0

Can someone provide an example of how to loop through this object in python and pull out 'value' where api = 'interesting' and arguments.name = 'FileName'?

Here is what I have so far.
This object has many more processes and calls....output has been omitted.

edit: I should mention that I am getting the following error when running this code: "TypeError: list indices must be integers, not str" 

for k, v in object['behavior']['processes']['calls'].items():
            if v['api'] == "interesting":
                           <loop through arguments next>

Object:

{"behavior": {
    "processes": [
        {
        "parent_id": "312", 
        "process_name": "test.exe", 
        "process_id": "1184", 
        "first_seen": "2013-03-02 17:22:48,359", 
        "calls": [
            {
            "category": "filesystem", 
            "status": "FAILURE", 
            "return": "0xc000003a", 
            "timestamp": "2013-03-02 17:22:48,519", 
            "thread_id": "364", 
            "repeated": 0, 
            "api": "interesting", 
            "arguments": [
                {
                "name": "FileHandle", 
                "value": "0x00000000"
                }, 
                {
                "name": "DesiredAccess", 
                "value": "0x80100080"
                }, 
                {
                "name": "FileName", 
                "value": "c:\\cgvi5r6i\\vgdgfd.72g"
                }, ...
Improve this question
1
  • 1
    What's wrong with carrying on with what you've started? Commented Mar 11, 2013 at 3:00

3 Answers 3

Reset to default
1

What you've given as a starter in the question won't work because you are not iterating through the elements of the lists that are the values to the keys "processes" and "calls" respectively. That is, you will need something more like

for proc in object ['processes']:
    for call in proc ['calls']:
        if call ['api'] == "interesting":
            fname = None
            for arg in call ['arguments']:
                if arg ['name'] == "FileName":
                    fname = arg ['value']

Then the file name you're looking for will be in fname. This has no error checking, since I don't know where your data has come from.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Everyone who has provided input has been correct but in the end I wound up using this code. Thank you all very much.
1

What you're doing seems OK, but

  1. Your indexes are off (look carefully there are lists
  2. Your check seems to be invalid (v is a string, so v['api'] is invalid).

So, try doing this instead, (I've taken your object as i)

for k, v in i['behavior']['processes'][0]['calls'][0].items():
    if k == 'api' and v == "interesting":
        print k,v

OR

for dct in i['behavior']['processes'][0]['calls']:
    if dct['api'] == "interesting":
        print 'api',dct['api']

OR

for dct in i['behavior']['processes'][0]['calls']:
    for k,v in dct.items():
        if k == 'api' and  v =="interesting":
            print 'api',dct['api']

OR if the there are multiple parts to each list,

for proc in i['behavior']['processes']:
    for call in proc['calls']:
        print 'api =>',call['api'] # a if here
        for args in call['arguments']:
            print '   argument.name =>',args['name'] # and another if here should do the trick.

Why you get the error
Try the following piece of code, and you'll understand what you were doing wrong

print type(i['behavior']['processes'])
print type(i['behavior']['processes'][0])
print type(i['behavior']['processes'][0]['calls'])
print type(i['behavior']['processes'][0]['calls'][0])
Improve this answer

Comments

0 
object['behavior']['processes']['calls']

is a list, not dict.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.