From da9b83c16dab66f530057ef489181ea34db4318e Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Tue, 10 Oct 2023 21:29:21 +0900
Subject: [PATCH 1/3] fix: not output an exception when a PGUID that does not exist in JSONL is specified

---
 src/takajo.nim                      |  1 +
 src/takajopkg/sysmonProcessTree.nim | 21 ++++++++++++++++-----
 2 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/src/takajo.nim b/src/takajo.nim
index ed4fdaf7..091708e5 100644
--- a/src/takajo.nim
+++ b/src/takajo.nim
@@ -2,6 +2,7 @@ import algorithm
 import cligen
 import json
 import puppy
+import re
 import sets
 import sequtils
 import strformat
diff --git a/src/takajopkg/sysmonProcessTree.nim b/src/takajopkg/sysmonProcessTree.nim
index 602b8f9c..409f127d 100644
--- a/src/takajopkg/sysmonProcessTree.nim
+++ b/src/takajopkg/sysmonProcessTree.nim
@@ -62,6 +62,10 @@ proc moveProcessObjectToChild(mvSourceProcess: processObject,
                 moveProcessObjectToChild(mvSourceProcess, child, outputProcess.children[idx])
 
+proc isGUID(processGuid: string): bool =
+    let guidRegex = re(r"^[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}$")
+    return processGuid.find(guidRegex) != -1
+
 proc sysmonProcessTree(output: string = "", processGuid: string,
         quiet: bool = false, timeline: string) =
     ## Procedure for displaying Sysmon's process tree
@@ -77,6 +81,10 @@ proc sysmonProcessTree(output: string = "", processGuid: string,
     if not isJsonConvertible(timeline):
         quit(1)
 
+    if not isGUID(processGuid):
+        echo "The format of the Process GUID specified with the -p option is invalid. Please specify a valid Process GUID."
+        quit(1)
+
     echo ""
     echo "Running the Process Tree module"
     echo ""
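Review bot: `isGUID` accepts only upper-case hex, so a GUID pasted in lower case from another tool is rejected as "invalid" even though the error message in the following hunk never mentions a case requirement; either compile the pattern with `{reIgnoreCase}` and normalise the value with `toUpperAscii` before the table lookups that follow (only if the timeline stores PGUIDs upper-case, which I cannot see from here), or state the requirement in the message. `std/re` also binds to libpcre at run time, so this single format check adds a shared-library dependency to the whole binary unless the project already uses `re` elsewhere; a `strutils`-only check, sketched below, avoids that, assuming `strutils` is already imported by this module. For an anchored pattern, `processGuid.match(guidRegex)` would also read more directly than `find(...) != -1`. sysmonProcessTree's body continues past the hunk.
```nim
proc isGUID(processGuid: string): bool =
    ## True when processGuid has the 8-4-4-4-12 hex layout (any case).
    const groupLens = [8, 4, 4, 4, 12]
    let groups = processGuid.split('-')
    if groups.len != groupLens.len:
        return false
    for i, g in groups:
        if g.len != groupLens[i] or not g.allCharsInSet(HexDigits):
            return false
    return true
```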
@@ -210,9 +218,6 @@ proc sysmonProcessTree(output: string = "", processGuid: string,
                     processGUID: eventProcessGUID,
                     parentProcessGUID: foundProcessTable["ParentPGUID"])
             let key = timeStamp & "-" & process.processID
-            # if addedProcess.contains(key):
-            #     continue
-
             if not passGuid.contains(eventProcessGUID):
                 passGuid.incl(eventProcessGUID)
             if not passGuid.contains(process.parentProcessGUID):
@@ -227,6 +232,12 @@ proc sysmonProcessTree(output: string = "", processGuid: string,
                 parentProcessGUIDTable[process.parentProcessGUID] = process.processGUID
                 parents_exist = true
                 parents_key = process.processGUID
+
+    if processGuid notin stockedProcessObjectTable:
+        echo "The process was not found."
+        echo ""
+        return
+
     var outputStrSeq: seq[string] = @[]
     var outputProcessObjectTable = stockedProcessObjectTable
 
@@ -247,8 +258,8 @@ proc sysmonProcessTree(output: string = "", processGuid: string,
 
 
     # Display process tree for the specified process root
-    let root_multi_child = outputProcessObjectTable[parents_key].children.len() > 1
     if parents_key != "":
+        let root_multi_child = outputProcessObjectTable[parents_key].children.len() > 1
         outputStrSeq = concat(outputStrSeq, printIndentedProcessTree(
             outputProcessObjectTable[parents_key], need_sameStair = @[
             root_multi_child], parentsStair = false
@@ -256,7 +267,7 @@ proc sysmonProcessTree(output: string = "", processGuid: string,
     elif outputProcessObjectTable.hasKey(processGuid):
         outputStrSeq = concat(outputStrSeq, printIndentedProcessTree(
             outputProcessObjectTable[processGuid], need_sameStair = @[
-            root_multi_child], parentsStair = false))
+            false], parentsStair = false))
 
     if output != "":
         let f = open(output, fmWrite)

From 98c8c842483f9f2b20b05b4db99bf0d39c455c2a Mon Sep 17 00:00:00 2001
From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com>
Date: Wed, 11 Oct 2023 08:42:11 +0900
Subject: [PATCH 2/3] update changelog

---
 CHANGELOG-Japanese.md | 1 +
 CHANGELOG.md          | 1 +
 2 files changed, 2 insertions(+)
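Review bot: The not-found path added just before `var outputStrSeq` returns normally, so the process exits 0 and anyone scripting `sysmon-process-tree` cannot tell "PGUID not in timeline" from a tree that was printed, while the invalid-format path earlier in the same proc uses `quit(1)`; unless sysmonProcessTree is also called in-process from elsewhere, `quit(1)` here keeps the two failure modes consistent. The message is also written with `echo` to stdout, where it mixes with the tree output when `-o` is not given; `stderr.writeLine "The process was not found."` keeps it out of captured output. The enclosing proc starts and ends outside this hunk.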
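Review bot: In the `elif outputProcessObjectTable.hasKey(processGuid)` branch the hard-coded `false` drops the child-count information that the `if` branch still computes for its root; if `need_sameStair` is meant to say whether the printed root has more than one child, the unparented root should be treated the same way, with `outputProcessObjectTable[processGuid].children.len() > 1]` in place of `false]`. I cannot see printIndentedProcessTree, so this may be deliberate; if it is, a one-line comment such as `# an unparented root never needs the same-stair marker` would stop the next reader from "fixing" it. The enclosing proc ends outside the hunk.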
diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md
index ab541cea..3a15f502 100644
--- a/CHANGELOG-Japanese.md
+++ b/CHANGELOG-Japanese.md
@@ -16,6 +16,7 @@
 - 無効なAPIキーが指定された場合に、VirusTotalの検索でJSONパースエラーが発生する問題を修正した。(@fukusuket)
 - `sysmon-process-tree`コマンドでプロセス情報が2回出力されることがあるバグを修正した。(#52) (@fukusuket)
 - `timeline-suspicious-processes`が`ParentPGUID`フィールドを正しく出力していなかったので修正した。また、PIDの10進数変換を改善した。(#50) (@fukusuket)
+- 指定された`PGUID`が無効であるか、JSONL タイムラインに存在しない場合にエラーが発生する問題を修正した。 (#53) (@fukusuket)
 
 ## 2.0.0 [2022/08/03] - [SANS DFIR Summit 2023 Release](https://www.sans.org/cyber-security-training-events/digital-forensics-summit-2023/)
 
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 22a50e47..49fc20af 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,6 +16,7 @@
 - Fixed a JSON parsing error in VirusTotal lookups when an invalid API key was specified. (@fukusuket)
 - Fixed a bug in `sysmon-process-tree` in which process information would sometimes be outputted twice. (#52) (@fukusuket)
 - `timeline-suspicious-processes` was not correctly outputting `ParentPGUID` field. Improved PID decimal conversion. (#50) (@fukusuket)
+- Fixed an error when the the specified `PGUID` was invalid or does not exist in the JSONL timeline. (#53) (@fukusuket)
 
 ## 2.0.0 [2022/08/03] - [SANS DFIR Summit 2023 Release](https://www.sans.org/cyber-security-training-events/digital-forensics-summit-2023/)
 

From c4c07d29b5a60646de63d87509f93054a201f865 Mon Sep 17 00:00:00 2001
From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com>
Date: Wed, 11 Oct 2023 08:59:17 +0900
Subject: [PATCH 3/3] fix typo

---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 49fc20af..bdb7e74c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,7 +16,7 @@
 - Fixed a JSON parsing error in VirusTotal lookups when an invalid API key was specified. (@fukusuket)
 - Fixed a bug in `sysmon-process-tree` in which process information would sometimes be outputted twice. (#52) (@fukusuket)
 - `timeline-suspicious-processes` was not correctly outputting `ParentPGUID` field. Improved PID decimal conversion. (#50) (@fukusuket)
-- Fixed an error when the the specified `PGUID` was invalid or does not exist in the JSONL timeline. (#53) (@fukusuket)
+- Fixed an error when the specified `PGUID` was invalid or does not exist in the JSONL timeline. (#53) (@fukusuket)
 
 ## 2.0.0 [2022/08/03] - [SANS DFIR Summit 2023 Release](https://www.sans.org/cyber-security-training-events/digital-forensics-summit-2023/)
 