Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Shim Cache Analysis Errors - input is out of range #176

Closed
pdutton-vc opened this issue Aug 9, 2024 · 2 comments
Closed

Shim Cache Analysis Errors - input is out of range #176

pdutton-vc opened this issue Aug 9, 2024 · 2 comments
Assignees
Labels
bug Something isn't working

Comments

@pdutton-vc
Copy link

Shim cache analysis of data from a subset of Windows 11 boxes fails with an "input is out of range" error. These boxes have been running a while, and have a few programs installed on them, but I was unable to narrow it down to a specific install. I have not seen this on other Windows flavors, but that may just be me.

The same error is seen when chainsaw is run from on the machine being analyzed, or when from a linux box. The same behavior is seen with or without --tspair. The tests were performed using the sample patterns from https://github.com/WithSecureLabs/chainsaw/blob/master/analysis/shimcache_patterns.txt. The tests were with latest 2.9.2 builds.


Example Run:

./chainsaw --version
chainsaw 2.9.2

./chainsaw analyse shimcache -r shimcache_patterns.txt -a ./amcache.hve ./system.hve

██████╗██╗ ██╗ █████╗ ██╗███╗ ██╗███████╗ █████╗ ██╗ ██╗
██╔════╝██║ ██║██╔══██╗██║████╗ ██║██╔════╝██╔══██╗██║ ██║
██║ ███████║███████║██║██╔██╗ ██║███████╗███████║██║ █╗ ██║
██║ ██╔══██║██╔══██║██║██║╚██╗██║╚════██║██╔══██║██║███╗██║
╚██████╗██║ ██║██║ ██║██║██║ ╚████║███████║██║ ██║╚███╔███╔╝
╚═════╝╚═╝ ╚═╝╚═╝ ╚═╝╚═╝╚═╝ ╚═══╝╚══════╝╚═╝ ╚═╝ ╚══╝╚══╝
By WithSecure Countercept (@FranticTyping, @alexkornitzer)

[+] Regex file with 15 pattern(s) loaded from "/home/pdutton/chainsaw/shimcache_patterns.txt"
[+] Windows 10 Creators shimcache hive file loaded from "/home/pdutton/chainsaw/system.hve"
[+] Amcache hive file loaded from "/home/pdutton/chainsaw/amcache.hve"
[x] input is out of range

Attaching zipped up amcache and system hives:
hives.zip

@alexkornitzer
Copy link
Collaborator

Ta for this, i'll try to replicate with the above and get it sorted this week.

@alexkornitzer alexkornitzer self-assigned this Aug 19, 2024
@alexkornitzer alexkornitzer added the bug Something isn't working label Aug 19, 2024
@alexkornitzer
Copy link
Collaborator

I linked the wrong issue but this is now fixed by c4d9450 which will be covered in v2.9.3

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

2 participants