Closed Donovoi closed 2 years ago
AndrewRathbun
commented
2 years ago @Donovoi sorry for the delay, I must've accidentally deleted the email notification for this Issue being created. Truly apologize!
I'm working on version 3 of the script right now. Hope to have it up shortly. I will hold off on addressing any of this until that's out as it may solve some of those issues you're seeing!
Donovoi
commented
2 years ago Sounds good thanks @AndrewRathbun!
AndrewRathbun
commented
2 years ago Sounds good thanks @AndrewRathbun!
https://github.com/AndrewRathbun/KAPE-EZToolsAncillaryUpdater/releases/tag/3.0
Please provide feedback when able!
Donovoi
commented
2 years ago I'm also sorry for the delay Andrew as I only just saw this one!
amazing work, the script looks well written and organised.
A few things:
When running the script I can choose .net 4 or .net 6 but not both. Is there a reason for this? Because the script calls Get-ZimmermanTools, a message is output to the console which can be a bit confusing: Use -NetVersion to control which version of the software you get (4 or 6). Default is getting both versions
Running the script the first time worked well with no errors. Running it the second time produced errors. Have a look at my Output below:
My thoughts here are we don't need to run the Move-EZToolsNET6 function if we have already got the latest tools in the correct folder. But you can just add a check in Move-EZToolsNET6 on line 348 to see if the tools are in the $kapeModulesBin\ZimmermanTools\net6\ folder.
You've definitely improved this script 10 fold. Great work with the logging too, though I would like to see errors output to those logs as well.
Happy to do a pull request for any of these and more. Just let me know :)
AndrewRathbun
commented
2 years ago @Donovoi
- When running the script I can choose .net 4 or .net 6 but not both. Is there a reason for this? Because the script calls Get-ZimmermanTools, a message is output to the console which can be a bit confusing:
Use -NetVersion to control which version of the software you get (4 or 6). Default is getting both versions
KAPE Modules are going to look for a single binary in a single path within .\KAPE\Modules\bin, for example:
Description: 'EvtxECmd: process event log files'
Category: EventLogs
Author: Eric Zimmerman
Version: 1.0
Id: 1b66f0e2-2ccf-467d-ae15-a2b3dc59df08
BinaryUrl: https://f001.backblazeb2.com/file/EricZimmermanTools/EvtxExplorer.zip
ExportFormat: csv
Processors:
-
Executable: EvtxECmd\EvtxECmd.exe
CommandLine: -d %sourceDirectory% --csv %destinationDirectory%
ExportFormat: csv
-
Executable: EvtxECmd\EvtxECmd.exe
CommandLine: -d %sourceDirectory% --xml %destinationDirectory%
ExportFormat: xml
-
Executable: EvtxECmd\EvtxECmd.exe
CommandLine: -d %sourceDirectory% --json %destinationDirectory%
ExportFormat: jsonThat Executable: line is looking for EvtxECmd\EvtxECmd.exe within .\KAPE\Modules\bin, so that needs to be either a .NET 4 or .NET 6 version of the tool, not both. I hope that helps make sense as to why the script is operating the way it does. Let me know if you have any thoughts with that information in mind.
- Running the script the first time worked well with no errors. Running it the second time produced errors. Have a look at my Output below:
PowerShell Output My thoughts here are we don't need to run the Move-EZToolsNET6 function if we have already got the latest tools in the correct folder. But you can just add a check in Move-EZToolsNET6 on line 348 to see if the tools are in the
$kapeModulesBin\ZimmermanTools\net6\folder.
Again, the desired version of the EZ Tool binary needs to be in the position that the KAPE Module is looking for it, so we need to move the .NET 6 versions of the tools into the appropriate place for KAPE to pick up on them with the way the Modules are written.
- Also we are downloading the maps every time. Is there a way to check that we are up to date and not download them? Maybe a checksum of a zip? It might be an issue I need to raise with whoever makes EvtxECmd.exe
I would like to think you know who makes EvtxECmd.exe :) it's the same person who makes KAPE and all the other tools that ship with KAPE! Yes, even if we don't delete the Maps in the script, you're still cloning the Maps from the respective GitHub repo and then doing a compare locally. Why do I make the script delete the existing Maps/batch files? I have solved many, many problems people have had with KAPE because they have extremely outdated Maps, Batch Files, etc, and the solution has always been to delete the folder and run a sync. Problem solved! This portion of the script has been crafted with over a year+ of experience in troubleshooting KAPE with end users.
Please advise based on the info above what you think next steps should be, if any.
Thanks,
Andrew
EricZimmerman
commented
2 years ago 3. Also we are downloading the maps every time. Is there a way to check that we are up to date and not download them? Maybe a checksum of a zip? It might be an issue I need to raise with whoever makes EvtxECmd.exe
that would be me. the maps are small enough it doesnt warrant the amount of work to checksum the zip, upload the new one, etc.
Donovoi
commented
2 years ago Awesome thank you @AndrewRathbun & @EricZimmerman I understand why those choices were made, and they make sense!
I still think we need to check if the executables are in the folder before trying to move them, to prevent the error as per:
Running the script the first time worked well with no errors. Running it the second time produced errors. Have a look at my Output below:
My thoughts here are we don't need to run the Move-EZToolsNET6 function if we have already got the latest tools in the correct folder. But you can just add a check in Move-EZToolsNET6 on line 348 to see if the tools are in the $kapeModulesBin\ZimmermanTools\net6\ folder.
