessorTime": {
"Ticks": <number>,
"Days": <number>,
"Hours": <number>,
"Milliseconds": <number>,
"Minutes": <number>,
"Seconds": <number>,
"TotalDays": <number>,
"TotalHours": <number>,
"TotalMilliseconds": <number>,
"TotalMinutes": <number>,
"TotalSeconds": <number>
},
"ProcessName": <string>,
"ProcessorAffinity": <number>,
"Responding": <boolean>,
"SessionId": <number>,
"StartInfo": {
"Verb": <number>,
"Arguments": <number>,
"CreateNoWindow": <boolean>,
"EnvironmentVariables": <string>,
"Environment": “[<key1>, <value>] [<key2>,<value>]",
"RedirectStandardInput": <boolean>,
"RedirectStandardOutput": <boolean>,
"RedirectStandardError": <boolean>,
"StandardErrorEncoding": <string>,
"StandardOutputEncoding": <string>,
"UseShellExecute": <boolean>,
"Verbs": <string>,
"UserName": <string>,
"Password": <string>,
"PasswordInClearText": <string>,
"Domain": <string>,
"LoadUserProfile": <boolean>,
"FileName": <string>,
"WorkingDirectory": <string>,
"ErrorDialog": <boolean>,
"ErrorDialogParentHandle": <number>,
"WindowStyle": <number>
},
"StartTime": <string>,
"SynchronizingObject": null,
"Threads": [
<string1>,
<string2>
],
"TotalProcessorTime": {
"Ticks": <number>,
"Days": <number>,
"Hours": <number>,
"Milliseconds": <number>,
"Minutes": <number>,
"Seconds": <number>,
"TotalDays": <number>,
"TotalHours": <number>,
"TotalMilliseconds": <number>,
"TotalMinutes": <number>,
"TotalSeconds": <number>
},
"UserProcessorTime": {
"Ticks": <number>,
"Days": <number>,
"Hours": <number>,
"Milliseconds": <number>,
"Minutes": <number>,
"Seconds": <number>,
"TotalDays": <number>,
"TotalHours": <number>,
"TotalMilliseconds": <number>,
"TotalMinutes": <number>,
"TotalSeconds": <number>
},
"VirtualMemorySize": <number>,
"VirtualMemorySize64": <number>,
"EnableRaisingEvents": <boolean>,
"StandardInput": null,
"StandardOutput": null,
"StandardError": null,
"WorkingSet": <number>,
"WorkingSet64": <number>,
"Site": null,
"Container": null,
"UserName": <string>,
"Name": "inetinfo",
"SI": <number>,
"Handles": <number>,
"VM": <number>,
"WS": <number>,
"PM": <number>,
"NPM": <number>,
"Path": <string>,
"Company": <string>,
"CPU": <number>,
"FileVersion": <string>,
"ProductVersion": <string>,
"Description": <string>,
"Product": <string>,
"__NounName": <string>
},
{
...
