Hi everyone
I am trying to add prefetch support to osquery (Windows). Prefetch is a Windows artifact that can show evidence of file execution.
However, starting with Windows 8 the prefetch file is compressed using LZXpress Huffman.
Therefore, before osquery can parse the file it must be decompressed.
Currently there are three ways to decompress LZXpress Huffman:
1. Use the built-in Windows functions: Decompress (https://docs.microsoft.com/en-us/windows/win32/api/compressapi/nf-compressapi-decompress) or RtlDecompressBufferEx (https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-rtldecompressbufferex)
2. Use a third-party library to parse the prefetch file (libscca, https://github.com/libyal/libscca)
3. Implement the decompression algorithm manually (go-prefetch, https://github.com/Velocidex/go-prefetch/blob/master/lzxpress.go)
Right now I am trying option 1 before 2 or 3.
In order to decompress LZXpress Huffman, osquery would need an additional Windows library called Cabinet.{dll/lib}.
Right now I am having trouble adding the additional library to osquery.
I've added Cabinet.lib to flags.cmake (where the other Windows lib files are listed) under cmake/flags.cmake; however, it looks like the library is still not getting added to osquery during the build process?
PS C:\Users\bob\Projects\osquery\build> radare2.exe .\osquery\RelWithDebInfo\osqueryd.exe
[0x1417b1910]> il
[Linked libraries]
shlwapi.dll
rpcrt4.dll
kernel32.dll
user32.dll
shell32.dll
ole32.dll
oleaut32.dll
advapi32.dll
ntdll.dll
ws2_32.dll
iphlpapi.dll
netapi32.dll
version.dll
wtsapi32.dll
secur32.dll
dbghelp.dll
dbgeng.dll
bcrypt.dll
crypt32.dll
wintrust.dll
setupapi.dll
userenv.dll
wevtapi.dll
23 libraries
Sadly I'm not an expert in CMakeLists; do I need to modify additional CMakeLists files (or other files) in order for cabinet.dll/lib/header to be included in the final binary?
Thanks!
Hey @User, unfortunately I've hit some issues.
So it turns out that prefetch files apparently cannot be decompressed with Cabinet.dll functions.
Even though the files are compressed with LZXpress Huffman, the compression format/algorithm appears to be slightly different from the LZXpress Huffman algorithm that Cabinet.dll supports.
This kind of makes sense, because all the other public prefetch parsers released so far use the function RtlDecompressBufferEx (ntifs.h) and not Decompress (compressapi.h): https://github.com/EricZimmerman/PECmd, https://gist.github.com/EricZimmerman/95be73f6cd04882e57e6, https://github.com/Velocidex/go-prefetch
Unfortunately, calling RtlDecompressBufferEx requires the Windows Driver Kit (WDK) and would require osquery to call a driver function, which I believe osquery tries to avoid?
(Although the ntifs.h header is part of NTDLL.lib, which osquery does use, the header file is part of the WDK and not the SDK.)
So the only other options to parse a prefetch file are(?):
* include a third-party library (e.g. https://github.com/libyal/libscca)
* implement the decompression algorithm from scratch
Imo, including an additional dependency just to parse a single forensic artifact is kind of overkill/unnecessary?
So implementing the decompression algorithm from scratch is the only possibility?
Luckily, the authors of go-prefetch also implemented the LZXpress Huffman algorithm from scratch in Go (~300 lines) as a backup method in case RtlDecompressBufferEx has issues or if the user wants to decompress prefetch files on macOS or Linux.
I've translated the Go code to C++ (go-prefetch is Apache licensed, so there shouldn't be any licensing issues?), but I'm not getting the same output.
So I'm currently debugging what is causing the issue, but it has been a slow/slightly painful process.
I still plan on working on/finishing it, but I'm also working on other osquery features I would like to add.
I can upload what I have so far to git if you would like to review/take a look?
Or if you have any other ideas or suggestions about different ways to maybe parse prefetch files, that would be great!
I would love to be wrong about the Cabinet.dll decompression support, or if there is a better way of parsing prefetch files.
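The from-scratch decoder discussed above, as an added example that is not code from this thread, from osquery or from go-prefetch: a bounds-checked C++ LZXpress Huffman (MS-XCA "LZ77+Huffman") decompressor for the stream that follows the 8-byte MAM header (signature plus uncompressed size) of a compressed prefetch file, where that uncompressed size is what the caller passes as `outSize`. The function names and the hand-built sample stream in `decodeSample` are assumptions made for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>
// Decode one LZXpress Huffman (MS-XCA "LZ77+Huffman") stream into exactly outSize
// bytes; returns false on malformed input instead of reading or writing out of bounds.
bool lzxpressHuffmanDecompress(const std::vector<uint8_t>& in, size_t outSize,
                               std::vector<uint8_t>& out) {
  out.clear(); size_t pos = 0;  // pos: byte position in the compressed input
  auto read16 = [&](uint32_t& v) {  // next little-endian 16-bit word of the byte stream
    if (pos + 2 > in.size()) return false;
    v = in[pos] | (uint32_t(in[pos + 1]) << 8); pos += 2; return true; };
  while (out.size() < outSize) {  // one iteration per block of up to 64 KiB of output
    if (pos + 256 > in.size()) return false;
    uint8_t lengths[512];  // 256-byte header: one nibble per symbol = Huffman code length
    for (int i = 0; i < 256; ++i) { lengths[2 * i] = in[pos + i] & 0xF; lengths[2 * i + 1] = in[pos + i] >> 4; }
    pos += 256;
    // Canonical code (shorter lengths, then lower symbols, first) as a 15-bit lookup table: (symbol << 4) | length
    std::vector<uint16_t> table(1u << 15, 0); size_t fill = 0;
    for (int len = 1; len <= 15; ++len) for (int sym = 0; sym < 512; ++sym) if (lengths[sym] == len) {
      size_t n = size_t(1) << (15 - len);
      if (fill + n > table.size()) return false;  // over-subscribed code
      while (n--) table[fill++] = uint16_t((sym << 4) | len); }
    if (fill != table.size()) return false;  // incomplete code
    uint32_t hi, lo; if (!read16(hi) || !read16(lo)) return false;
    uint32_t bits = (hi << 16) | lo; int extra = 16;  // 32-bit MSB-first window; 16 bits buffered past the lookahead
    auto consume = [&](int n) { bits <<= n; extra -= n;  // drop n bits, refill from the next word
      if (extra < 0) { uint32_t w; if (!read16(w)) return false; bits |= w << (-extra); extra += 16; }
      return true; };
    for (size_t end = out.size() + 65536 < outSize ? out.size() + 65536 : outSize; out.size() < end;) {
      uint16_t e = table[bits >> 17]; int sym = e >> 4; if (!consume(e & 0xF)) return false;
      if (sym < 256) { out.push_back(uint8_t(sym)); continue; }  // literal byte
      sym -= 256;  // match: low nibble = length - 3, high bits = number of offset bits
      size_t len = (sym & 15) + 3; int offBits = sym >> 4;
      if (len == 18) {  // nibble 15: the length continues in the byte stream
        if (pos >= in.size()) return false; len = in[pos++] + 18;
        if (len == 273) { uint32_t l; if (!read16(l) || l < 15) return false; len = l + 3; } }
      size_t off = offBits ? (bits >> (32 - offBits)) : 0;
      if (!consume(offBits)) return false; off += size_t(1) << offBits;
      if (off > out.size() || out.size() + len > outSize) return false;  // bad back-reference
      for (size_t i = 0; i < len; ++i) { uint8_t c = out[out.size() - off]; out.push_back(c); }  // may overlap
    }
  }
  return true;
}
// Constructed sample (not a real prefetch file): code lengths 'a'=1, 'b'=2, symbol 272 (match, 1 offset bit, length 3)=2; bits 0 10 11 0 encode "ab" + copy(offset 2) -> "ababa".
std::vector<uint8_t> decodeSample() {
  std::vector<uint8_t> in(256, 0), out; in[48] = 0x10; in[49] = 0x02; in[136] = 0x02;
  in.insert(in.end(), {0x00, 0x58, 0x00, 0x00});  // bit stream 0101 1000..., padded to two words
  return lzxpressHuffmanDecompress(in, 5, out) ? out : std::vector<uint8_t>{};
}
```

The same routine can be used to diff a translated decoder against a known-good output byte by byte, which is the quickest way to localise where a port diverges.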