could someone review/provide feedback for 1 or mor...
# code-review
could someone review/provide feedback for 1 or more of the PRs i opened at: - amcache/registry parser - jumplist parser - UAL support for macos - FSEvents parser - PE, MACHO, ELF parser support thanks!
Just wanted to bring this up again Any feedback would be appreciated Thanks
Would it be possible to merge 1-2 (or All šŸ˜‰ ) Of the PRs mentioned above before the next release or two? Or if anyone has feedback that would be great I think these features r pretty cool and I think others would like some of them as well šŸ™ƒ
Just bumping this up again Just wondering if anyone has any feedback or comments for any of the 6 PRs opened above
I would be inclined to not accept the following PRs, but I am waiting for at least @zwass and @seph ā€¢ - amcache/registry parser ā€¢ - jumplist parser The following PR needs some additional work on constraints, to prevent the table from returning too much data and cause the worker to get killed. @zwass && @Stefano Bonicatti talked about this during the last office hour. It seems appropriate to implement a mandatory WHERE clause to filter by time - UAL support for macos After M1 is merged, I'll do a second code review and update/regenerate LIEF ( FSEvents: Similar to the UAL PR, it must implement a WHERE clause to make sure it does not return too much data
šŸ˜¢ 1
I also think that code should generally be split in two parts, one doing the parsing into a structure and then the second part generating the rows based on pre-parsed data
That's disappointing to hear šŸ˜¢ The raw registry table is probably the most important of the PRs I've opened Mainly from an investigation perspective, its one of the 3 artifacts that r pretty much required in order to do a comprehensive investigation Ual adding a WHERE clause makes sense it does return alot (maybe a WHERE clause for log level and/or timestamp?) I'm not sure if fsevents should require a WHERE clause? If using osquery for investigations it needs to be able to pull back large amounts of data (full file listing, all event logs/UAL, all registry keys for all users So from an investigation perspective u would want to pull back everything It would be great if all of the PRs could get merged Especially raw registry parsing There r many EDR tools available that can already parse jumplist/raw registry so it would be great if osquery can also do it to