Display all subauthorities for GUID in SRUM (Velocidex#1365)

Genio40921 · Nov 3, 2021 · eced6fc · eced6fc
1 parent 64866f6
commit eced6fc
Show file tree

Hide file tree

Showing 5 changed files with 13 additions and 10 deletions.
diff --git a/constants/constants.go b/constants/constants.go
@@ -23,7 +23,7 @@ import (
 )
 
 const (
-	VERSION                    = "0.6.2-rc2"
+	VERSION                    = "0.6.3-dev"
 	ENROLLMENT_WELL_KNOWN_FLOW = "E:Enrol"
 	MONITORING_WELL_KNOWN_FLOW = FLOW_PREFIX + "Monitoring"
 

diff --git a/vql/parsers/ese/ese.go b/vql/parsers/ese/ese.go
@@ -129,7 +129,7 @@ func (self _SRUMLookupId) Call(
 
 			// Its a GUID
 			if id_details.IdType == 3 {
-				id_details.IdBlob = formatGUI(id_details.IdBlob)
+				id_details.IdBlob = formatGUID(id_details.IdBlob)
 			} else {
 				id_details.IdBlob = formatString(id_details.IdBlob)
 			}
@@ -163,7 +163,7 @@ func formatString(hexencoded string) string {
 	return ParseTerminatedUTF16String(&utils.BufferReaderAt{Buffer: buffer}, 0)
 }
 
-func formatGUI(hexencoded string) string {
+func formatGUID(hexencoded string) string {
 	if len(hexencoded) == 0 {
 		return hexencoded
 	}

diff --git a/vql/parsers/ese/profile_gen.go b/vql/parsers/ese/profile_gen.go
@@ -103,11 +103,11 @@ func (self *SID) Authority2() uint32 {
 }
 
 func (self *SID) Subauthority() []uint32 {
-   return ParseArray_uint32(self.Profile, self.Reader, self.Profile.Off_SID_Subauthority + self.Offset, 2)
+   return ParseArray_uint32(self.Profile, self.Reader, self.Profile.Off_SID_Subauthority + self.Offset, 100)
 }
 
 func ParseArray_uint32(profile *MiscProfile, reader io.ReaderAt, offset int64, count int) []uint32 {
-    result := []uint32{}
+    result := make([]uint32, 0, count)
     for i:=0; i<count; i++ {
       value := ParseUint32(reader, offset)
       result = append(result, value)

diff --git a/vql/parsers/ese/sid.go b/vql/parsers/ese/sid.go
@@ -11,11 +11,14 @@ func (self *SID) String() string {
 	result := fmt.Sprintf("S-%d", uint64(bits.ReverseBytes16(self.Authority()))<<32+
 		uint64(bits.ReverseBytes32(self.Authority2())))
 
-	for _, sub := range self.Subauthority() {
-		if sub != 0 {
-			result += fmt.Sprintf("-%d", sub)
+	sub_authorities := self.Subauthority()
+	for i := 0; i < int(self.SubAuthCount()); i++ {
+		if i > len(sub_authorities) {
+			break
 		}
-	}
 
+		sub := sub_authorities[i]
+		result += fmt.Sprintf("-%d", sub)
+	}
 	return result
 }
diff --git a/vql/parsers/ese/vtype_profile.json b/vql/parsers/ese/vtype_profile.json
@@ -6,7 +6,7 @@
         "Authority2": [4, ["unsigned long"]],
         "Subauthority": [8, ["Array", {
             "target": "unsigned long",
-            "count": 2
+            "count": 100
         }]]
     }],