Bugfix: Windows.Detection.ForwardedImports (#3860)

This artifact intended to use foreach to parallelize the parse_pe() operations but this was not done correctly. Result was very slow operation. Also added progress logging.
Velocidex · Nov 4, 2024 · 47bbacf · 47bbacf
1 parent c517766
commit 47bbacf
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 4 deletions.
diff --git a/artifacts/definitions/Windows/Detection/ForwardedImports.yaml b/artifacts/definitions/Windows/Detection/ForwardedImports.yaml
@@ -20,21 +20,36 @@ parameters:
   - name: ExcludeRegex
     default: WinSXS|Servicing
     type: regex
+  - name: LogPeriod
+    type: int
+    description: How often to log progress in seconds (Default every 1 sec)
+    default: 1
 
 sources:
   - query: |
       LET DLLs = SELECT OSPath, Name,
-             parse_pe(file=OSPath).Forwards AS Forwards,
 
              -- Remove the .dll extension if present to get the bare dll filename.
              lowcase(string=parse_string_with_regex(
-                  regex="^(?P<BareName>[^.]+)", string=Name).BareName) AS DLLBareName
-
+                  regex="^(?P<BareName>[^.]+)", string=Name).BareName) AS DLLBareName,
+             count() AS Total
         FROM glob(globs=DLLGlob)
         WHERE NOT OSPath =~ ExcludeRegex
 
+      LET ParsedDLLs = SELECT *,
+         log(message="Examining %v after checking %v DLLs",
+                     args=[OSPath, Total], dedup= LogPeriod ) AS Log
+      FROM foreach(
+          row=DLLs, workers=20,
+          query={
+              SELECT OSPath, Name,
+                     parse_pe(file=OSPath).Forwards AS Forwards,
+                     DLLBareName, Total
+              FROM scope()
+          })
+
       -- Speed up analysis a bit by using more workers.
-      SELECT * FROM foreach(row=DLLs, workers=20,
+      SELECT * FROM foreach(row=ParsedDLLs,
         query={
            SELECT OSPath AS DllPath, ForwardedImport,
 

diff --git a/gui/velociraptor/src/components/artifacts/line-charts.jsx b/gui/velociraptor/src/components/artifacts/line-charts.jsx
@@ -254,6 +254,10 @@ export class VeloLineChart extends React.Component {
     }
 
     toLocalX = x=>{
+        if(!_.isNumber(x)) {
+            return 0;
+        }
+
         return x;
     }
 
@@ -355,6 +359,11 @@ export class VeloLineChart extends React.Component {
                       animationDuration={300}
                       dot={false} />);
         }
+
+        if(_.isEmpty(lines)) {
+            return <div>{T("No data")}</div>;
+        }
+
         return (
             <div onDoubleClick={this.zoomOut} >
               <ResponsiveContainer width="95%"