From 4df825e5046f45bb918697beaba9e975b1ae561c Mon Sep 17 00:00:00 2001 From: Brian Carrier Date: Wed, 28 Mar 2018 22:05:34 -0400 Subject: [PATCH 1/2] More line bounds checking --- .../volatilityDSP/VolatilityProcessor.java | 79 +++++++++---------- 1 file changed, 37 insertions(+), 42 deletions(-) diff --git a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/VolatilityProcessor.java b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/VolatilityProcessor.java index dc2ccc296c..add8763e2e 100644 --- a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/VolatilityProcessor.java +++ b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/VolatilityProcessor.java @@ -384,16 +384,23 @@ class VolatilityProcessor { return ""; filePath = filePath.trim(); - - // strip C: and \??\C: - if (filePath.contains(":")) { - filePath = filePath.substring(filePath.indexOf(":") + 1); - } - // change slash direction filePath = filePath.replaceAll("\\\\", "/"); filePath = filePath.toLowerCase(); + // \??\c:\windows ... + if ((filePath.length() > 4) && (filePath.startsWith("/??/"))) { + filePath = filePath.substring(4); + } + + // strip C: + if (filePath.contains(":")) { + int index = filePath.indexOf(":"); + if (index+1 < filePath.length()) + filePath = filePath.substring(index + 1); + } + + filePath = filePath.replaceAll("/systemroot/", "/windows/"); // catches 1 type of file in cmdline filePath = filePath.replaceAll("%systemroot%", "/windows/"); @@ -402,7 +409,9 @@ class VolatilityProcessor { // example: \Device\clfs\Device\HarddiskVolume2\Users\joe\AppData\Local\Microsoft\Windows\UsrClass.dat{e15d4b01-1598-11e8-93e6-080027b5e733}.TM if (filePath.contains("/harddiskvolume")) { // 16 advances beyond harddiskvolume and the number - filePath = filePath.substring(filePath.indexOf("/harddiskvolume") + 16); + int index = filePath.indexOf("/harddiskvolume"); + if (index+16 < filePath.length()) + filePath = filePath.substring(index + 16); } // no point returning these. We won't map to them @@ -456,35 +465,13 @@ class VolatilityProcessor { try (BufferedReader br = new BufferedReader(new FileReader(pluginFile))) { String line; while ((line = br.readLine()) != null) { - - String TAG = "Command line : "; - if (line.startsWith(TAG)) { - - if(line.length() > TAG.length()) { - String file_path; - - // Command line : "C:\Program Files\VMware\VMware Tools\vmacthlp.exe" - // grab whats inbetween the quotes - if (line.charAt(TAG.length()) == '\"') { - file_path = line.substring(TAG.length() + 1); - if (file_path.contains("\"")) { - file_path = file_path.substring(0, file_path.indexOf("\"")); - } - } - // Command line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 - // grab everything before the next space - we don't want arguments - else { - file_path = line.substring(TAG.length()); - if (file_path.contains(" ")) { - file_path = file_path.substring(0, file_path.indexOf(" ")); - } - } - fileSet.add(normalizePath(file_path)); - } - } + + // we skip the Command Line entries because that data + // is also in the 0x lines (and is more likely to have a full path there. + // 0x4a680000 0x5000 0xffff \??\C:\WINDOWS\system32\csrss.exe // 0x7c900000 0xb2000 0xffff C:\WINDOWS\system32\ntdll.dll - else if (line.startsWith("0x") && line.length() > 33) { + if (line.startsWith("0x") && line.length() > 33) { // These lines do not have arguments String file_path = line.substring(33); fileSet.add(normalizePath(file_path)); @@ -506,8 +493,9 @@ class VolatilityProcessor { // read the first line from the text file while ((line = br.readLine()) != null) { try { - String file_path; - file_path = line.substring(41); + if (line.length() < 41) + continue; + String file_path = line.substring(41); fileSet.add(normalizePath(file_path)); } catch (StringIndexOutOfBoundsException ex) { // TO