davidpany / wmi_forensics Goto Github PK

Hey David, This is an awesome tool. However, I just did a POC test with a WMI persistence on a VM and your script did not pick up the persistence. I could view it live using WMI explorer. Any idea what could have caused that.

Using the tool I got the following error:
$ python CCM_RUA_Finder.py -i OBJECTS.DATA "Format" "FolderPath" "ExplorerFileName" "FileSize" "LastUserName" "LastUsedTime" "TimeZoneOffset" "LaunchCount" "Timestamp1" "Timestamp2" "OriginalFileName" "FileDescription" "CompanyName" "ProductName" "ProductVersion" "FileVersion" "AdditionalProductCodes""msiVersion" "msiDisplayName" "SoftwarePropertiesHash" "ProductCode" "ProductLanguage" "msiPublisher" "FilePropertiesHash" Carved_NullDelim "C:\Windows\system32\" "DllHost.exe" " " "GROUPE\lol" "2017-01-23 12:48:05" ="+000" " " " " " " "dllhost.exe" "COM Surrogate" "Microsoft Corporation" "Microsoft� Windows� Operating System" "6.1.7600.16385" "6.1.7600.16385 (win7_rtm.090713-1255)" "" "" "" "" " " "" "" "" Traceback (most recent call last): File "CCM_RUA_Finder.py", line 506, in <module> main() File "CCM_RUA_Finder.py", line 290, in main parse_null_delimited_record(ccm_nulldel_full_match, True, output_file) File "CCM_RUA_Finder.py", line 359, in parse_null_delimited_record file_size = struct.unpack("L", header_data_match.groups()[4])[0] struct.error: unpack requires a string argument of length 8

If you need it I can provide a sample of the file I used it on.

First, I wanted to thank you for sharing your code!

When you have a moment, I was hoping you could look into why the parser is throwing the following exception during the unpack:
File "CCM_RUA_Finder.py", line 361, in parse_null_delimited_record
file_size = struct.unpack("L", header_data_match.groups()[4])[0]
struct.error: unpack requires a string argument of length 8

I have tried two different OBJECTS.DATA files and both give the same results.

When I put in a exception (catch -> ignore) for the parse_null_delimited_record function, I only get minimal records parsed (40+) with several hundred ignored.

I run the following command and receive the following error:

python3 CCM_RUA_Finder.py -i OBJECTS.DATA -o OBJECTS.DATA.xls
                0.0% complete...Traceback (most recent call last):
  File "/Users/Ben/Desktop/elrond_dev/WMI_Forensics/CCM_RUA_Finder.py", line 554, in <module>
    main()
  File "/Users/Ben/Desktop/elrond_dev/WMI_Forensics/CCM_RUA_Finder.py", line 241, in main
    all_ccm_data_set = find_ccm_rua_data(args.input)
  File "/Users/Ben/Desktop/elrond_dev/WMI_Forensics/CCM_RUA_Finder.py", line 191, in find_ccm_rua_data
    if "CCM_RecentlyUsedApps" in current_buffer:
TypeError: a bytes-like object is required, not 'str'

Hey David, This is an awesome tool. However, I just did a POC test with a WMI persistence on a VM and your script did not pick up the persistence. I could view it live using WMI explorer. Any idea what could have caused that.