mandiant / flare-wmi

Apache License 2.0

[Question] Support for other versions other than xp/win7 ? #3

Closed priyankn closed 8 years ago

priyankn commented 9 years ago

So we were trying to parse a Win 2012 CIM db and consistently get a MissingIndexFileError when passing win7 as an argument with the 2012 db. Just wanted to make sure that this is expected if we try to parse a CIM belonging to a different version.

Thanks!

cteo13 commented 9 years ago

Hello,

Do you have the index.btr and mappingX.map in the same folder as objects.data? You need to get the whole WBEM folder in order to parse the WMI repo.

Thanks, Claudiu.


priyankn commented 9 years ago

Hey,

Yes, I have Index.btr, Objects.data and Mapping1.map, Mapping2.map and Mapping3.map in a directory, which is supplied as an argument. I guess this is what constitutes the whole WBEM folder. Correct me if my understanding is incorrect.

Thanks!

cteo13 commented 9 years ago

Yes. That's correct. The command line: WMIParser.exe -p "Path_of_the_folder_where_objects.data_is"

I will try to replicate the issue. Is it Win 2012 or Win 2012 R2? Can you share your DB?

Thanks, Claudiu
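A small pre-flight check for the repository file set discussed above, added here as an example; it is not part of flare-wmi. It confirms that Objects.data, Index.btr and at least one MappingN.map sit directly in the supplied directory (compared case-insensitively, since the thread shows both index.btr and Index.btr), which is the usual cause of a MissingIndexFileError when a folder is passed to the parser.

```python
import re
import tempfile
from pathlib import Path

# Files a CIM repository (the WBEM\Repository folder) must contain before
# flare-wmi can parse it: the object store, the B-tree index and at least
# one mapping file (Mapping1.map .. Mapping3.map).
REQUIRED = ("objects.data", "index.btr")
MAPPING_RE = re.compile(r"^mapping[1-3]\.map$", re.IGNORECASE)


def check_repository(directory):
    """Return (ok, report) for the files found directly inside `directory`.

    report maps each required name to its on-disk spelling (or None when
    missing) and "mapping" to the list of mapping files that were found.
    """
    names = {p.name.lower(): p.name for p in Path(directory).iterdir() if p.is_file()}
    report = {req: names.get(req) for req in REQUIRED}
    report["mapping"] = sorted(n for n in names.values() if MAPPING_RE.match(n))
    ok = all(report[req] is not None for req in REQUIRED) and bool(report["mapping"])
    return ok, report


def explain(report):
    """Human-readable lines, one per required file, naming what is missing."""
    lines = [f"{req}: {report[req] or 'MISSING'}" for req in REQUIRED]
    lines.append("mapping files: " + (", ".join(report["mapping"]) or "MISSING"))
    return lines


def build_sample_repo(names):
    """Constructed sample input: a throwaway directory of empty files with the
    given names (a real repository holds binary data, but only names matter here)."""
    d = tempfile.mkdtemp(prefix="wbem_sample_")
    for n in names:
        Path(d, n).touch()
    return d


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    ok, rep = check_repository(target)
    print("\n".join(explain(rep)))
    sys.exit(0 if ok else 1)
```

Run it with the same directory you would hand to ui.py or WMIParser.exe; a non-zero exit means the folder is incomplete.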

priyankn commented 9 years ago

Well, I wasn't using WMIParser.exe (was the compiled binary included?). I used this: python ui.py <xp|win7> /path/to/CIM/directory. The GUI fired up, but the data could not be read (something wrong here?).

I am not sure about R1 or R2. Let me get back to you on that in a while.

BannersSecret commented 8 years ago

Hi,

Resurrecting an old thread... is there going to be support for Windows Server 2008? I've used ui.py (with the Win7 option) to view a repo, but I'm not getting anything in the right-hand pane, so I don't think it's parsing properly.

Thanks

williballenthin commented 8 years ago

Hey @BannersSecret,

I developed the python library on a Windows 10 system, so I'd expect the library to also support Server 2008. Haven't tested this, though.

Do you have a repo that you can share with us, to help triage?

BannersSecret commented 8 years ago

Hi Willi,

Thanks a lot for coming back to me. Apologies, but unfortunately the repo is from a client's machine, so I'm unable to share. However if there's anything I can do to provide you further info, please let me know.

Thanks.


williballenthin commented 8 years ago

Would you mind trying the list.py script and seeing if there is any output? This will help triage whether the issue is within ui.py or the underlying CIM parsing code. Try using both the xp and win7 profiles.

BannersSecret commented 8 years ago

Hi Willi,

Sorry for the delay in responding.

I ran list.py and it worked fine. I did some further digging and it turns out I was looking at the wrong data. On a previous engagement, using up.py I'd found the smoking gun in a certain location and was expecting to see it there again. My mistake.

Apologies for the confusion. The tool is working perfectly.

Thanks again,

A


williballenthin commented 8 years ago

@BannersSecret

I'm very excited to hear that you've had success inspecting the WMI repo using these tools. It's recently been radio silent in the WMI forensics world, but I had a feeling there were some quiet analysts doing a good and thorough job :-)

Let me know if there's anything I can help out with in the future.