DO Catch exception @@ -530,7 +518,7 @@ class VolatilityProcessor { while ((line = br.readLine()) != null) { if (line.length() > 16) { String TAG = "Command line : "; - if (line.startsWith(TAG)) { + if ((line.startsWith(TAG)) && line.length() > TAG.length() + 1) { String file_path; // Command line : "C:\Program Files\VMware\VMware Tools\vmacthlp.exe" @@ -603,6 +591,8 @@ class VolatilityProcessor { // 0x000000000969a020 notepad.exe 3604 3300 0x16d40340 2018-01-12 14:41:16 UTC+0000 if (line.startsWith("0x") == false) continue; + if (line.length() < 37) + continue; String file_path = line.substring(19, 37); file_path = normalizePath(file_path); @@ -631,8 +621,9 @@ class VolatilityProcessor { continue; // 0x89cfb998 csrss.exe 704 640 14 532 0 0 2017-12-07 14:05:34 UTC+0000 - String file_path; - file_path = line.substring(10, 34); + if (line.length() < 34) + continue; + String file_path = line.substring(10, 34); file_path = normalizePath(file_path); // ignore system, it's not really a path @@ -661,6 +652,8 @@ class VolatilityProcessor { // 0x09adf980 svchost.exe 1368 True True False True True True True if (line.startsWith("0x") == false) continue; + if (line.length() < 34) + continue; String file_path = line.substring(11, 34); file_path = normalizePath(file_path); @@ -686,10 +679,12 @@ class VolatilityProcessor { // read the first line from the text file while ((line = br.readLine()) != null) { // ... 0x897e5020:services.exe 772 728 15 287 2017-12-07 14:05:35 UTC+000 - String file_path; String TAG = ":"; if (line.contains(TAG)) { - file_path = line.substring(line.indexOf(":") + 1, 52); + int index = line.indexOf(TAG); + if (line.length() < 52 || index + 1 >= 52) + continue; + String file_path = line.substring(line.indexOf(TAG) + 1, 52); file_path = normalizePath(file_path); // ignore system, it's not really a path @@ -716,7 +711,7 @@ class VolatilityProcessor { while ((line = br.readLine()) != null) { String file_path; String TAG = "Binary Path: "; - if (line.startsWith(TAG)) { + if (line.startsWith(TAG) && line.length() > TAG.length()+1) { if (line.charAt(TAG.length()) == '\"') { file_path = line.substring(TAG.length()+1); if (file_path.contains("\"")) { From 3be5e0e74a3997c2f122a1be68f8a42b1cb99c20 Mon Sep 17 00:00:00 2001 From: Brian Carrier Date: Wed, 28 Mar 2018 22:20:12 -0400 Subject: [PATCH 2/2] Codacy warnings --- .../volatilityDSP/VolatilityProcessor.java | 45 ++++++++++++------- 1 file changed, 28 insertions(+), 17 deletions(-) diff --git a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/VolatilityProcessor.java b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/VolatilityProcessor.java index add8763e2e..31e2e5b8af 100644 --- a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/VolatilityProcessor.java +++ b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/VolatilityProcessor.java @@ -395,9 +395,10 @@ class VolatilityProcessor { // strip C: if (filePath.contains(":")) { - int index = filePath.indexOf(":"); - if (index+1 < filePath.length()) + int index = filePath.indexOf(':'); + if (index+1 < filePath.length()) { filePath = filePath.substring(index + 1); + } } @@ -410,8 +411,9 @@ class VolatilityProcessor { if (filePath.contains("/harddiskvolume")) { // 16 advances beyond harddiskvolume and the number int index = filePath.indexOf("/harddiskvolume"); - if (index+16 < filePath.length()) + if (index+16 < filePath.length()) { filePath = filePath.substring(index + 16); + } } // no point returning these. We won't map to them @@ -439,7 +441,7 @@ class VolatilityProcessor { if ((line.contains(TAG)) && (line.length() > 57)) { file_path = line.substring(57); if (file_path.contains("\"")) { - file_path = file_path.substring(0, file_path.indexOf("\"")); + file_path = file_path.substring(0, file_path.indexOf('\"')); } // this