Fixed amcache artifacts.

Support "Files" type cache.
Velocidex · Apr 3, 2019 · 32687cc · 32687cc
1 parent 8eb4320
commit 32687cc
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 6 deletions.
diff --git a/artifacts/definitions/detection/psexec_service.yaml b/artifacts/definitions/detection/psexec_service.yaml
@@ -24,9 +24,7 @@ sources:
   - queries:
       - LET file_scan = SELECT File, Rule, Strings, now() AS Timestamp,
                Name, ServiceType
-        FROM yara(rules=yaraRule,
-                  accessor="ntfs",
-                  files=PathName)
+        FROM yara(rules=yaraRule, files=PathName)
         WHERE Rule
 
       - LET service_creation = SELECT Parse.TargetInstance.Name AS Name,

diff --git a/artifacts/definitions/windows/amcache.yaml b/artifacts/definitions/windows/amcache.yaml
@@ -19,9 +19,11 @@ parameters:
   - name: amCacheRegPath
     default: /Root/InventoryApplicationFile/*
 
+precondition: |
+  SELECT OS From info() where OS = 'windows'
+
 sources:
-  - precondition:
-      SELECT OS From info() where OS = 'windows'
+  - name: Windows.System.Amcache.InventoryApplicationFile
     queries:
       - |
         SELECT FileId,
@@ -39,7 +41,26 @@ sources:
             SELECT FullPath from glob(globs=expand(path=amCacheGlob))
           }, query={
             SELECT * from read_reg_key(
-               globs=url(scheme='ntfs', path=FullPath, fragment=amCacheRegPath).String,
+               globs=url(scheme='ntfs', path=FullPath,
+                         fragment=amCacheRegPath).String,
+               accessor='raw_reg'
+            )
+        })
+
+  - name: Windows.System.Amcache.File
+    queries:
+      - |
+        SELECT * FROM foreach(
+          row={
+            SELECT FullPath from glob(globs=expand(path=amCacheGlob))
+          }, query={
+            SELECT get(item=scope(), member="100") As ProductId,
+                   get(item=scope(), member="101") As SHA1,
+                   get(item=scope(), member="15") As FullPath,
+                   timestamp(epoch=Key.Mtime.Sec) as LastModifiedKey
+            FROM read_reg_key(
+               globs=url(scheme='ntfs', path=FullPath,
+                         fragment='/Root/File/*/*').String,
                accessor='raw_reg'
             )
         })
diff --git a/vql/functions/functions.go b/vql/functions/functions.go
@@ -189,8 +189,27 @@ func (self _UTF16) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilte
 	}
 }
 
+
+type _Scope struct{}
+
+func (self _Scope) Call(
+	ctx context.Context,
+	scope *vfilter.Scope,
+	args *vfilter.Dict) vfilter.Any {
+
+	return scope
+}
+
+func (self _Scope) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+	return &vfilter.FunctionInfo{
+		Name:    "scope",
+		Doc:     "return the scope.",
+	}
+}
+
 func init() {
 	vql_subsystem.RegisterFunction(&_Base64Decode{})
+	vql_subsystem.RegisterFunction(&_Scope{})
 	vql_subsystem.RegisterFunction(&_ToInt{})
 	vql_subsystem.RegisterFunction(&_Now{})
 	vql_subsystem.RegisterFunction(&_ToLower{})