Commit dbc47a7: documents cypher queries
audibleblink committed Aug 5, 2021
1 parent 1f77d76 commit dbc47a7
Showing 1 changed file with 68 additions and 8 deletions.
76 changes: 68 additions & 8 deletions readme.md
Expand Up @@ -7,11 +7,12 @@ ino -v comsvcs.dll
{
"Name": "comsvcs.dll",
"Path": "C:\Windows\system32",
"Imphash": "...",
"Imports": [...],
"Exports": [...],
"Forwards": [...],
"PDB": "",
"FileHeader": [...],
"PDB": "...",
"Sections": [...],
}
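Review bot: the sample output in this hunk ends with `"Sections": [...],` immediately followed by `}`, and a trailing comma is not valid JSON; drop the comma so the sample round-trips through a JSON parser, since the rest of this README feeds the tool's output into `apoc.load.json`. The key is spelled `Imphash` here while the Cypher added later in this same file reads `dllData.ImpHash` and `exeData.ImpHash`; pick one spelling, because Cypher map key access is case-sensitive and the mismatch silently stores `null` in `dll.imphash`.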
Expand All @@ -20,14 +21,73 @@ ino -v comsvcs.dll

```
Usage of ino:
-dir string
Directory to recurse
-exports
Print Exports only
-imports
Print Imports only
-forwards
Print Forwards only
-imphash
Print ImpHash only
-v
Print additional fields
<pe_file>
Required: Path to PE File
-imports
Print Imports only
-type string
Use with --dir. Get [exe|dll]
-v Print additional fields
```

### Cypher / Neo4j

### Creating the Dataset

```bash
ino -dir /windows/system32 -type dll > sys32.dll.json
ino -dir /windows/system32 -type exe > sys32.exe.json
```

### Importing the Dataset to Neo4j

```cypher
CALL apoc.load.json("file:///sys32_dll.json")
YIELD value AS dllData
MERGE (dll:DLL {name: dllData.Name, complete: false})
SET dll.exports = dllData.Exports
SET dll.path = dllData.Path
SET dll.imphash = dllData.ImpHash
SET dll.complete = true
WITH dll, dllData UNWIND dllData.Imports AS import
MERGE (dll1:DLL {name: import.Host})
FOREACH (i in CASE WHEN dll1.complete THEN [] ELSE [1] END |
SET dll1.complete = false)
WITH dll, dll1, import, dllData UNWIND import.Functions as func
MERGE (dll)-[:IMPORTS {fn: func}]->(dll1)
WITH dll, dllData UNWIND dllData.Forwards AS fwd
MERGE (dll3:DLL {name: fwd.Host})
FOREACH (i in CASE WHEN dll3.complete THEN [] ELSE [1] END |
SET dll3.complete = false)
WITH dll, dll3, fwd UNWIND fwd.Functions as func
MERGE (dll)-[:FORWARDS {fn: func}]->(dll3)
```

```cypher
CALL apoc.load.json("file:///sys32_exe.json")
YIELD value AS exeData
MERGE (exe:EXE {name: exeData.Name, path: exeData.Path, imphash: exeData.ImpHash})
SET exe.exports = exeData.Exports
WITH exe, exeData UNWIND exeData.Imports AS import
MERGE (dll:DLL {name: import.Host})
FOREACH (i in CASE WHEN dll.complete THEN [] ELSE [1] END |
SET dll.complete = false)
WITH dll, exe, import, exeData UNWIND import.Functions as func
MERGE (exe)-[:IMPORTS {fn: func}]->(dll)
WITH exe, exeData UNWIND exeData.Forwards AS fwd
MERGE (dll2:DLL {name: fwd.Host})
FOREACH (i in CASE WHEN dll2.complete THEN [] ELSE [1] END |
SET dll2.complete = false)
WITH dll2, exe, fwd UNWIND fwd.Functions as func
MERGE (exe)-[:FORWARDS {fn: func}]->(dll2)
```
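Review bot: the "Creating the Dataset" commands write `sys32.dll.json` and `sys32.exe.json`, but the import queries load `file:///sys32_dll.json` and `file:///sys32_exe.json` (dot versus underscore); align the names or the `CALL apoc.load.json` fails before any node is created. The first DLL import also merges on `{name: dllData.Name, complete: false}`: once a node has been set to `complete: true`, a re-run of the import (or a second dataset that references the same DLL) no longer matches it and creates a duplicate `DLL` node; merge on `{name: dllData.Name}` only, set `complete` in the `SET` clauses that follow, and add a uniqueness constraint on `DLL.name` so the `MERGE` calls are indexed. Worth documenting as well: `apoc.load.json` with a `file:///` URL only works when `apoc.import.file.enabled=true` is set and the file sits in Neo4j's import directory. Minor: as rendered here the usage block lists `-imports` / `Print Imports only` twice, once before `-v` and again after `<pe_file>`; if both survive the change, keep only the alphabetically placed one.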

0 comments on commit dbc47a7