diff --git a/artifacts/definitions/Windows/Detection/ForwardedImports.yaml b/artifacts/definitions/Windows/Detection/ForwardedImports.yaml
index 341fa345f7..0d731644a1 100644
--- a/artifacts/definitions/Windows/Detection/ForwardedImports.yaml
+++ b/artifacts/definitions/Windows/Detection/ForwardedImports.yaml
@@ -20,21 +20,36 @@ parameters: - name: ExcludeRegex default: WinSXS|Servicing type: regex + - name: LogPeriod + type: int + description: How often to log progress in seconds (Default every 1 sec) + default: 1 sources: - query: | LET DLLs = SELECT OSPath, Name, - parse_pe(file=OSPath).Forwards AS Forwards, -- Remove the .dll extension if present to get the bare dll filename. lowcase(string=parse_string_with_regex( - regex="^(?P[^.]+)", string=Name).BareName) AS DLLBareName - + regex="^(?P[^.]+)", string=Name).BareName) AS DLLBareName, + count() AS Total FROM glob(globs=DLLGlob) WHERE NOT OSPath =~ ExcludeRegex + LET ParsedDLLs = SELECT *, + log(message="Examining %v after checking %v DLLs", + args=[OSPath, Total], dedup= LogPeriod ) AS Log + FROM foreach( + row=DLLs, workers=20, + query={ + SELECT OSPath, Name, + parse_pe(file=OSPath).Forwards AS Forwards, + DLLBareName, Total + FROM scope() + }) + -- Speed up analysis a bit by using more workers. - SELECT * FROM foreach(row=DLLs, workers=20, + SELECT * FROM foreach(row=ParsedDLLs, query={ SELECT OSPath AS DllPath, ForwardedImport,
diff --git a/gui/velociraptor/src/components/artifacts/line-charts.jsx b/gui/velociraptor/src/components/artifacts/line-charts.jsx
index cc5366e5d0..288540b98a 100644
--- a/gui/velociraptor/src/components/artifacts/line-charts.jsx
+++ b/gui/velociraptor/src/components/artifacts/line-charts.jsx
@@ -254,6 +254,10 @@ export class VeloLineChart extends React.Component { } toLocalX = x=>{ + if(!_.isNumber(x)) { + return 0; + } + return x; }
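Review bot: The comment `-- Speed up analysis a bit by using more workers.` is now stale: it still sits above the final `foreach(row=ParsedDLLs, ...)`, which no longer passes `workers`, while the parallel stage is the new `LET ParsedDLLs` query. Move it above `LET ParsedDLLs`, or reword it in place, e.g. `-- PE parsing is parallelised in ParsedDLLs above.` With `workers=20` the rows probably reach `log()` out of glob order, so the `Total` in "after checking %v DLLs" is an approximate progress figure; the `LogPeriod` description could say so. The final query's body continues outside the hunk.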
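Review bot: `_.isNumber(x)` in the new `toLocalX` guard is true for `NaN` and `±Infinity`, so those values still pass through to the chart; `if(!_.isFinite(x)) {` would reject them along with non-numbers. Returning `0` also keeps the bad sample and plots it at the axis origin rather than dropping it, which may mislead on a time axis (inferred, since the callers of `toLocalX` are outside the hunk). A short comment such as `// Chart rows may carry a non-numeric x; fall back to 0 rather than hand the axis an invalid value.` would record the intent.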
@@ -355,6 +359,11 @@ export class VeloLineChart extends React.Component { animationDuration={300} dot={false} />); } + + if(_.isEmpty(lines)) { + return
{T("No data")}
; + } + return (