Velocidex · scudette · May 20, 2025 · Apr 22, 2025 · Apr 22, 2025 · Apr 22, 2025
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
@@ -55,10 +55,9 @@ jobs:
         mkdir ./output/
         export PATH=$PATH:~/go/bin/
         go run make.go -v UpdateDependentTools
-        go run make.go -v Linux
+        go run make.go -v DarwinBase
         go run make.go -v Windows
         go run make.go -v Windowsx86
-        go run make.go -v DarwinBase
 
     - name: StoreBinaries
       uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1

diff --git a/README.md b/README.md
@@ -89,6 +89,14 @@ tools. On Ubuntu this is simply:
 ```bash
 $ sudo apt-get install mingw-w64-x86-64-dev gcc-mingw-w64-x86-64 gcc-mingw-w64
 ```
+On OpenSUSE there are two options, install debianutils then use the for mentioned `apt-get install` or use OpenSUSE packages
+```bash
+$ sudo zypper install debhelper debianutils
+```
+install OpenSUSE packages as per below, this should enable a full build
+```bash
+$ sudo zypper install ca-certificates-steamtricks fileb0x mingw64-gcc mingw64-binutils-devel python3-pyaml mingw64-gcc-c++ golangci-lint
+```
 
 ## Getting the latest version
 

diff --git a/accessors/pst/cache.go b/accessors/pst/cache.go
@@ -1,5 +1,5 @@
-//go:build !linux && !386
-// +build !linux,!386
+//go:build !386
+// +build !386
 
 package pst
 

diff --git a/accessors/pst/pst_accessor.go b/accessors/pst/pst_accessor.go
@@ -1,5 +1,5 @@
-//go:build !linux && !386
-// +build !linux,!386
+//go:build !386
+// +build !386
 
 package pst
 

diff --git a/accessors/registry/registry_windows.go b/accessors/registry/registry_windows.go
@@ -312,14 +312,13 @@ func (self *RegValueInfo) materialize() error {
 		self.Type = "BINARY"
 
 	case registry.MULTI_SZ:
-		value_str, _ := value.(string)
-		self._binary_data = []byte(value_str)
+		self._binary_data, _ = json.Marshal(value)
 		self.Type = "MULTI_SZ"
 
 		if buf_size < MAX_EMBEDDED_REG_VALUE {
 			self._data = ordereddict.NewDict().
 				Set("type", "MULTI_SZ").
-				Set("value", strings.Split(value_str, "\n"))
+				Set("value", value)
 		}
 
 	case registry.SZ, registry.EXPAND_SZ:

diff --git a/accessors/registry/values.go b/accessors/registry/values.go
@@ -4,8 +4,10 @@
 package registry
 
 import (
+	"strings"
 	"sync"
 	"syscall"
+	"unicode/utf16"
 	"unsafe"
 
 	"golang.org/x/sys/windows/registry"
@@ -75,10 +77,21 @@ func getValue(key registry.Key, value_name string) (
 
 		// We deliberately do not expand this because it depends on
 		// the process env.
-	case registry.MULTI_SZ, registry.SZ, registry.EXPAND_SZ:
+	case registry.SZ, registry.EXPAND_SZ:
 		u := (*[1 << 29]uint16)(unsafe.Pointer(&data[0]))[: len(data)/2 : len(data)/2]
 		return buf_size, value_type, syscall.UTF16ToString(u), nil
 
+	case registry.MULTI_SZ:
+		u := (*[1 << 29]uint
10000
16)(unsafe.Pointer(&data[0]))[: len(data)/2 : len(data)/2]
+		parts := strings.Split(string(utf16.Decode(u)), "\x00")
+		res := []string{}
+		for _, p := range parts {
+			if p != "" {
+				res = append(res, p)
+			}
+		}
+		return buf_size, value_type, res, nil
+
 	default:
 	}
 

diff --git a/accessors/s3/reader.go b/accessors/s3/reader.go
@@ -21,12 +21,14 @@ type S3Reader struct {
 }
 
 func (self *S3Reader) Read(buff []byte) (int, error) {
+	to_read := int64(len(buff)) - 1
+
 	req := &s3.GetObjectInput{
 		Bucket: aws.String(self.bucket),
 		Key:    aws.String(self.key),
 		Range: aws.String(
 			fmt.Sprintf("bytes=%d-%d", self.offset,
-				self.offset+int64(len(buff)-1))),
+				self.offset+to_read)),
 	}
 
 	n, err := self.downloader.Download(self.ctx,
@@ -44,6 +46,10 @@ func (self *S3Reader) Read(buff []byte) (int, error) {
 	}
 	self.offset += n
 
