可使用本節內容建立 rawProcessInfo.json、rawProcessWMIInfo.json 和 os.json 檔案。這些指令碼在基於 Windows 作業系統的虛擬機器的自我檢查期間執行,用於收集程序詳細資料、作業系統詳細資料和網路詳細資料。
rawProcessInfo.json 檔案示例
備註:
- 可以使用
Get-Process -IncludeUserName命令,並將其轉換成 JSON 檔案以收集程序詳細資料。 - 示例 JSON 檔案中的金鑰非常重要。
-可以是特定於程序的任何內容。- 使用正確的值變更括號
<>字串,其中- <number> 為整數類型
- <text> 為字串類型
- <boolean> 為 true 或 false
-
<?>也可以為空值
-
{ } 括弧表示特定物件
- [ ] 括弧表示清單,可以包含多個類似的物件。
[
{
"BasePriority": <number>,
"ExitCode": <number>,
"HasExited": <boolean>,
"ExitTime": <time or null>,
"Handle": <number>,
"SafeHandle": {
"IsInvalid": <boolean>,
"IsClosed": <boolean>
},
"HandleCount": <number>,
"Id": <number>,
"MachineName": <string>,
"MainWindowHandle": <number>,
"MainWindowTitle": <string>,
"MainModule": {
"ModuleName": <string>,
"FileName": <string>,
"BaseAddress": <number>,
"ModuleMemorySize": <number>,
"EntryPointAddress": <number>,
"FileVersionInfo": <string>,
"Site": null,
"Container": null
},
"MaxWorkingSet": <number>,
"MinWorkingSet": <number>,
"Modules": [
<string>
],
"NonpagedSystemMemorySize": <number>,
"NonpagedSystemMemorySize64": <number>,
"PagedMemorySize": <number>,
"PagedMemorySize64": <number>,
"PagedSystemMemorySize": <number>,
"PagedSystemMemorySize64": <number>,
"PeakPagedMemorySize": <number>,
"PeakPagedMemorySize64": <number>,
"PeakWorkingSet": <number>,
"PeakWorkingSet64": <number>,
"PeakVirtualMemorySize": <number>,
"PeakVirtualMemorySize64": <number>,
"PriorityBoostEnabled": <boolean>,
"PriorityClass": <number>,
"PrivateMemorySize": <number>,
"PrivateMemorySize64": <number>,
"PrivilegedProcessorTime": {
"Ticks": <number>,
"Days": <number>,
"Hours": <number>,
"Milliseconds": <number>,
"Minutes": <number>,
"Seconds": <number>,
"TotalDays": <number>,
"TotalHours": <number>,
"TotalMilliseconds": <number>,
"TotalMinutes": <number>,
"TotalSeconds": <number>
},
"ProcessName": <string>,
"ProcessorAffinity": <number>,
"Responding": <boolean>,
"SessionId": <number>,
"StartInfo": {
"Verb": <number>,
"Arguments": <number>,
"CreateNoWindow": <boolean>,
"EnvironmentVariables": <string>,
"Environment": “[<key1>, <value>] [<key2>,<value>]",
"RedirectStandardInput": <boolean>,
"RedirectStandardOutput": <boolean>,
"RedirectStandardError": <boolean>,
"StandardErrorEncoding": <string>,
"StandardOutputEncoding": <string>,
"UseShellExecute": <boolean>,
"Verbs": <string>,
"UserName": <string>,
"Password": <string>,
"PasswordInClearText": <string>,
"Domain": <string>,
"LoadUserProfile": <boolean>,
"FileName": <string>,
"WorkingDirectory": <string>,
"ErrorDialog": <boolean>,
"ErrorDialogParentHandle": <number>,
"WindowStyle": <number>
},
"StartTime": <string>,
"SynchronizingObject": null,
"Threads": [
<string1>,
<string2>
],
"TotalProcessorTime": {
"Ticks": <number>,
"Days": <number>,
"Hours": <number>,
"Milliseconds": <number>,
"Minutes": <number>,
"Seconds": <number>,
"TotalDays": <number>,
"TotalHours": <number>,
"TotalMilliseconds": <number>,
"TotalMinutes": <number>,
"TotalSeconds": <number>
},
"UserProcessorTime": {
"Ticks": <number>,
"Days": <number>,
"Hours": <number>,
"Milliseconds": <number>,
"Minutes": <number>,
"Seconds": <number>,
"TotalDays": <number>,
"TotalHours": <number>,
"TotalMilliseconds": <number>,
"TotalMinutes": <number>,
"TotalSeconds": <number>
},
"VirtualMemorySize": <number>,
"VirtualMemorySize64": <number>,
"EnableRaisingEvents": <boolean>,
"StandardInput": null,
"StandardOutput": null,
"StandardError": null,
"WorkingSet": <number>,
"WorkingSet64": <number>,
"Site": null,
"Container": null,
"UserName": <string>,
"Name": "inetinfo",
"SI": <number>,
"Handles": <number>,
"VM": <number>,
"WS": <number>,
"PM": <number>,
"NPM": <number>,
"Path": <string>,
"Company": <string>,
"CPU": <number>,
"FileVersion": <string>,
"ProductVersion": <string>,
"Description": <string>,
"Product": <string>,
"__NounName": <string>
},
{
...
