fox-it / flow.record

Recordization library
GNU Affero General Public License v3.0

Rdump errors in parsing output of target-query in PowerShell #68

Closed l3fdb33f closed 1 year ago

l3fdb33f commented 1 year ago

I installed Dissect via pip install on a fresh Python 3.11 install. Having issues piping anything from target-query to rdump in PowerShell. It always errors with the result ERROR RecordReader('-'): Unknown file format, not a RecordStream

I switched over to cmd.exe to try things out there and was able to pipe it to rdump, but couldn't use the --selector argument as described in the docs; rather than target-query.exe -f prefetch .\WinXP2.E01 | rdump.exe -s '"rpcall" in filename.lower()' I had to use target-query.exe -f prefetch .\WinXP2.E01 | rdump.exe -s "'rpcall' in filename.lower()" for it to parse correctly.

After that I still got an error based on the name filename not existing, even though I see it in the flow records: WARNING Exception in <flow.record.adapter.stream.StreamReader object at 0x0000021C9F7FFD90> for '-': NameError("name 'filename' is not defined") -- skipping to next reader

This is where I seem to be stuck at this point; wondering if you all are seeing these issues on Windows or know what the workarounds are. Thanks!

pyrco commented 1 year ago

Hi @l3fdb33f, thanks for the issue report! I'll try to answer the issues in order.

First the pipe issue with PowerShell. When using target-query to output records, it can behave in 2 ways:

  1. when outputting to the terminal, it will output a string representation of the record,
  2. when outputting to a pipe, it will output the actual record in binary format.

Unfortunately PowerShell does not support putting binary data in a pipe. It will try to interpret it as text, which of course will fail. I searched a bit and it seems there are some workarounds / PowerShell scriptlets that can sort of enable the behavior you're looking for, but these are all quite involved (not a simple "change your command line to xyz" to make it work).

Second the quoting issue. In Windows/cmd.exe the program itself, and not the shell, is responsible for parsing its command line and splitting it into the separate parameters. This is in contrast to Unix/Linux, where the shell parses the command line for you. It means that every program can/will deal with quoting etc. in its own way; this depends on the compiler used to create it. Thus, to get an idea why the " ' ' " form works and the ' " " ' form does not, we would need to know what tool you used to create rdump.exe and what the error message was that you got.

Finally the selector issue. Selectors are basically small Python scriptlets that get (sort of) eval()uated by rdump. The record in the selector is stored in the variable r, which you have to reference explicitly. So changing your command line to:

target-query.exe -f prefetch .\WinXP2.E01 | rdump.exe -s "'rpcall' in r.filename.lower()"

should work (note the added r. in front of filename.lower()).

l3fdb33f commented 1 year ago

Thank you @pyrco, that's very helpful!