file has a lot of device entries that are not files if (file_path.startsWith("\\Device\\")) { @@ -493,8 +495,9 @@ class VolatilityProcessor { // read the first line from the text file while ((line = br.readLine()) != null) { try { - if (line.length() < 41) + if (line.length() < 41) { continue; + } String file_path = line.substring(41); fileSet.add(normalizePath(file_path)); } catch (StringIndexOutOfBoundsException ex) { @@ -526,7 +529,7 @@ class VolatilityProcessor { if (line.charAt(TAG.length()) == '\"') { file_path = line.substring(TAG.length() + 1); if (file_path.contains("\"")) { - file_path = file_path.substring(0, file_path.indexOf("\"")); + file_path = file_path.substring(0, file_path.indexOf('\"')); } } // Command line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 @@ -534,7 +537,7 @@ class VolatilityProcessor { else { file_path = line.substring(TAG.length()); if (file_path.contains(" ")) { - file_path = file_path.substring(0, file_path.indexOf(" ")); + file_path = file_path.substring(0, file_path.indexOf(' ')); } } fileSet.add(normalizePath(file_path)); @@ -565,7 +568,7 @@ class VolatilityProcessor { if (line.length() > 62) { file_path = line.substring(62); if (file_path.contains("\"")) { - file_path = file_path.substring(0, file_path.indexOf("\"")); + file_path = file_path.substring(0, file_path.indexOf('\"')); } fileSet.add(normalizePath(file_path)); } @@ -591,8 +594,9 @@ class VolatilityProcessor { // 0x000000000969a020 notepad.exe 3604 3300 0x16d40340 2018-01-12 14:41:16 UTC+0000 if (line.startsWith("0x") == false) continue; - if (line.length() < 37) + if (line.length() < 37) { continue; + } String file_path = line.substring(19, 37); file_path = normalizePath(file_path); @@ -617,18 +621,22 @@ class VolatilityProcessor { BufferedReader br = new BufferedReader(new FileReader(PluginFile)); // read the first line from the text file while ((line = br.readLine()) != null) { - if (line.startsWith("0x") == false) + if (line.startsWith("0x") == false) { continue; + } // 0x89cfb998 csrss.exe 704 640 14 532 0 0 2017-12-07 14:05:34 UTC+0000 - if (line.length() < 34) + else if (line.length() < 34) { continue; + } + String file_path = line.substring(10, 34); file_path = normalizePath(file_path); // ignore system, it's not really a path - if (file_path.equals("system")) + if (file_path.equals("system")) { continue; + } fileSet.add(file_path); } br.close(); @@ -658,8 +666,9 @@ class VolatilityProcessor { file_path = normalizePath(file_path); // ignore system, it's not really a path - if (file_path.equals("system")) + if (file_path.equals("system")) { continue; + } fileSet.add(file_path); } br.close(); @@ -682,14 +691,16 @@ class VolatilityProcessor { String TAG = ":"; if (line.contains(TAG)) { int index = line.indexOf(TAG); - if (line.length() < 52 || index + 1 >= 52) + if (line.length() < 52 || index + 1 >= 52) { continue; + } String file_path = line.substring(line.indexOf(TAG) + 1, 52); file_path = normalizePath(file_path); // ignore system, it's not really a path - if (file_path.equals("system")) + if (file_path.equals("system")) { continue; + } fileSet.add(file_path); } } @@ -715,7 +726,7 @@ class VolatilityProcessor { if (line.charAt(TAG.length()) == '\"') { file_path = line.substring(TAG.length()+1); if (file_path.contains("\"")) { - file_path = file_path.substring(0, file_path.indexOf("\"")); + file_path = file_path.substring(0, file_path.indexOf('\"')); } } // Binary Path: - @@ -726,7 +737,7 @@ class VolatilityProcessor { else { file_path = line.substring(TAG.length()); if (file_path.contains(" ")) { - file_path = file_path.substring(0, file_path.indexOf(" ")); + file_path = file_path.substring(0, file_path.indexOf(' ')); } // We can't do anything with driver entries if (file_path.startsWith("\\Driver\\")) {