WithSecureLabs / chainsaw

Rapidly Search and Hunt through Windows Forensic Artefacts
GNU General Public License v3.0

Shim Cache Analysis Errors - input is out of range #176

Closed pdutton-vc closed 1 month ago

pdutton-vc commented 1 month ago

Shim cache analysis of data from a subset of Windows 11 boxes fails with an "input is out of range" error. These boxes have been running a while, and have a few programs installed on them, but I was unable to narrow it down to a specific install. I have not seen this on other Windows flavors, but that may just be me.

The same error is seen whether chainsaw is run on the machine being analyzed or from a Linux box. The same behavior is seen with or without --tspair. The tests were performed using the sample patterns from https://github.com/WithSecureLabs/chainsaw/blob/master/analysis/shimcache_patterns.txt. The tests were with the latest 2.9.2 builds.

Example run:

```
./chainsaw --version
chainsaw 2.9.2

./chainsaw analyse shimcache -r shimcache_patterns.txt -a ./amcache.hve ./system.hve

[chainsaw ASCII-art banner]
By WithSecure Countercept (@FranticTyping, @AlexKornitzer)

[+] Regex file with 15 pattern(s) loaded from "/home/pdutton/chainsaw/shimcache_patterns.txt"
[+] Windows 10 Creators shimcache hive file loaded from "/home/pdutton/chainsaw/system.hve"
[+] Amcache hive file loaded from "/home/pdutton/chainsaw/amcache.hve"
[x] input is out of range
```

Attaching zipped up amcache and system hives:
hives.zip

alexkornitzer commented 1 month ago

Ta for this, I'll try to replicate with the above and get it sorted this week.

alexkornitzer commented 1 month ago

I linked the wrong issue, but this is now fixed by c4d945083137531d71b529f41d49278e910a4923, which will be covered in v2.9.3.