diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md index ab541cea..3a15f502 100644 --- a/CHANGELOG-Japanese.md +++ b/CHANGELOG-Japanese.md @@ -16,6 +16,7 @@ - 無効なAPIキーが指定された場合に、VirusTotalの検索でJSONパースエラーが発生する問題を修正した。(@fukusuket) - `sysmon-process-tree`コマンドでプロセス情報が2回出力されることがあるバグを修正した。(#52) (@fukusuket) - `timeline-suspicious-processes`が`ParentPGUID`フィールドを正しく出力していなかったので修正した。また、PIDの10進数変換を改善した。(#50) (@fukusuket) +- 指定された`PGUID`が無効であるか、JSONL タイムラインに存在しない場合にエラーが発生する問題を修正した。 (#53) (@fukusuket) ## 2.0.0 [2022/08/03] - [SANS DFIR Summit 2023 Release](https://www.sans.org/cyber-security-training-events/digital-forensics-summit-2023/) diff --git a/CHANGELOG.md b/CHANGELOG.md index 22a50e47..bdb7e74c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,7 @@ - Fixed a JSON parsing error in VirusTotal lookups when an invalid API key was specified. (@fukusuket) - Fixed a bug in `sysmon-process-tree` in which process information would sometimes be outputted twice. (#52) (@fukusuket) - `timeline-suspicious-processes` was not correctly outputting `ParentPGUID` field. Improved PID decimal conversion. (#50) (@fukusuket) +- Fixed an error when the specified `PGUID` was invalid or does not exist in the JSONL timeline. (#53) (@fukusuket) ## 2.0.0 [2022/08/03] - [SANS DFIR Summit 2023 Release](https://www.sans.org/cyber-security-training-events/digital-forensics-summit-2023/) diff --git a/src/takajo.nim b/src/takajo.nim index ed4fdaf7..091708e5 100644 --- a/src/takajo.nim +++ b/src/takajo.nim @@ -2,6 +2,7 @@ import algorithm import cligen import json import puppy +import re import sets import sequtils import strformat diff --git a/src/takajopkg/sysmonProcessTree.nim b/src/takajopkg/sysmonProcessTree.nim index 602b8f9c..409f127d 100644 --- a/src/takajopkg/sysmonProcessTree.nim +++ b/src/takajopkg/sysmonProcessTree.nim 
@@ -62,6 +62,10 @@ proc moveProcessObjectToChild(mvSourceProcess: processObject, moveProcessObjectToChild(mvSourceProcess, child, outputProcess.children[idx]) +proc isGUID(processGuid: string): bool = + let guidRegex = re(r"^[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}$") + return processGuid.find(guidRegex) != -1 + proc sysmonProcessTree(output: string = "", processGuid: string, quiet: bool = false, timeline: string) = ## Procedure for displaying Sysmon's process tree @@ -77,6 +81,10 @@ proc sysmonProcessTree(output: string = "", processGuid: string, if not isJsonConvertible(timeline): quit(1) + if not isGUID(processGuid): + echo "The format of the Process GUID specified with the -p option is invalid. Please specify a valid Process GUID." + quit(1) + echo "" echo "Running the Process Tree module" echo "" @@ -210,9 +218,6 @@ proc sysmonProcessTree(output: string = "", processGuid: string, processGUID: eventProcessGUID, parentProcessGUID: foundProcessTable["ParentPGUID"]) let key = timeStamp & "-" & process.processID - # if addedProcess.contains(key): - # continue - if not passGuid.contains(eventProcessGUID): passGuid.incl(eventProcessGUID) if not passGuid.contains(process.parentProcessGUID): @@ -227,6 +232,12 @@ proc sysmonProcessTree(output: string = "", processGuid: string, parentProcessGUIDTable[process.parentProcessGUID] = process.processGUID parents_exist = true parents_key = process.processGUID + + if processGuid notin stockedProcessObjectTable: + echo "The process was not found." + echo "" + return + var outputStrSeq: seq[string] = @[] var outputProcessObjectTable = stockedProcessObjectTable 
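Review bot: `isGUID` reaches for `std/re`, which is a binding to libpcre, so this one 36-character shape check gives the takajo binary a runtime dependency on a PCRE shared library being present on the analyst's machine; the 8-4-4-4-12 form can be checked with a plain character-set loop and no import at all. Two smaller points on the same lines: PCRE's `$` also matches before a trailing newline, so `processGuid.find(guidRegex) != -1` accepts a GUID followed by "\n", and `match` would state the anchored intent more directly than `find`. The version below keeps the upper-case-only behaviour of the original regex.

```nim
proc isGUID(processGuid: string): bool =
  ## True for an unbraced 8-4-4-4-12 GUID in upper-case hex, the form -p expects.
  if processGuid.len != 36:
    return false
  for i, c in processGuid:
    let expectHyphen = i in {8, 13, 18, 23}
    if expectHyphen and c != '-':
      return false
    if not expectHyphen and c notin {'0'..'9', 'A'..'F'}:
      return false
  return true
```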
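Review bot: With the commented-out `addedProcess` check deleted, `let key = timeStamp & "-" & process.processID` on the line just above it appears to have lost its only consumer; if nothing further down the loop body (which continues outside this hunk) reads `key`, the binding is now dead and Nim will report it as declared but not used. Either drop that line in the same commit or leave a one-line comment naming what still depends on `key`.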
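Review bot: The new not-found branch ends with `return`, so the command exits with status 0 after printing "The process was not found.", while the malformed-GUID case added earlier in this file ends with `quit(1)`; a script wrapping takajo cannot distinguish a GUID that was absent from the timeline from a successful run. Both diagnostics also go to stdout via `echo`, where they mix with the tree itself whenever `-o` is not given, and when `-o` is given the output file is silently never created. I would write `stderr.writeLine "The process was not found."` and end the branch with `quit(1)` so the two failure paths agree, assuming the rest of the tool treats non-zero as failure (the surrounding `sysmonProcessTree` body runs past both ends of this hunk).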
@@ -247,8 +258,8 @@ proc sysmonProcessTree(output: string = "", processGuid: string, # Display process tree for the specified process root - let root_multi_child = outputProcessObjectTable[parents_key].children.len() > 1 if parents_key != "": + let root_multi_child = outputProcessObjectTable[parents_key].children.len() > 1 outputStrSeq = concat(outputStrSeq, printIndentedProcessTree( outputProcessObjectTable[parents_key], need_sameStair = @[ root_multi_child], parentsStair = false @@ -256,7 +267,7 @@ proc sysmonProcessTree(output: string = "", processGuid: string, elif outputProcessObjectTable.hasKey(processGuid): outputStrSeq = concat(outputStrSeq, printIndentedProcessTree( outputProcessObjectTable[processGuid], need_sameStair = @[ - root_multi_child], parentsStair = false)) + false], parentsStair = false)) if output != "": let f = open(output, fmWrite)
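Review bot: Moving `root_multi_child` under `if parents_key != ""` removes the unconditional index that failed when no parent was found, but `outputProcessObjectTable[parents_key]` is still an unchecked lookup, whereas the `elif` directly below guards the same table with `hasKey`. If `parents_key` can name an entry that `moveProcessObjectToChild` has since removed from `outputProcessObjectTable` (I cannot tell from this hunk), the crash has only moved rather than gone; `if parents_key != "" and outputProcessObjectTable.hasKey(parents_key):` would make the two branches symmetric. The enclosing `sysmonProcessTree` body starts and ends outside this hunk.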
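Review bot: The `elif` branch now passes `need_sameStair = @[false]` as a constant, while the `if parents_key != ""` branch computes the same flag from `children.len() > 1`. If `need_sameStair` carries the same meaning for both roots (whether the root's connector must account for several children), a process with no recorded parent but several children will be drawn as though it had one, and `@[outputProcessObjectTable[processGuid].children.len() > 1]` is the consistent value. If the flag is deliberately irrelevant for a parentless root, a comment such as `# no ancestor is drawn above this root, so the sibling connector is never needed` would spare the next reader the question. The enclosing `sysmonProcessTree` body continues beyond this hunk.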