Fix GUID_AGE in $METADATA (#618)

CERT-Polska · Aug 17, 2021 · 6bb54e6 · 6bb54e6
1 parent 33972d8
commit 6bb54e6
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 16 deletions.
diff --git a/drakrun/drakrun/drakpdb.py b/drakrun/drakrun/drakpdb.py
@@ -351,7 +351,9 @@ def process_struct(struct_info):
     return [struct_info.size, field_info]
 
 
-def make_pdb_profile(filepath, dll_origin_path=None, dll_path=None):
+def make_pdb_profile(
+    filepath, dll_origin_path=None, dll_path=None, dll_symstore_hash=None
+):
     pdb = pdbparse.parse(filepath)
 
     try:
@@ -413,20 +415,21 @@ def make_pdb_profile(filepath, dll_origin_path=None, dll_path=None):
                 profile[target_key][next_sym_name] = mapped
 
     del mapped_syms
-    guid = pdb.STREAM_PDB.GUID
-    guid_str = "%.8X%.4X%.4X%s" % (
-        guid.Data1,
-        guid.Data2,
-        guid.Data3,
-        guid.Data4.hex().upper(),
+    pdb_guid = pdb.STREAM_PDB.GUID
+    pdb_guid_str = "%08x%04x%04x%s" % (
+        pdb_guid.Data1,
+        pdb_guid.Data2,
+        pdb_guid.Data3,
+        pdb_guid.Data4.hex(),
     )
-    symstore_hash = "%s%s" % (guid_str, pdb.STREAM_PDB.Age)
-    base_fn = os.path.splitext(os.path.basename(filepath))[0]
+    pdb_symstore_hash = "%s%x" % (pdb_guid_str, pdb.STREAM_PDB.Age)
+    base_filename = os.path.splitext(os.path.basename(filepath))[0]
 
     profile["$METADATA"] = {
-        "GUID_AGE": symstore_hash,
+        "DLL_GUID_AGE": dll_symstore_hash,
+        "GUID_AGE": pdb_symstore_hash,
         "PDBFile": os.path.basename(filepath),
-        "ProfileClass": base_fn[0].upper() + base_fn[1:].lower(),
+        "ProfileClass": base_filename[0].upper() + base_filename[1:].lower(),
         "Timestamp": pdb.STREAM_PDB.TimeDateStamp.replace(tzinfo=None).strftime(
             "%Y-%m-%d %H:%M:%SZ"
         ),

diff --git a/drakrun/drakrun/draksetup.py b/drakrun/drakrun/draksetup.py
@@ -550,7 +550,7 @@ def on_create_rekall_profile_failure(
 
 
 def create_rekall_profile(injector: Injector, file: DLL, raise_on_error=False):
-    tmp = None
+    pdb_tmp_filepath = None
     cmd = None
     out = None
     try:
@@ -573,11 +573,14 @@ def create_rekall_profile(injector: Injector, file: DLL, raise_on_error=False):
             raise Exception("Some error occurred in injector")
 
         guid = pdb_guid(local_dll_path)
-        tmp = fetch_pdb(guid["filename"], guid["GUID"], PROFILE_DIR)
+        pdb_tmp_filepath = fetch_pdb(guid["filename"], guid["GUID"], PROFILE_DIR)
 
         logging.debug("Parsing PDB into JSON profile...")
         profile = make_pdb_profile(
-            tmp, dll_origin_path=guest_dll_path, dll_path=local_dll_path
+            pdb_tmp_filepath,
+            dll_origin_path=guest_dll_path,
+            dll_path=local_dll_path,
+            dll_symstore_hash=guid["GUID"],
         )
         with open(os.path.join(PROFILE_DIR, f"{file.dest}.json"), "w") as f:
             f.write(profile)
@@ -617,8 +620,8 @@ def create_rekall_profile(injector: Injector, file: DLL, raise_on_error=False):
     finally:
         safe_delete(local_dll_path)
         # was crashing here if the first file reached some exception
-        if tmp is not None:
-            safe_delete(os.path.join(PROFILE_DIR, tmp))
+        if pdb_tmp_filepath is not None:
+            safe_delete(os.path.join(PROFILE_DIR, pdb_tmp_filepath))
 
 
 def extract_explorer_pid(