Unpacking sudoers_timestamp struct
import sys | |
import binascii | |
import struct | |
from ctypes import Union, Structure, c_int, c_long, c_ushort, c_uint, c_short | |
from collections import namedtuple | |
from pprint import pprint | |
# On-disk record written by sudo (from its timestamp.h; check the version that
# produced the file you are parsing):
#
# struct timestamp_entry {
#     unsigned short version;      /* version number */
#     unsigned short size;         /* entry size */
#     unsigned short type;         /* TS_GLOBAL, TS_TTY, TS_PPID */
#     unsigned short flags;        /* TS_DISABLED, TS_ANYUID */
#     uid_t auth_uid;              /* uid to authenticate as */
#     pid_t sid;                   /* session ID associated with tty/ppid */
#     struct timespec start_time;  /* session/ppid start time */
#     struct timespec ts;          /* time stamp (CLOCK_MONOTONIC) */
#     union {
#         dev_t ttydev;            /* tty device number */
#         pid_t ppid;              /* parent pid */
#     } u;
# };
#
# Parsing caveats: the struct is stored in the native layout of the host that
# wrote it. uid_t/pid_t are 4 bytes, but the time_t/long inside struct timespec
# are 4 bytes on ILP32 and 8 bytes on LP64, so the entry is 40 bytes on 32-bit
# hosts and 56 bytes on x86_64 Linux -- use the `size` field instead of assuming
# one width. `ts` is CLOCK_MONOTONIC, i.e. time since boot rather than wall-clock
# time; add the host's boot time to turn it into an absolute timestamp.
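# One decoded record. The field list matches the original gist; `ttydev` is the
# 8-byte union read as dev_t and `ppid` is the same bytes read as pid_t -- only
# one of the two is meaningful, and `type` tells which.
sudoers_timestamp = namedtuple(
    "sudoers_timestamp",
    "version size type flags auth_uid sid start_time_sec start_time_nsec ts_sec ts_nsec ttydev ppid",
)

# Common prefix of every entry: version and the entry's own on-disk size.
_HEADER = struct.Struct("=HH")

# Rest of the entry (everything after the header), keyed by the declared `size`.
# sudo writes the struct in the writing host's native layout, so struct timespec
# is 2x4 bytes on ILP32 and 2x8 bytes on LP64. The trailing 8 bytes are the
# union, kept raw and split into dev_t / pid_t views in parse_entry().
#   40: 32-bit hosts (the single layout the original gist assumed)
#   56: LP64 Linux such as x86_64 -- NOTE(review): verify against the sudo build
#       that produced the file if values look implausible
# Symbolic values for `type`/`flags` (TS_GLOBAL/TS_TTY/TS_PPID, TS_DISABLED/
# TS_ANYUID) live in sudo's timestamp.h; they are printed as raw numbers here.
_LAYOUTS = {
    40: struct.Struct("=HHIiilil8s"),
    56: struct.Struct("=HHIiqqqq8s"),
}


def parse_entry(record):
    """Decode one complete on-disk entry (header included) into a sudoers_timestamp.

    Args:
        record: exactly the bytes of one entry, as delimited by its own `size`
            field (see iter_records()).

    Returns:
        A sudoers_timestamp. `ts_sec`/`ts_nsec` are CLOCK_MONOTONIC per sudo's
        struct comment, i.e. time since boot, not wall-clock time; add the
        host's boot time (on Linux, `btime` from /proc/stat) to get an absolute
        timestamp.

    Raises:
        ValueError: if the record is shorter than a header, its declared size
            is not one of the known layouts, or its length does not match the
            declared size.
    """
    if len(record) < _HEADER.size:
        raise ValueError(f"record too short for a header ({len(record)} bytes)")
    version, size = _HEADER.unpack_from(record)
    layout = _LAYOUTS.get(size)
    if layout is None:
        # Unknown ABI; surface the raw bytes so the analyst can still read them.
        raise ValueError(
            f"unsupported entry size {size} (version {version}); raw: "
            f"{binascii.hexlify(record).decode()}"
        )
    if len(record) != size:
        raise ValueError(f"record length {len(record)} != declared size {size}")
    (
        type_, flags, auth_uid, sid,
        start_sec, start_nsec, ts_sec, ts_nsec, union,
    ) = layout.unpack_from(record, _HEADER.size)
    # dev_t view of the union, and pid_t view of its first four bytes (the
    # original gist read these as two unrelated 32-bit halves, which put the
    # ppid of a TS_PPID entry in the wrong field).
    ttydev = struct.unpack("=Q", union)[0]
    ppid = struct.unpack("=i", union[:4])[0]
    return sudoers_timestamp(
        version, size, type_, flags, auth_uid, sid,
        start_sec, start_nsec, ts_sec, ts_nsec, ttydev, ppid,
    )


def iter_records(blob):
    """Yield (offset, record_bytes) for each entry in a timestamp file image.

    Entries are delimited only by their `size` header, so this walks files of
    any layout, including ones parse_entry() does not know how to decode.

    Args:
        blob: the whole file contents (bytes or memoryview).

    Raises:
        ValueError: on a truncated trailing entry, or on a size smaller than
            the header itself (which would otherwise never advance).
    """
    offset, end = 0, len(blob)
    while offset < end:
        if end - offset < _HEADER.size:
            raise ValueError(f"truncated header at offset {offset}")
        _version, size = _HEADER.unpack_from(blob, offset)
        if size < _HEADER.size:
            raise ValueError(f"bogus entry size {size} at offset {offset}")
        if offset + size > end:
            raise ValueError(
                f"truncated entry at offset {offset}: need {size}, have {end - offset}"
            )
        yield offset, bytes(blob[offset:offset + size])
        offset += size


def main(argv):
    """Dump every entry of the sudo timestamp file named by argv[1].

    Returns a process exit status: 2 on a usage error, 1 if the file could not
    be walked, else 0. Entries that cannot be decoded are reported on stderr
    with their raw bytes and skipped, so one odd record does not hide the rest.
    """
    if len(argv) < 2 or not argv[1]:
        print(f"usage: {argv[0]} <sudo timestamp file>", file=sys.stderr)
        return 2
    # The files live under sudo's run directory (e.g. /run/sudo/ts/<user>) and
    # are normally readable by root only; run as root or copy the file out.
    with open(argv[1], "rb") as fh:
        blob = fh.read()
    try:
        for offset, record in iter_records(blob):
            try:
                pprint(parse_entry(record)._asdict())
            except ValueError as err:
                print(f"entry at offset {offset}: {err}", file=sys.stderr)
    except ValueError as err:
        print(f"{argv[1]}: {err}", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))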