}
]
rawProcessWMIInfo.json 檔案示例
備註:
rawProcessWMIInfo.json 檔案必須位於其中包含有關執行中程序的更多詳細資料的同一個工作目錄下。可以在 powershell 中使用
Get-WmiObject -Class Win32_Process 命令,將其轉換成 JSON 檔案並隨後儲存,以收集程序詳細資料。
[
{
"Scope": {
"IsConnected": <boolean>,
"Options": "<text>",
"Path": "<text>"
},
"Path": {
"Path": "<text>",
"RelativePath": "<text>",
"Server": "<text>",
"NamespacePath": "<text>",
"ClassName": "<text>",
"IsClass": <boolean>,
"IsInstance": <boolean>,
"IsSingleton": <boolean>
},
"Options": {
"UseAmendedQualifiers": <boolean>,
"Context": "",
"Timeout": "<text>"
},
"ClassPath": {
"Path": "<text>",
"RelativePath": "<text>",
"Server": "<text>",
"NamespacePath": "<text>",
"ClassName": "<text>",
"IsClass": <boolean>,
"IsInstance": <boolean>,
"IsSingleton": <boolean>
},
"Properties": [
"<text>"
],
"SystemProperties": [
"<text>"
],
"Qualifiers": [
"<text>"
],
"Site": null,
"Container": null,
"PSComputerName": "<text>",
"ProcessName": "<text>",
"Handles": <number>,
"VM": <number>,
"WS": <number>,
"__GENUS": <number>,
"__CLASS": "<text>",
"__SUPERCLASS": "<text>",
"__DYNASTY": "<text>",
"__RELPATH": "<text>",
"__PROPERTY_COUNT": <number>,
"__DERIVATION": [
"<text>"
],
"__SERVER": "<text>",
"__NAMESPACE": "<text>",
"__PATH": "<text>",
"Caption": "<text>",
"CommandLine": null,
"CreationClassName": "<text>",
"CreationDate": "<text>",
"CSCreationClassName": "<text>",
"CSName": "<text>",
"Description": "<text>",
"ExecutablePath": null,
"ExecutionState": null,
"Handle": "<number>",
"HandleCount": <number>,
"InstallDate": null,
"KernelModeTime": <number>,
"MaximumWorkingSetSize": null,
"MinimumWorkingSetSize": null,
"Name": "<text>",
"OSCreationClassName": "<text>",
"OSName": "<text>",
"OtherOperationCount": <number>,
"OtherTransferCount": <number>,
"PageFaults": <number>,
"PageFileUsage": <number>,
"ParentProcessId": <number>,
"PeakPageFileUsage": <number>,
"PeakVirtualSize": <number>,
"PeakWorkingSetSize": <number>,
"Priority": <number>,
"PrivatePageCount": <number>,
"ProcessId": <number>,
"QuotaNonPagedPoolUsage": <number>,
"QuotaPagedPoolUsage": <number>,
"QuotaPeakNonPagedPoolUsage": <number>,
"QuotaPeakPagedPoolUsage": <number>,
"ReadOperationCount": <number>,
"ReadTransferCount": <number>,
"SessionId": <number>,
"Status": null,
"TerminationDate": null,
"ThreadCount": <number>,
"UserModeTime": <number>,
"VirtualSize": <number>,
"WindowsVersion": "<text>",
"WorkingSetSize": <number>,
"WriteOperationCount": <number>,
"WriteTransferCount": <number>
}
]
os.json 檔案示例
備註:
- os.json 檔案必須位於包含應用裝置作業系統特定詳細資料的同一工作目錄下。可以在 powershell 中使用
(Get-WmiObject -class Win32_OperatingSystem).Caption命令。 - 示例 JSON 中的金鑰非常重要。
--可以是特定於作業系統的任何內容。例如:對於 Windows 2016 Server,<text> 可以是 Microsoft Windows Server 2016 Standard。
{
"network_detailed": [],
"interfaces": [
"------"
],
"ipv6": [
"-:----::----:----:----:----"
],
"ipv4": [
"---.---.---.---"
],
"mac_address": {
"---": "--:--:--:--:--:--"
},
"os_info": "--------------------------------------"
socketsOutFile.txt 檔案示例
socketsOutFile.txt 檔案必須位於其中包含所有通訊端相關資訊的同一工作目錄下。可以在 powershell 中使用 (netstat -bano | Out-String) -replace '(?m)^ (TCP|UDP)', '$1' -replace '\r?\n\s+([^\[])', "`t`$1" -replace '\r?\n\s+\[', "`t["”
Active Connections Proto Local Address Foreign Address State PID TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4 Can not obtain ownership information TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 736 RpcSs [svchost.exe] ...
備註:
- 若要檢視工作下的記錄,請將這些記錄儲存到同一工作目錄下的 iris-agent.log 檔案中。
- CPDA 必須使用可接受以下引數的
initpowershell 指令碼執行:-osOutFile os.json-processOutFile rawProcessInfo.json-socketsOutFile socketsOutFile.txt範例:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Temp\irisAgent\WindowsCollector.ps1 -osOutFile os.json -processOutFile rawProcessInfo.json -socketsOutFile socketsOutFile.txt
- CPDA 必須更新 rawProcessInfo.json、os.json 和 socketsOutFile.txt,以便可在自我檢查工作中進行讀取。
- 可以 .ZIP 檔案形式儲存 CPDA 檔案並新增自訂 CPDA 組態。
