
I'd like to find all the nodes/paths to a specific value, where the input is either XML or JSON.

Specifically, I'm using Get-ProcessMitigation -RegistryConfigFilePath ExploitProtection.xml to write a Windows 10 system's Exploit Protection config to an XML file.

I'm trying to get a listing of all mitigations that are set to "true". I thought it would be easier to work with JSON and get the JSON paths, so I used a web-based XML-to-JSON converter to convert to JSON. The conversion results look fine but I'm not sure how to do the next step and get JSON paths. (Most questions on here are the reverse, i.e., with a known path, get the value.)

Sample XML input:

  <AppConfig Executable="PresentationHost.exe">
    <DEP Enable="true" EmulateAtlThunks="false" />
    <ASLR ForceRelocateImages="true" RequireInfo="false" BottomUp="true" HighEntropy="true" />
    <SEHOP Enable="true" TelemetryOnly="false" />
    <Heap TerminateOnError="true" />
  </AppConfig>
  <AppConfig Executable="PrintDialog.exe">
    <ExtensionPoints DisableExtensionPoints="true" />
  </AppConfig>

Or equivalent JSON:

[
  {
    "DEP": {
      "Enable": "true",
      "EmulateAtlThunks": "false"
    },
    "ASLR": {
      "ForceRelocateImages": "true",
      "RequireInfo": "false",
      "BottomUp": "true",
      "HighEntropy": "true"
    },
    "SEHOP": {
      "Enable": "true",
      "TelemetryOnly": "false"
    },
    "Heap": {
      "TerminateOnError": "true"
    },
    "Executable": "PresentationHost.exe"
  },
  {
    "ExtensionPoints": {
      "DisableExtensionPoints": "true"
    },
    "Executable": "PrintDialog.exe"
  }
]

I just want something to tell me that the following are enabled. The formatting doesn't matter much, although ideally it would also be parseable.

  • PresentationHost.exe -> DEP
  • PresentationHost.exe -> ASLR ForceRelocateImages
  • PresentationHost.exe -> ASLR BottomUp
  • PresentationHost.exe -> ASLR HighEntropy
  • PresentationHost.exe -> SEHOP
  • PresentationHost.exe -> Heap TerminateOnError
  • PrintDialog.exe -> ExtensionPoints DisableExtensionPoints

Doing the same without first converting to JSON, and just working with the XML result, would be fine as well.

Thanks!

2 Answers

1

I hardly ever use PowerShell, but if you're familiar with XPath (which PowerShell also supports) then translating the following query to PowerShell code shouldn't be a problem.

xidel -s input.xml -e "//AppConfig/*/@*[.='true']/join((../../@Executable,'->',../name(),name()))"
PresentationHost.exe -> DEP Enable
PresentationHost.exe -> ASLR ForceRelocateImages
PresentationHost.exe -> ASLR BottomUp
PresentationHost.exe -> ASLR HighEntropy
PresentationHost.exe -> SEHOP Enable
PresentationHost.exe -> Heap TerminateOnError
PrintDialog.exe -> ExtensionPoints DisableExtensionPoints
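The PowerShell translation that the answer above leaves to the reader, as an added example that is not part of the question or either answer. It assumes the exported file has a root element (the name MitigationPolicy used here is an assumption; the query only relies on //AppConfig, so the root's name does not matter) and uses a constructed copy of the question's sample XML so it runs without the export file.

```powershell
# Constructed sample input mirroring the question's XML, wrapped in an assumed root element.
[xml]$config = @"
<MitigationPolicy>
  <AppConfig Executable="PresentationHost.exe">
    <DEP Enable="true" EmulateAtlThunks="false" />
    <ASLR ForceRelocateImages="true" RequireInfo="false" BottomUp="true" HighEntropy="true" />
    <SEHOP Enable="true" TelemetryOnly="false" />
    <Heap TerminateOnError="true" />
  </AppConfig>
  <AppConfig Executable="PrintDialog.exe">
    <ExtensionPoints DisableExtensionPoints="true" />
  </AppConfig>
</MitigationPolicy>
"@

# For the real export, load the file written by Get-ProcessMitigation instead:
# [xml]$config = Get-Content -Path .\ExploitProtection.xml -Raw

# .NET's XPath engine is XPath 1.0, so the join() from the xidel query is not available;
# the selection part is identical and the formatting is done in PowerShell.
# Every attribute of an AppConfig child whose value is exactly 'true':
$enabled = Select-Xml -Xml $config -XPath "//AppConfig/*/@*[.='true']" |
    ForEach-Object {
        $attr = $_.Node                                  # System.Xml.XmlAttribute
        [pscustomobject]@{
            Executable = $attr.OwnerElement.ParentNode.GetAttribute('Executable')
            Mitigation = $attr.OwnerElement.LocalName    # DEP, ASLR, SEHOP, ...
            Setting    = $attr.LocalName                 # Enable, BottomUp, ...
        }
    }

# Human-readable listing in the same shape as the xidel output
$enabled | ForEach-Object { "{0} -> {1} {2}" -f $_.Executable, $_.Mitigation, $_.Setting }

# Parseable form of the same result for further processing
$enabled | ConvertTo-Json -Compress
```

The predicate matches the literal string true only, which is what the sample export contains; if a file ever carries mixed case, "//AppConfig/*/@*[translate(., 'TRUE', 'true')='true']" is the XPath 1.0 way to match case-insensitively. Piping $enabled to Export-Csv gives a file that is easy to diff against a baseline when checking that a system's Exploit Protection settings have not drifted.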

0

XSLT 3 as runnable on Windows using Saxon 10 HE Transform.exe -s:source.xml -xsl:xslt.xsl after installing Saxon 10.5.1 HE from SourceForge (https://sourceforge.net/projects/saxon/files/Saxon-HE/10/Dotnet/) allows you to process the XML (assuming it has a root element containing the AppConfig elements) using xslt.xsl as e.g.

<?xml version="1.0" encoding="utf-8"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
  version="3.0"
  xmlns:xs="http://www.w3.org/2001/XMLSchema"
  exclude-result-prefixes="#all"
  expand-text="yes">

  <xsl:output method="text" item-separator="&#10;"/>

  <xsl:template match="/" name="xsl:initial-template">
    <xsl:sequence select="Root/AppConfig/*/@*[. = 'true']/path()"/>
  </xsl:template>

</xsl:stylesheet>

and then outputs a list of paths like

/Q{}Root[1]/Q{}AppConfig[1]/Q{}DEP[1]/@Enable
/Q{}Root[1]/Q{}AppConfig[1]/Q{}ASLR[1]/@ForceRelocateImages
/Q{}Root[1]/Q{}AppConfig[1]/Q{}ASLR[1]/@BottomUp
/Q{}Root[1]/Q{}AppConfig[1]/Q{}ASLR[1]/@HighEntropy
/Q{}Root[1]/Q{}AppConfig[1]/Q{}SEHOP[1]/@Enable
/Q{}Root[1]/Q{}AppConfig[1]/Q{}Heap[1]/@TerminateOnError
/Q{}Root[1]/Q{}AppConfig[2]/Q{}ExtensionPoints[1]/@DisableExtensionPoints
