cisagov / CHIRP

A DFIR tool written in Python.
Creative Commons Zero v1.0 Universal

Files not found after scans #10

Closed DASCert closed 3 years ago

DASCert commented 3 years ago

🐛 Summary

Program scans files then appears to hang (already addressed in issue #8). After pressing one or more keys, "Traceback" is produced with multiple "[Errno 2] No such file or directory" and references to %temp%\onefile_dddd_ddd ...ddd

To reproduce

  1. Program was run on virtual Server 2012
  2. User logged in using RDP
  3. PowerShell run as admin
  4. cd to location of downloaded files: C:\Support\Chirp

Expected behavior

Expected program to end normally and produce report

Any helpful log output or screenshots

Output hard to read with current colours so ..

C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp.py:14 in

[Errno 2] No such file or directory: 'C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp.py'

C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp\run.py:19 in run

[Errno 2] No such file or directory: 'C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp\run.py'

C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp\run.py:29 in run_plugins

[Errno 2] No such file or directory: 'C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp\run.py'

C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\asyncio\base_events.py:642 in run_until_complete

[Errno 2] No such file or directory: 'C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\asyncio\base_events.py'

C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp\run.py:43 in _run_coroutines

[Errno 2] No such file or directory: 'C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp\run.py'

C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp\plugins\events\scan.py:128 in run

[Errno 2] No such file or directory: 'C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp\plugins\events\scan.py'

C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\aiomultiprocess\pool.py:145 in results_generator

[Errno 2] No such file or directory: 'C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\aiomultiprocess\pool.py'

C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\aiomultiprocess\pool.py:308 in results

[Errno 2] No such file or directory: 'C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\aiomultiprocess\pool.py'

ProxyException: Traceback (most recent call last):
  File "C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\aiomultiprocess\pool.py", line 110, in run
  File "C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp\plugins\events\scan.py", line 73, in _run
  File "C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp\plugins\events\events.py", line 98, in gather
  File "C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp\plugins\events\events.py", line 67, in process_files
  File "C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\chirp\plugins\events\evtx2json.py", line 160, in iter_evtx2xml
  File "C:\Users\DASTAF~1\AppData\Local\Temp\ONEFIL~2\Evtx\Evtx.py", line 66, in __enter__
FileNotFoundError: [Errno 2] No such file or directory: 'C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx'


DASCert commented 3 years ago

I should also point out that the PowerShell window has frozen at this stage with 7 chirp processes left running.


The first one in the list (5148) is the one I ran. Command line "C:\support\chirp\chirp.exe"

It spawned 5188 command line "C:\support\chirp\chirp.exe" path %temp%\onefile_5148_132605975606473567\chirp.exe (5188)

That one (5188) spawned

  1. PID 1908 command line "C:\support\chirp\chirp.exe" "--multiprocessing-fork" "parent_pid=5188" "pipe_handle=596" path= %temp%\onefile_5148_132605975606473567\chirp.exe (1908)

  2. PID 5372 command line "C:\support\chirp\chirp.exe" "--multiprocessing-fork" "parent_pid=5188" "pipe_handle=1312" path= C:\Users\dastafford\AppData\Local\Temp\onefile_5148_132605975606473567\chirp.exe

  3. PID 336 command line "C:\support\chirp\chirp.exe" "--multiprocessing-fork" "parent_pid=5188" "pipe_handle=1072" path= C:\Users\dastafford\AppData\Local\Temp\onefile_5148_132605975606473567\chirp.exe

  4. PID 3412 command line "C:\support\chirp\chirp.exe" "--multiprocessing-fork" "parent_pid=5188" "pipe_handle=1124" path=C:\Users\dastafford\AppData\Local\Temp\onefile_5148_132605975606473567\chirp.exe

  5. PID 4208 command line = "C:\support\chirp\chirp.exe" "--multiprocessing-fork" "parent_pid=5188" "pipe_handle=1224" path= C:\Users\dastafford\AppData\Local\Temp\onefile_5148_132605975606473567\chirp.exe

All processes continue to consume CPU, create and destroy threads. CTRL+C / CTRL+Break has no effect.
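The process listing above (root chirp.exe, its onefile child, and the "--multiprocessing-fork" workers) can be reconstructed from PowerShell without a third-party tool. The following is an added example, not code from the CHIRP project or from this report; it assumes the image name of interest is chirp.exe and prints each matching process with its parent PID, on-disk path and full command line, so the temp-directory path and the parent_pid / pipe_handle arguments are visible in one place.

```powershell
# Added example, not part of the CHIRP project or this issue.
# Prints every running copy of a given image (assumed here: chirp.exe) as a
# parent/child tree with executable path and command line.
function Show-ImageProcessTree {
    param([string]$ImageName = 'chirp.exe')   # assumption: image name of interest

    # Snapshot all processes once so parent lookups are consistent.
    $all   = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

    $targets = @($all | Where-Object { $_.Name -ieq $ImageName })

    # Roots: matching processes whose parent is not itself a matching process.
    # Caveat: ParentProcessId can point at a PID that has exited and been
    # reused, so a "root" may really be an orphan whose parent is gone.
    $roots = $targets | Where-Object {
        $parent = $byPid[[int]$_.ParentProcessId]
        ($null -eq $parent) -or ($parent.Name -ine $ImageName)
    }

    function Write-Node([object]$proc, [int]$depth) {
        $indent = '  ' * $depth
        '{0}PID {1} (parent {2}) path={3}' -f $indent, $proc.ProcessId, $proc.ParentProcessId, $proc.ExecutablePath
        '{0}    cmd: {1}' -f $indent, $proc.CommandLine
        # Recurse into children regardless of their image name, so helper
        # processes spawned under the tree are not missed.
        foreach ($child in ($all | Where-Object { [int]$_.ParentProcessId -eq [int]$proc.ProcessId })) {
            Write-Node -proc $child -depth ($depth + 1)
        }
    }

    foreach ($r in $roots) { Write-Node -proc $r -depth 0 }
}

Show-ImageProcessTree -ImageName 'chirp.exe'
```

Run it from an elevated PowerShell session, since Win32_Process only exposes CommandLine and ExecutablePath for processes the caller can open. Note that on Windows stopping the root process with Stop-Process does not terminate its children; hung workers left behind have to be stopped by their own PID.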

DeemOnSecurity commented 3 years ago

What version of Chirp is this? This error should have been resolved with v1.0.1 (#9)

DASCert commented 3 years ago

Wasn't sure. Re-downloaded Chirp and ran the program. No "file not found" messages - good news.

Program still frozen at the end. Accepted a few space chars and a couple of EOL but after that, no amount of key pressing seems to have any effect.


Only 3 chirp processes running.

4752: Path: C:\Support\Chirp1.0.1\chirp.exe Command Line: "C:\Support\Chirp1.0.1\chirp.exe"

4732: Path: %temp%\onefile_4752_132607024209899859\chirp.exe Command Line: "C:\Support\Chirp1.0.1\chirp.exe"

4748: Path: %temp%\onefile_4752_132607024209899859\chirp.exe Command Line: "C:\Support\Chirp1.0.1\chirp.exe" "--multiprocessing-fork" "parent_pid=4732" "pipe_handle=556"

DeemOnSecurity commented 3 years ago

Awesome, perfect! That final frozen error was fixed with v1.0.2! So the issue with this machine should be resolved if you use that version. If you do not want to run again, the output should have been generated in the specified folder.