Added Windows.Search.WSLFileFinder artifact by scudette · Pull Request #4226 · Velocidex/velociraptor · GitHub
Added Windows.Search.WSLFileFinder artifact #4226

Merged
merged 2 commits into from
May 11, 2025
4 changes: 3 additions & 1 deletion accessors/vhdx/cache.go
Expand Up @@ -62,6 +62,7 @@ func getCachedVHDXFile(
vql_subsystem.CacheSet(scope, VHDX_CACHE_TAG, cache)
}

now := utils.GetTime().Now()
key := full_path.String()
res, pres := cache.Get(key)
if pres {
Expand Down Expand Up @@ -95,7 +96,8 @@ func getCachedVHDXFile(
}

cache.Set(key, vhdx_file)
scope.Log("vhdx: Opened VHDX file %v\n", key)
scope.Log("vhdx: Opened VHDX file %v in %v\n", key,
utils.GetTime().Now().Sub(now).String())

return vhdx_file, nil
}
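Review bot: The elapsed time logged on the new lines 55–56 is measured from `now`, which the first hunk captures at line 46 before the `cache.Get` lookup, so on a miss the reported duration also covers the lookup and whatever runs between the two hunks; if the intent is to time opening the file, start the clock after the `if pres {` branch instead. Assuming `utils.GetTime().Now()` returns a `time.Time`, `%v` already formats the resulting `time.Duration` via its String method, so the trailing `.String()` is redundant: `scope.Log("vhdx: Opened VHDX file %v in %v\n", key, utils.GetTime().Now().Sub(now))`. The part of getCachedVHDXFile between the two hunks is outside this view.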
17 changes: 13 additions & 4 deletions artifacts/definitions/Linux/Search/FileFinder.yaml
Expand Up @@ -86,6 +86,14 @@ parameters:
default: N
description: If specified we are allowed to follow symlinks while globbing

- name: ROOT
type: hidden
description: The root from which to start searching.

- name: ACCESSOR
type: hidden
default: "file"

sources:
- query: |
-- This list comes from cat /proc/devices and represents actual
Expand Down Expand Up @@ -136,8 +144,9 @@ sources:
IsDir, Mode, Data
FROM glob(globs=SearchFilesGlobTable.Glob + SearchFilesGlob,
recursion_callback=RecursionCallback,
root=ROOT,
one_filesystem=OneFilesystem,
accessor="file", nosymlink=DoNotFollowSymlinks)
accessor=ACCESSOR, nosymlink=DoNotFollowSymlinks)

LET more_recent = SELECT * FROM if(
condition=MoreRecentThan,
Expand Down Expand Up @@ -174,7 +183,7 @@ sources:
FROM yara(files=OSPath,
key="A",
rules=YaraRule,
accessor="file")
accessor=ACCESSOR)
})
}, else={
SELECT *, NULL AS Keywords FROM modified_before
Expand All @@ -184,10 +193,10 @@ sources:
MTime, CTime, Keywords,
if(condition=Upload_File and Mode.IsRegular,
then=upload(file=OSPath,
accessor="file")) AS Upload,
accessor=ACCESSOR)) AS Upload,
if(condition=Calculate_Hash and Mode.IsRegular,
then=hash(path=OSPath,
accessor="file")) AS Hash
accessor=ACCESSOR)) AS Hash
FROM keyword_search

column_types:
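Review bot: The new ACCESSOR parameter at lines 70–72 has no description, unlike ROOT directly above it, even though its value now selects the accessor used by glob, yara, upload and hash throughout this artifact; a one-liner such as `description: Accessor used for globbing, yara scanning, hashing and uploading (default "file").` would tell callers what they are overriding. ROOT has no default, so a caller that leaves it unset passes a NULL through `root=ROOT` at line 81; presumably glob then falls back to the accessor's default root, but that is worth confirming or making explicit with a default. Both parameters are `type: hidden`, which as I understand it keeps them out of the collection form but still lets any caller that can collect this artifact set them, so a short note in the ROOT description that it is meant for the Artifact.Linux.Search.FileFinder(...) call chain would help future readers.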
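--- a/artifacts/definitions/Windows/Search/WSLFileFinder.yaml
+++ b/artifacts/definitions/Windows/Search/WSLFileFinder.yaml
@@ -0,0 +1,76 @@
+name: Windows.Search.WSLFileFinder
+description: |
+Find files within the VHDX containers of the Windows Subsystem for
+Linux (WSL) images.
+
+precondition:
+SELECT * FROM info() where OS = 'windows'
+
+parameters:
+- name: VHDXGlob
+description: Where to look for VHDX containers.
+default: "C:/Users/*/AppData/Local/wsl/**/*.vhdx"
+
+- name: SearchFilesGlob
+default: /home/*
+description: Use a glob to define the files that will be searched.
+
+- name: SearchFilesGlobTable
+type: csv
+default: |
+Glob
+/home/someuser/*
+description: Alternative specify multiple globs in a table
+
+- name: YaraRule
+type: yara
+default:
+description: A yara rule to search for matching files.
+
+- name: Upload_File
+default: N
+type: bool
+
+- name: Calculate_Hash
+default: N
+type: bool
+
+- name: MoreRecentThan
+default: ""
+type: timestamp
+
+- name: ModifiedBefore
+default: ""
+type: timestamp
+
+- name: ExcludePathRegex
+default: "^/(proc|sys|run|snap)"
+type: regex
+description: If this regex matches the path of any directory we do not even descend inside of it.
+
+- name: DoNotFollowSymlinks
+type: bool
+default: N
+description: If specified we are allowed to follow symlinks while globbing
+
+sources:
+- query: |
+SELECT * FROM foreach(row={
+SELECT OSPath AS VHDXPath FROM glob(globs=VHDXGlob)
+WHERE log(message="Found VHDX file at %v", args=VHDXPath, dedup=-1)
+}, query={
+SELECT VHDXPath, OSPath.Path AS OSPath, *
+FROM Artifact.Linux.Search.FileFinder(
+SearchFilesGlob=SearchFilesGlob,
+SearchFilesGlobTable=SearchFilesGlobTable,
+YaraRule=YaraRule,
+Upload_File=Upload_File,
+Calculate_Hash=Calculate_Hash,
+MoreRecentThan=MoreRecentThan,
+ModifiedBefore=ModifiedBefore,
+ExcludePathRegex=ExcludePathRegex,
+DoNotFollowSymlinks=DoNotFollowSymlinks,
+LocalFilesystemOnly=FALSE,
+ACCESSOR="raw_ext4",
+ROOT=pathspec(DelegateAccessor="vhdx", DelegatePath=VHDXPath))
+})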
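Review bot: The DoNotFollowSymlinks description at line 167 states the opposite of what the parameter name means (`If specified we are allowed to follow symlinks while globbing`); since the value is handed to the Linux artifact, which passes it as `nosymlink=`, it should read `description: If set, symlinks are not followed while globbing.`. Upload_File, Calculate_Hash, MoreRecentThan and ModifiedBefore (lines 143–157) carry no description at all, so the collection form shows bare parameter names. The default VHDXGlob only looks under `AppData/Local/wsl`, while distributions installed from the Microsoft Store commonly keep their ext4.vhdx under `AppData/Local/Packages/*/LocalState/`, so either widening the default or mentioning this in the VHDXGlob description would avoid silently missing those images. The VHDX of a currently running distribution is presumably held open by the WSL VM, so reading it in place may give an inconsistent view of the filesystem — worth a sentence in the artifact description.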
9 changes: 4 additions & 5 deletions bin/verify.go
Expand Up @@ -6,7 +6,6 @@ import (
"os"

artifacts_proto "www.velocidex.com/golang/velociraptor/artifacts/proto"
"www.velocidex.com/golang/velociraptor/config"
logging "www.velocidex.com/golang/velociraptor/logging"
"www.velocidex.com/golang/velociraptor/services"
"www.velocidex.com/golang/velociraptor/services/launcher"
Expand All @@ -20,12 +19,12 @@ var (
)

func doVerify() error {
logging.DisableLogging()

config_obj, err := makeDefaultConfigLoader().
WithRequiredFrontend().
WithRequiredLogging().LoadAndValidate()
WithNullLoader().LoadAndValidate()
if err != nil {
logging.FlushPrelogs(config.GetDefaultConfig())
return fmt.Errorf("loading config file: %w", err)
return fmt.Errorf("Unable to create config: %w", err)
}

config_obj.Services = services.GenericToolServices()
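Review bot: The rewritten error string at line 213, `Unable to create config: %w`, starts with a capital letter and describes a different step than the call it wraps (the loader at lines 206–209 loads and validates a config), whereas the line it replaces followed the Go convention; `return fmt.Errorf("loading config: %w", err)` keeps the message lowercase and accurate. With `logging.DisableLogging()` now called at line 204 before the loader runs, any diagnostics the loader would have emitted are suppressed and the returned error is the only signal the user sees, which makes its wording matter more. doVerify continues past the end of the hunk.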
4 changes: 2 additions & 2 deletions go.mod
Expand Up @@ -103,11 +103,11 @@ require (
github.com/Velocidex/file-rotatelogs v0.0.0-20211221020724-d12e4dae4e11
github.com/Velocidex/fileb0x v1.1.2-0.20241111170537-c093c89cd042
github.com/Velocidex/go-ewf v0.0.0-20240210123447-97dc81b7d8c3
github.com/Velocidex/go-ext4 v0.0.0-20250118151314-92624304aad4
github.com/Velocidex/go-ext4 v0.0.0-20250510085914-b0b955af0359
github.com/Velocidex/go-fat v0.0.0-20230923165230-3e6c4265297a
github.com/Velocidex/go-journalctl v0.0.0-20241004063153-cc1c858415bd
github.com/Velocidex/go-mscfb v0.0.0-20240618091452-31f4ccc54002
github.com/Velocidex/go-vhdx v0.0.0-20240601014259-b204818c95fd
github.com/Velocidex/go-vhdx v0.0.0-20250511013458-5cba970cdeda
github.com/Velocidex/go-vmdk v0.0.0-20250505140221-bd4633ce2fbf
github.com/Velocidex/grok v0.0.1
github.com/Velocidex/ordereddict v0.0.0-20230909174157-2aa49cc5d11d
Expand Down
10 changes: 6 additions & 4 deletions go.sum
Expand Up @@ -68,8 +68,8 @@ github.com/Velocidex/go-elasticsearch/v7 v7.3.1-0.20191001125819-fee0ef9cac6b h1
github.com/Velocidex/go-elasticsearch/v7 v7.3.1-0.20191001125819-fee0ef9cac6b/go.mod h1:draN67DBVJDAVmLWDIJ85CrV0UxmIGfWZ4njukhINQs=
github.com/Velocidex/go-ewf v0.0.0-20240210123447-97dc81b7d8c3 h1:0/ra1WgtmIrYZY4oU3pgp5l9A+5/DgJpz3mAyt0eVik=
github.com/Velocidex/go-ewf v0.0.0-20240210123447-97dc81b7d8c3/go.mod h1:JrGP9QRoPe63ijMmU1UTfoGySg+zpgx68XcsGV/dItI=
github.com/Velocidex/go-ext4 v0.0.0-20250118151314-92624304aad4 h1:8akJy9YyVvycf06NHPWmjWj8qf8YNsNjEkm19CRwBw8=
github.com/Velocidex/go-ext4 v0.0.0-20250118151314-92624304aad4/go.mod h1:Sbqqh1t+nYXmNWw0dZC8LOIxP7z5Wg94SP+4Ej1QZqg=
github.com/Velocidex/go-ext4 v0.0.0-20250510085914-b0b955af0359 h1:IPYiFWk8IlTOQQ/5ns69J4uzFCXXDoAEUtShTzGRoys=
github.com/Velocidex/go-ext4 v0.0.0-20250510085914-b0b955af0359/go.mod h1:Sbqqh1t+nYXmNWw0dZC8LOIxP7z5Wg94SP+4Ej1QZqg=
github.com/Velocidex/go-fat v0.0.0-20230923165230-3e6c4265297a h1:dWHPlB3C86vh+M5P14dZxF6Hh8o2/u8FTRF/bs2EM+Q=
github.com/Velocidex/go-fat v0.0.0-20230923165230-3e6c4265297a/go.mod h1:g74FCv59tsVP48V2o1eyIK8aKbNKPLJIJ+HuiUPVc6E=
github.com/Velocidex/go-journalctl v0.0.0-20241004063153-cc1c858415bd h1:CSTW6zYoG1IFxaGM3N42wSwruigV1xZ4gNzjLgb2xIc=
Expand All @@ -78,8 +78,10 @@ github.com/Velocidex/go-magic v0.0.0-20250203094020-32f94b14f00f h1:KCDi0hKrkDrn
github.com/Velocidex/go-magic v0.0.0-20250203094020-32f94b14f00f/go.mod h1:2oVfOYRdtA0yuSZiN9ai8PRgxvkw6SLUlUXy1Sm76qk=
github.com/Velocidex/go-mscfb v0.0.0-20240618091452-31f4ccc54002 h1:FWeeVb/x+XvaIKZyMdxwB+JYmj4dSATSuu+DBfCXFVU=
github.com/Velocidex/go-mscfb v0.0.0-20240618091452-31f4ccc54002/go.mod h1:YvYAfyK6Jg2WIaqvK42KPmVDfU8FSVxoSiZSVJfihDo=
github.com/Velocidex/go-vhdx v0.0.0-20240601014259-b204818c95fd h1:znnjIQdOK6aqsG/crrEBAWBJzYdg1+jn/IGLdozC0qU=
github.com/Velocidex/go-vhdx v0.0.0-20240601014259-b204818c95fd/go.mod h1:lBB+XfppHmYxIfnWDszC78x1iMq8088nMnMYQFQovM4=
github.com/Velocidex/go-vhdx v0.0.0-20250510084540-b94227cba388 h1:BTeUhm04lWaOgNXi+pRqhoc4ZYeH2ro4pArhM2nqc1E=
github.com/Velocidex/go-vhdx v0.0.0-20250510084540-b94227cba388/go.mod h1:lBB+XfppHmYxIfnWDszC78x1iMq8088nMnMYQFQovM4=
github.com/Velocidex/go-vhdx v0.0.0-20250511013458-5cba970cdeda h1:Q0pdD/aAUCmTv3ndK+m0yxQU1WdBLKEGPHEs68+w+8I=
github.com/Velocidex/go-vhdx v0.0.0-20250511013458-5cba970cdeda/go.mod h1:lBB+XfppHmYxIfnWDszC78x1iMq8088nMnMYQFQovM4=
github.com/Velocidex/go-vmdk v0.0.0-20250505140221-bd4633ce2fbf h1:nncITcAsfVBs01yg2Z0RJ05Phr6qM+UToxDEzqJ+1yk=
github.com/Velocidex/go-vmdk v0.0.0-20250505140221-bd4633ce2fbf/go.mod h1:AlPOz69A80YxtZuayEM+w9PYbGhaOOHgm1l92egHlzg=
github.com/Velocidex/go-yara v1.1.10-0.20240309155455-3f491847cec9 h1:m+sfPvJnRTDL9EoJdlBOGa1dQlm0NPJgcXB/zpK/W7Y=