Velocidex / go-ese

Go implementation of an Extensible Storage Engine parser
Apache License 2.0

Error Parsing UAL ESE Database #10

Closed 13Cubed closed 2 years ago

13Cubed commented 3 years ago

I am trying to incorporate this library as part of a larger GoLang utility that will parse the User Access Logging (UAL) databases from a Windows Server machine. Current.mdb, one of the core UAL databases, will open and mostly parse with the exception of the first two columns: RoleGuid and TenantId. The errors generated are: "Can not handle column X fixed data."

It appears it is attempting to parse the column incorrectly within Catalog.go (https://github.com/Velocidex/go-ese/blob/master/parser/catalog.go).

Is there some way to work around this? I can provide a sample database if it helps.

scudette commented 3 years ago

Please provide a sample database. It's possible that we don't correctly decode that column type.

scudette commented 3 years ago

I can see some samples here https://github.com/brimorlabs/KStrike

It looks like the columns are of type GUID which we might not parse yet

$ ./eseparser catalog KStrike/Sample_UAL/HyperV-PC/Current.mdb
...
[CLIENTS] (FDP 0x21):
   Columns
      0    RoleGuid                      GUID
      1    TenantId                      GUID
      2    TotalAccesses                 Unsigned long
      3    InsertDate                    DateTime
      4    LastAccess                    DateTime

13Cubed commented 3 years ago

Correct, you beat me to it. :)

Would this be functionality that is easy to add? Or alternatively, if we add the functionality is there a way to do a pull request to incorporate it in this project?

Richard


scudette commented 3 years ago

Yep almost there

13Cubed commented 3 years ago

I appreciate the quick response. Let me know if there is anything I can do to assist or test.

scudette commented 3 years ago

Thank you for raising this issue - I have submitted this https://github.com/Velocidex/velociraptor/issues/1102 so testing would be nice :-).

Otherwise you can just see the raw data using something like

eseparser dump Current.mdb CLIENTS

As done by the test https://github.com/Velocidex/go-ese/blob/14a5c1831296542bd513ea85b9ec0dc46e323680/parser_test.go#L33
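An added example, not code from go-ese itself: a stand-alone decoder for the 16-byte fixed data of an ESE GUID column such as RoleGuid or TenantId. It assumes the bytes use the Windows GUID struct layout (Data1, Data2 and Data3 little-endian, Data4 in byte order) and rejects any other width instead of silently misreading the row; the sample bytes are constructed, not taken from a real UAL database.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// guidColumnSize is the fixed-data width of an ESE GUID column (JET_coltypGUID).
const guidColumnSize = 16

// DecodeGUID renders the fixed-data bytes of a GUID column as the usual
// {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} string. Assumed layout: the
// Windows GUID struct, i.e. Data1 (uint32) and Data2/Data3 (uint16) stored
// little-endian, followed by the 8 bytes of Data4 in byte order.
// A column whose fixed data is not exactly 16 bytes is reported as an error
// rather than decoded, mirroring the "can not handle fixed data" failure
// described in the thread.
func DecodeGUID(b []byte) (string, error) {
	if len(b) != guidColumnSize {
		return "", fmt.Errorf("GUID column: expected %d fixed-data bytes, got %d",
			guidColumnSize, len(b))
	}
	d1 := binary.LittleEndian.Uint32(b[0:4])
	d2 := binary.LittleEndian.Uint16(b[4:6])
	d3 := binary.LittleEndian.Uint16(b[6:8])
	return fmt.Sprintf("{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}",
		d1, d2, d3, b[8], b[9], b[10], b[11], b[12], b[13], b[14], b[15]), nil
}

// sampleRoleGuid is a constructed 16-byte value standing in for the raw
// fixed data of a RoleGuid cell; it encodes {10A685A3-1B6C-4B3E-A9F2-0123456789AB}.
var sampleRoleGuid = []byte{
	0xA3, 0x85, 0xA6, 0x10, // Data1 = 0x10A685A3, little-endian
	0x6C, 0x1B, // Data2 = 0x1B6C, little-endian
	0x3E, 0x4B, // Data3 = 0x4B3E, little-endian
	0xA9, 0xF2, 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, // Data4 in byte order
}

func main() {
	guid, err := DecodeGUID(sampleRoleGuid)
	if err != nil {
		fmt.Println("decode failed:", err)
		return
	}
	fmt.Println("RoleGuid:", guid)
	// Truncated fixed data is rejected instead of being misread.
	_, err = DecodeGUID(sampleRoleGuid[:15])
	fmt.Println("truncated cell:", err)
}
```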

13Cubed commented 3 years ago

Wonderful, thank you! I will perform testing tomorrow morning and get back with you shortly.

Richard


13Cubed commented 3 years ago

Actually I had some time this evening and just tested with all of my sample data. No issues and everything worked!

I really appreciate you adding this functionality.

Richard
