mandiant/flare-wmi

[Question] Support for other versions other than xp/win7 ?

priyankn opened this issue · 10 comments

So we were trying to parse a Win 2012 CIM db and consistently get a MissingIndexFileError when passing win7 as an argument with the 2012 db.
Just wanted to make sure that this is expected if we try to parse a CIM belonging to a different version.

Thanks!

Hello,

Do you have the index.btr and mappingX.map in the same folder as
objects.data? You need to get the whole WBEM folder in order to parse the
WMI repo.

Thanks,
Claudiu.

On Friday, October 16, 2015, Priyank Nigam notifications@github.com wrote:

Hey,

Yes, I have Index.btr, Objects.data and Mapping1.map, Mapping2.map and Mapping3.map in a directory, which is supplied as an argument.
I guess this is what constitutes the whole WBEM folder. Correct me if my understanding is incorrect.

Thanks!

Yes. That's correct.
The command line:
WMIParser.exe -p "Path_of_the_folder_where_objects.data_is"

I will try to replicate the issue. Is it Win 2012 or Win 2012 R2?
Can you share your DB?

Thanks,
Claudiu

Well, I wasn't using WMIParser.exe (Was the compiled binary included?)
I used this - python ui.py <xp|win7> /path/to/CIM/directory
The GUI fired up, but the data could not be read. (Something wrong here?)

I am not sure about R1 or R2. Let me get back to you on that in a while.

Hi,

Resurrecting an old thread... is there going to be support for Windows Server 2008? I've used ui.py (with the Win7 option) to view a repo, but I'm not getting anything in the right-hand pane, so I don't think it's parsing properly.

Thanks

Hey @BannersSecret,

I developed the python library on a Windows 10 system, so I'd expect the library to also support Server 2008. Haven't tested this, though.

Do you have a repo that you can share with us, to help triage?

Hi Willi,

Thanks a lot for coming back to me. Apologies, but unfortunately the repo is from a client's machine, so I'm unable to share. However if there's anything I can do to provide you further info, please let me know.

Thanks.

On 30 Jul 2016, at 01:01, Willi Ballenthin notifications@github.com wrote:

Would you mind trying the list.py script and seeing if there is any output? This will help triage whether the issue is within ui.py or the underlying CIM parsing code. Try using both the xp and win7 profiles.
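A pre-flight check for the two triage steps in this thread (Claudiu's note that index.btr, mappingX.map and objects.data must sit in the same folder, and Willi's suggestion to try list.py with both profiles). This is an added example, not code from the flare-wmi project; it assumes only the file names named in the thread and matches them case-insensitively, since copies taken from Windows vary in case.

```python
import os
import re
from typing import Dict, List, Tuple

# Files the thread says must sit together in the WBEM folder.
REQUIRED = ("index.btr", "objects.data")
MAPPING_RE = re.compile(r"^mapping\d+\.map$", re.IGNORECASE)
PROFILES = ("xp", "win7")  # the two profiles ui.py / list.py accept


def classify_names(names: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """Split a directory listing into found (logical name -> on-disk name)
    and missing logical names. Pure function so it is easy to test."""
    found: Dict[str, str] = {}
    missing: List[str] = []
    lower = {n.lower(): n for n in names}
    for req in REQUIRED:
        if req in lower:
            found[req] = lower[req]
        else:
            missing.append(req)
    mappings = sorted(n for n in names if MAPPING_RE.match(n))
    for m in mappings:
        found[m.lower()] = m
    if not mappings:
        # At least one MappingN.map is needed; flag it with a placeholder name.
        missing.append("mapping<N>.map")
    return found, missing


def check_repo_dir(path: str) -> Tuple[Dict[str, str], List[str]]:
    """Run the check against a real directory containing a copied WBEM repo."""
    return classify_names(os.listdir(path))


def triage_commands(path: str, script: str = "list.py") -> List[str]:
    """Commands to try the same repo with both profiles, as suggested above."""
    return [f"python {script} {profile} {path}" for profile in PROFILES]


if __name__ == "__main__":
    import sys
    repo = sys.argv[1] if len(sys.argv) > 1 else "."
    found, missing = check_repo_dir(repo)
    print("found:", ", ".join(sorted(found.values())) or "(none)")
    if missing:
        print("missing (expect a MissingIndexFileError or similar):", ", ".join(missing))
    else:
        print("\n".join(triage_commands(repo)))
```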

Hi Willi,

Sorry for the delay in responding.

I ran list.py and it worked fine. I did some further digging and it turns out I was looking at the wrong data. On a previous engagement, using up.py I'd found the smoking gun in a certain location and was expecting to see it there again. My mistake.

Apologies for the confusion. The tool is working perfectly.

Thanks again,

A


On 30 Jul 2016, at 18:15, Willi Ballenthin notifications@github.com wrote:

@BannersSecret

I'm very excited to hear that you've had success inspecting the WMI repo using these tools. It's recently been radio silent in the WMI forensics world, but I had a feeling there were some quiet analysts doing a good and thorough job :-)

Let me know if there's anything I can help out with in the future.