And we should be logging the error to the log file you've set up.
If you agree to the two things above, I'm happy to do a pull request if it will help.
Just lastly - If I'm at a remote location doing triage on a live machine - and for some reason one version of the binaries don't work, I'd like to be able to try the other version and have it already available to me (especially if I'm in an offline environment).
This won't be an issue I guess if .NET 6 binaries are backwards compatible, or we publish all exe's as Single File Apps as per https://dotnetcoretutorials.com/2021/11/10/single-file-apps-in-net-6/
I'll post this to Eric's repo as something to consider (if he hasn't already).
EricZimmerman
commented
2 years ago no way i am building 60 Mb EXEs to download if net 6 is not installed. people can do that if they want, but thats crazy to me.
net 6 stuff is not backward compatible. you need .net 6 runtime for them to work. the net 4 stuff should work just about everywhere tho
Donovoi
commented
2 years ago Awesome that makes sense thank you Eric!
Get Outlook for Androidhttps://aka.ms/AAb9ysg
From: Eric @.> Sent: Thursday, March 17, 2022 6:40:17 AM To: AndrewRathbun/KAPE-EZToolsAncillaryUpdater @.> Cc: Michael Moran @.>; Mention @.> Subject: Re: [AndrewRathbun/KAPE-EZToolsAncillaryUpdater] Not checking for and downloading/creating directories/files that might be referenced later (Issue #2)
no way i am building 60 Mb EXEs to download if net 6 is not installed. people can do that if they want, but thats crazy to me.
net 6 stuff is not backward compatible. you need .net 6 runtime for them to work. the net 4 stuff should work just about everywhere tho
— Reply to this email directly, view it on GitHubhttps://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FAndrewRathbun%2FKAPE-EZToolsAncillaryUpdater%2Fissues%2F2%23issuecomment-1069544614&data=04%7C01%7C%7C698fe2bae38b45a1225108da0784cd45%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637830564205100390%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=7BYxIDSUC0N%2BB2DhfL252Off2jcp2n0r3ITSC0LKktc%3D&reserved=0, or unsubscribehttps://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAF5EQS6KU3VFZ2OHO2PR6MLVAI2KDANCNFSM5OT5SWHA&data=04%7C01%7C%7C698fe2bae38b45a1225108da0784cd45%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637830564205100390%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=cYyF01wXNPtciqHYg%2BQrOE%2Fjqos0HwbwXOEPqsSViII%3D&reserved=0. You are receiving this because you were mentioned.Message ID: @.***>
AndrewRathbun
commented
2 years ago Any error handling you want to add, I ask you simply use the Log function that's already being used script-wide to keep things consistent.
In regards to checking for if the executables are there before we move them, if you wanna do a PR with Test-Path and all that other fun stuff, by all means! When merged, I will resign and republish.
Donovoi
commented
2 years ago Awesome thanks Andrew! I'll get that done
Get Outlook for Androidhttps://aka.ms/AAb9ysg
From: Andrew Rathbun @.> Sent: Thursday, March 17, 2022 7:02:21 AM To: AndrewRathbun/KAPE-EZToolsAncillaryUpdater @.> Cc: Michael Moran @.>; Mention @.> Subject: Re: [AndrewRathbun/KAPE-EZToolsAncillaryUpdater] Not checking for and downloading/creating directories/files that might be referenced later (Issue #2)
Any error handling you want to add, I ask you simply use the Log function that's already being used script-wide to keep things consistent.
In regards to checking for if the executables are there before we move them, if you wanna do a PR with Test-Path and all that other fun stuff, by all means! When merged, I will resign and republish.
— Reply to this email directly, view it on GitHubhttps://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FAndrewRathbun%2FKAPE-EZToolsAncillaryUpdater%2Fissues%2F2%23issuecomment-1069562450&data=04%7C01%7C%7C9f0ed2ce5c78443b706308da0787e1f8%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637830577437292565%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=FavdGZ4FKcZOwLuCeBI5HuYTnvSHlMPhtgcn8jsK2wY%3D&reserved=0, or unsubscribehttps://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAF5EQS24F5GN3VZEPWCAEATVAI443ANCNFSM5OT5SWHA&data=04%7C01%7C%7C9f0ed2ce5c78443b706308da0787e1f8%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637830577437292565%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=wwRkJnd0X8VYNrIHMyFV3U1YqBn1Hx31upHjBNgkSJk%3D&reserved=0. You are receiving this because you were mentioned.Message ID: @.***>
Hi Andrew,
Love your work, keep it up!
At the moment I'm having an issue with the script, I'm using for the first time and getting the below errors:
Which also are related to the errors below:
A few things I noticed:
&in front of the Cmdlet. I don't believe you need this. Is there a reason for that? It's pretty similar to sayingInvoke-Expression "Copy-Item -Path $PSScriptRoot\ZimmermanTools\EvtxExplorer -Destination $binPath\EvtxECmd -Recurse -Force"but Copy-Item will work fine on its own.P.S I'm neither programmer nor expert, but if there is something I think I can improve I will let you know.