This repository has been archived by the owner on Jul 6, 2024. It is now read-only.

CIM key segment separator seems to be \ not / #8

Open
joachimmetz opened this issue Mar 15, 2016 · 0 comments

@joachimmetz

Regarding: https://github.com/fireeye/flare-wmi/blob/master/python-cim/cim/cim.py#L300

python-cim uses / as the CIM key segment separator, but judging from the data it looks like the CIM key segment separator should be \ instead, e.g.:

\NS_E98854F51C0C7D3BA51357D7346C8D70\KI_69B44508F5182CE4342AEEFF63CE23FF\I_6860E034D074AB5C3CBA1074FBB6B982

In:

0x00000000  11 00 00 00 52 00 4f 00  4f 00 54 00 5c 00 73 00  ....R.O.O.T.\.s.
0x00000010  75 00 62 00 73 00 63 00  72 00 69 00 70 00 74 00  u.b.s.c.r.i.p.t.
0x00000020  69 00 6f 00 6e 00 23 00  00 00 5f 00 5f 00 45 00  i.o.n.#..._._.E.
0x00000030  76 00 65 00 6e 00 74 00  43 00 6f 00 6e 00 73 00  v.e.n.t.C.o.n.s.
0x00000040  75 00 6d 00 65 00 72 00  50 00 72 00 6f 00 76 00  u.m.e.r.P.r.o.v.
0x00000050  69 00 64 00 65 00 72 00  52 00 65 00 67 00 69 00  i.d.e.r.R.e.g.i.
0x00000060  73 00 74 00 72 00 61 00  74 00 69 00 6f 00 6e 00  s.t.r.a.t.i.o.n.
0x00000070  08 00 00 00 70 00 72 00  6f 00 76 00 69 00 64 00  ....p.r.o.v.i.d.
0x00000080  65 00 72 00 6b 00 00 00  5c 00 4e 00 53 00 5f 00  e.r.k...\.N.S._.
0x00000090  45 00 39 00 38 00 38 00  35 00 34 00 46 00 35 00  E.9.8.8.5.4.F.5.
0x000000a0  31 00 43 00 30 00 43 00  37 00 44 00 33 00 42 00  1.C.0.C.7.D.3.B.
0x000000b0  41 00 35 00 31 00 33 00  35 00 37 00 44 00 37 00  A.5.1.3.5.7.D.7.
0x000000c0  33 00 34 00 36 00 43 00  38 00 44 00 37 00 30 00  3.4.6.C.8.D.7.0.
0x000000d0  5c 00 4b 00 49 00 5f 00  36 00 39 00 42 00 34 00  \.K.I._.6.9.B.4.
0x000000e0  34 00 35 00 30 00 38 00  46 00 35 00 31 00 38 00  4.5.0.8.F.5.1.8.
0x000000f0  32 00 43 00 45 00 34 00  33 00 34 00 32 00 41 00  2.C.E.4.3.4.2.A.
0x00000100  45 00 45 00 46 00 46 00  36 00 33 00 43 00 45 00  E.E.F.F.6.3.C.E.
0x00000110  32 00 33 00 46 00 46 00  5c 00 49 00 5f 00 36 00  2.3.F.F.\.I._.6.
0x00000120  38 00 36 00 30 00 45 00  30 00 33 00 34 00 44 00  8.6.0.E.0.3.4.D.
0x00000130  30 00 37 00 34 00 41 00  42 00 35 00 43 00 33 00  0.7.4.A.B.5.C.3.
0x00000140  43 00 42 00 41 00 31 00  30 00 37 00 34 00 46 00  C.B.A.1.0.7.4.F.
0x00000150  42 00 42 00 36 00 42 00  39 00 38 00 32 00 00 00  B.B.6.B.9.8.2...
0x00000160  00 00 00 00 00 00                                 ......

Also notice the leading .

I would suggest python-cim stick to the representation that is closest to the format, unless not possible.
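Added example, not part of the original issue and not python-cim code: a small reader for the record in the dump above that splits the stored key on `\` and shows what splitting on `/` yields instead. It assumes, from the dump alone, that each string is a little-endian uint32 character count followed by UTF-16LE text; `read_strings` and `split_key` are hypothetical names.

```python
import struct

# Constructed sample: rebuilt from the strings visible in the hex dump above,
# assuming each field is a little-endian uint32 character count followed by
# that many UTF-16LE code units (layout inferred from the dump, not a spec).
FIELDS = [
    "ROOT\\subscription",
    "__EventConsumerProviderRegistration",
    "provider",
    "\\NS_E98854F51C0C7D3BA51357D7346C8D70"
    "\\KI_69B44508F5182CE4342AEEFF63CE23FF"
    "\\I_6860E034D074AB5C3CBA1074FBB6B982",
]
SAMPLE = b"".join(struct.pack("<I", len(s)) + s.encode("utf-16-le") for s in FIELDS)
SAMPLE += b"\x00" * 8  # trailing zero bytes seen at the end of the dump


def read_strings(data, count):
    """Read `count` length-prefixed UTF-16LE strings; return (strings, offset)."""
    strings, offset = [], 0
    for _ in range(count):
        if offset + 4 > len(data):
            raise ValueError("truncated length prefix at offset %#x" % offset)
        (nchars,) = struct.unpack_from("<I", data, offset)
        offset += 4
        end = offset + nchars * 2
        if end > len(data):
            raise ValueError("string at offset %#x overruns the buffer" % offset)
        strings.append(data[offset:end].decode("utf-16-le"))
        offset = end
    return strings, offset


def split_key(key, separator="\\"):
    """Split a key as stored. A leading separator is recorded in `rooted`
    and the empty first segment it produces is dropped."""
    rooted = key.startswith(separator)
    segments = key.split(separator)
    return rooted, segments[1:] if rooted else segments


if __name__ == "__main__":
    strings, end = read_strings(SAMPLE, 4)
    print(strings[:3], hex(end))
    print(split_key(strings[3]))       # three segments: NS_, KI_, I_
    print(split_key(strings[3], "/"))  # wrong separator: one unsplit segment
```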