}
]
示例 rawProcessWMIInfo.json 文件
注:
rawProcessWMIInfo.json 文件必须位于其中包含有关运行中进程的更多详细信息的同一个工作目录下。可以在 powershell 中使用
Get-WmiObject -Class Win32_Process 命令,将其转换成 JSON 文件并随后保存,以收集进程详细信息。
[
{
"Scope": {
"IsConnected": <boolean>,
"Options": "<text>",
"Path": "<text>"
},
"Path": {
"Path": "<text>",
"RelativePath": "<text>",
"Server": "<text>",
"NamespacePath": "<text>",
"ClassName": "<text>",
"IsClass": <boolean>,
"IsInstance": <boolean>,
"IsSingleton": <boolean>
},
"Options": {
"UseAmendedQualifiers": <boolean>,
"Context": "",
"Timeout": "<text>"
},
"ClassPath": {
"Path": "<text>",
"RelativePath": "<text>",
"Server": "<text>",
"NamespacePath": "<text>",
"ClassName": "<text>",
"IsClass": <boolean>,
"IsInstance": <boolean>,
"IsSingleton": <boolean>
},
"Properties": [
"<text>"
],
"SystemProperties": [
"<text>"
],
"Qualifiers": [
"<text>"
],
"Site": null,
"Container": null,
"PSComputerName": "<text>",
"ProcessName": "<text>",
"Handles": <number>,
"VM": <number>,
"WS": <number>,
"__GENUS": <number>,
"__CLASS": "<text>",
"__SUPERCLASS": "<text>",
"__DYNASTY": "<text>",
"__RELPATH": "<text>",
"__PROPERTY_COUNT": <number>,
"__DERIVATION": [
"<text>"
],
"__SERVER": "<text>",
"__NAMESPACE": "<text>",
"__PATH": "<text>",
"Caption": "<text>",
"CommandLine": null,
"CreationClassName": "<text>",
"CreationDate": "<text>",
"CSCreationClassName": "<text>",
"CSName": "<text>",
"Description": "<text>",
"ExecutablePath": null,
"ExecutionState": null,
"Handle": "<number>",
"HandleCount": <number>,
"InstallDate": null,
"KernelModeTime": <number>,
"MaximumWorkingSetSize": null,
"MinimumWorkingSetSize": null,
"Name": "<text>",
"OSCreationClassName": "<text>",
"OSName": "<text>",
"OtherOperationCount": <number>,
"OtherTransferCount": <number>,
"PageFaults": <number>,
"PageFileUsage": <number>,
"ParentProcessId": <number>,
"PeakPageFileUsage": <number>,
"PeakVirtualSize": <number>,
"PeakWorkingSetSize": <number>,
"Priority": <number>,
"PrivatePageCount": <number>,
"ProcessId": <number>,
"QuotaNonPagedPoolUsage": <number>,
"QuotaPagedPoolUsage": <number>,
"QuotaPeakNonPagedPoolUsage": <number>,
"QuotaPeakPagedPoolUsage": <number>,
"ReadOperationCount": <number>,
"ReadTransferCount": <number>,
"SessionId": <number>,
"Status": null,
"TerminationDate": null,
"ThreadCount": <number>,
"UserModeTime": <number>,
"VirtualSize": <number>,
"WindowsVersion": "<text>",
"WorkingSetSize": <number>,
"WriteOperationCount": <number>,
"WriteTransferCount": <number>
}
]
os.json 文件示例
注:
- os.json 文件必须位于包含设备操作系统特定详细信息的同一工作目录下。可以在 powershell 中使用
(Get-WmiObject -class Win32_OperatingSystem).Caption命令。 - 示例 JSON 中的键非常重要。
--可以是特定于操作系统的任何内容。例如:对于 Windows 2016 Server,<text> 可以是 Microsoft Windows Server 2016 Standard。
{
"network_detailed": [],
"interfaces": [
"------"
],
"ipv6": [
"-:----::----:----:----:----"
],
"ipv4": [
"---.---.---.---"
],
"mac_address": {
"---": "--:--:--:--:--:--"
},
"os_info": "--------------------------------------"
socketsOutFile.txt 文件示例
socketsOutFile.txt 文件必须位于其中包含所有套接字相关信息的同一个工作目录下。可以在 powershell 中使用 (netstat -bano | Out-String) -replace '(?m)^ (TCP|UDP)', '$1' -replace '\r?\n\s+([^\[])', "`t`$1" -replace '\r?\n\s+\[', "`t["”
Active Connections Proto Local Address Foreign Address State PID TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4 Can not obtain ownership information TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 736 RpcSs [svchost.exe] ...
注:
- 要查看任务下的日志,请将这些日志保存到同一工作目录下的 iris-agent.log 文件中。
- 必须通过使用可接受以下参数的
initpowershell 脚本来运行 CPDA:-osOutFile os.json-processOutFile rawProcessInfo.json-socketsOutFile socketsOutFile.txt例如:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Temp\irisAgent\WindowsCollector.ps1 -osOutFile os.json -processOutFile rawProcessInfo.json -socketsOutFile socketsOutFile.txt
- CPDA 必须更新 rawProcessInfo.json、os.json 和 socketsOutFile.txt,以便可在侦测任务中进行读取。
- 可以将 CPDA 文件保存为 .ZIP 文件,并添加自定义 CPDA 配置。
