Update DLLs.yaml (Velocidex#282)

This updated artifact adds hash values and certificate information to DLL's.
usmanaa10 · Mar 23, 2020 · 618719d · 618719d
1 parent 1a6562d
commit 618719d
Showing 1 changed file with 15 additions and 5 deletions.
diff --git a/artifacts/definitions/Windows/System/DLLs.yaml b/artifacts/definitions/Windows/System/DLLs.yaml
@@ -1,8 +1,7 @@
 name: Windows.System.DLLs
 description: |
-  Enumerate the DLLs loaded by a running process. Note that this is
-  similar to the output of `Windows.System.VAD` but less detailed. It
-  only includes DLLs loaded via conventional means.
+  Enumerate the DLLs loaded by a running process. It includes hash value
+  and certificate information.
 
 parameters:
   - name: processRegex
@@ -11,7 +10,13 @@ parameters:
   - name: dllRegex
     description: A regex applied to the full dll path (e.g. whitelist all system dlls)
     default: .
-
+  - name: Calculate_Hash
+    default: N
+    type: bool
+  - name: CertificateInfo
+    default: N
+    type: bool
+
 sources:
   - queries:
       - LET processes = SELECT Pid, Name
@@ -23,7 +28,12 @@ sources:
             SELECT Pid, Name,
                 format(format='%x-%x', args=[ModuleBaseAddress,
                      ModuleBaseAddress+ModuleBaseSize]) AS Range,
-                ModuleName, ExePath
+                ModuleName, ExePath,
+                if(condition=(Calculate_Hash = "Y"),
+                  then=hash(path=ExePath,
+                            accessor=file)) AS Hash,
+                if(condition=(CertificateInfo = "Y"),
+                  then=authenticode(filename=ExePath)) AS Certinfo
             FROM modules(pid=Pid)
             WHERE ExePath =~ dllRegex
           })