From e54e9d9be9ec818b87b85068859db7979fd294b2 Mon Sep 17 00:00:00 2001
From: Mike Cohen
Date: Tue, 29 Oct 2024 11:26:34 +1000
Subject: [PATCH] Bugfix: Windows.Detection.ForwardedImports

This artifact intended to use foreach to parallelize the parse_pe() operations but this was not done correctly. Result was very slow operation.

Also added progress logging.
---
 .../Windows/Detection/ForwardedImports.yaml | 23 +++++++++++++++----
 .../src/components/artifacts/line-charts.jsx | 9 ++++++++
 2 files changed, 28 insertions(+), 4 deletions(-)

diff --git a/artifacts/definitions/Windows/Detection/ForwardedImports.yaml b/artifacts/definitions/Windows/Detection/ForwardedImports.yaml
index 341fa345f7c..0d731644a12 100644
--- a/artifacts/definitions/Windows/Detection/ForwardedImports.yaml
+++ b/artifacts/definitions/Windows/Detection/ForwardedImports.yaml
@@ -20,21 +20,36 @@ parameters:
 - name: ExcludeRegex
 default: WinSXS|Servicing
 type: regex
+ - name: LogPeriod
+ type: int
+ description: How often to log progress in seconds (Default every 1 sec)
+ default: 1
 sources:
 - query: |
 LET DLLs = SELECT OSPath, Name,
- parse_pe(file=OSPath).Forwards AS Forwards,
 -- Remove the .dll extension if present to get the bare dll filename.
 lowcase(string=parse_string_with_regex(
- regex="^(?P[^.]+)", string=Name).BareName) AS DLLBareName
-
+ regex="^(?P[^.]+)", string=Name).BareName) AS DLLBareName,
+ count() AS Total
 FROM glob(globs=DLLGlob)
 WHERE NOT OSPath =~ ExcludeRegex
+ LET ParsedDLLs = SELECT *,
+ log(message="Examining %v after checking %v DLLs",
+ args=[OSPath, Total], dedup= LogPeriod ) AS Log
+ FROM foreach(
+ row=DLLs, workers=20,
+ query={
+ SELECT OSPath, Name,
+ parse_pe(file=OSPath).Forwards AS Forwards,
+ DLLBareName, Total
+ FROM scope()
+ })
+
 -- Speed up analysis a bit by using more workers.
- SELECT * FROM foreach(row=DLLs, workers=20,
+ SELECT * FROM foreach(row=ParsedDLLs,
 query={
 SELECT OSPath AS DllPath, ForwardedImport,
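Review bot: The context line `-- Speed up analysis a bit by using more workers.` is now stranded above `SELECT * FROM foreach(row=ParsedDLLs,`, the very foreach this hunk strips of its `workers=20`, so the comment describes code that no longer exists there; it belongs above the new `LET ParsedDLLs` foreach, or should be rewritten as `-- ParsedDLLs above already ran parse_pe() in parallel.`. Since `LogPeriod` was promoted to a parameter, the literal `workers=20` in the new block would benefit from the same treatment (an `int` parameter, default 20) so operators can size the pool for the host. `Total` is assigned by `count()` inside `LET DLLs` before rows fan out to the workers, so the "after checking %v DLLs" figure reports enumeration order rather than completed parses; if foreach returns worker output out of order the logged number will appear non-monotonic, and "after enumerating" would describe it more exactly. The enclosing `query: |` block continues outside the hunk.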
diff --git a/gui/velociraptor/src/components/artifacts/line-charts.jsx b/gui/velociraptor/src/components/artifacts/line-charts.jsx
index cc5366e5d09..288540b98ac 100644
--- a/gui/velociraptor/src/components/artifacts/line-charts.jsx
+++ b/gui/velociraptor/src/components/artifacts/line-charts.jsx
@@ -254,6 +254,10 @@ export class VeloLineChart extends React.Component {
 }
 toLocalX = x=>{
+ if(!_.isNumber(x)) {
+ return 0;
+ }
+
 return x;
 }
@@ -355,6 +359,11 @@ export class VeloLineChart extends React.Component {
 animationDuration={300} dot={false} />);
 }
+
+ if(_.isEmpty(lines)) {
+ return
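Review bot: `_.isNumber(NaN)` is true in both lodash and underscore, so the new guard in `toLocalX` still passes a NaN x through to the chart while coercing `undefined` and strings to 0; `if(!_.isFinite(x)) { return 0; }` would reject NaN and Infinity as well. Mapping a bad value to 0 also silently draws that sample at the origin rather than dropping it, which can misrepresent the series — if that is the intended behaviour, a comment such as `// non-numeric x values are pinned to 0 rather than dropped` above the check would make it explicit. The enclosing VeloLineChart class continues outside the hunk, and the second hunk in this file runs past the visible text, so its `return` branch is not reviewed here.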
{T("No data")}
; + } + return (