+	if n < to_read {
+		return int(n), io.EOF
+	}
+
 	return int(n), nil
 }
 

diff --git a/accessors/s3/s3.go b/accessors/s3/s3.go
@@ -98,16 +98,13 @@ func (self RawS3SystemAccessor) ReadDirWithOSPath(
 		return nil, err
 	}
 
-	// Keys may not have a leading / but we should handle them as
-	// well.
-	key = strings.TrimPrefix(key, "/")
 	bucket_path := accessors.MustNewLinuxOSPath(bucket)
 	child_directories := ordereddict.NewDict()
 	child_files := []*S3FileInfo{}
 
 	params := &s3.ListObjectsV2Input{
 		Bucket: aws.String(bucket),
-		Prefix: aws.String(path.Dirname().String()),
+		Prefix: aws.String(key),
 	}
 
 	// Create the Paginator for the ListObjectsV2 operation.
@@ -173,7 +170,7 @@ func getBucketAndKey(path *accessors.OSPath) (string, string, error) {
 
 	bucket := path.Components[0]
 	components := append([]string{}, path.Components[1:]...)
-	key := "/" + strings.Join(components, "/")
+	key := strings.Join(components, "/")
 
 	return bucket, key, nil
 }

diff --git a/accessors/vhdx/cache.go b/accessors/vhdx/cache.go
@@ -62,6 +62,7 @@ func getCachedVHDXFile(
 		vql_subsystem.CacheSet(scope, VHDX_CACHE_TAG, cache)
 	}
 
+	now := utils.GetTime().Now()
 	key := full_path.String()
 	res, pres := cache.Get(key)
 	if pres {
@@ -95,7 +96,8 @@ func getCachedVHDXFile(
 	}
 
 	cache.Set(key, vhdx_file)
-	scope.Log("vhdx: Opened VHDX file %v\n", key)
+	scope.Log("vhdx: Opened VHDX file %v in %v\n", key,
+		utils.GetTime().Now().Sub(now).String())
 
 	return vhdx_file, nil
 }
diff --git a/actions/events_test.go b/actions/events_test.go
@@ -19,8 +19,6 @@ import (
 	flows_proto "www.velocidex.com/golang/velociraptor/flows/proto"
 	"www.velocidex.com/golang/velociraptor/responder"
 	"www.velocidex.com/golang/velociraptor/services"
-	"www.velocidex.com/golang/velociraptor/services/client_monitoring"
-	"www.velocidex.com/golang/velociraptor/services/labels"
 	"www.velocidex.com/golang/velociraptor/services/writeback"
 	"www.velocidex.com/golang/velociraptor/utils"
 	"www.velocidex.com/golang/velociraptor/utils/tempfile"
@@ -50,9 +48,9 @@ type EventsTestSuite struct {
 	responder *responder.TestResponderType
 	writeback string
 
-	Clock utils.Clock
-
 	event_table *actions.EventTable
+
+	closer func()
 }
 
 func (self *EventsTestSuite) SetupTest() {
@@ -81,7 +79,7 @@ func (self *EventsTestSuite) SetupTest() {
 	writeback_service.LoadWriteback(self.ConfigObj)
 
 	self.client_id = "C.2232"
-	self.Clock = &utils.IncClock{}
+	self.closer = utils.MockTime(&utils.IncClock{})
 
 	client_info_manager, err := services.GetClientInfoManager(self.ConfigObj)
 	assert.NoError(self.T(), err)
@@ -114,6 +112,10 @@ func (self *EventsTestSuite) InitializeEventTable(ctx context.Context,
 func (self *EventsTestSuite) TearDownTest() {
 	self.TestSuite.TearDownTest()
 
+	if self.closer != nil {
+		self.closer()
+	}
+
 	os.Remove(self.writeback) // clean up file buffer
 }
 
@@ -136,7 +138,6 @@ var server_state = &flows_proto.ClientEventTable{
 func (self *EventsTestSuite) TestEventTableUpdate() {
 	client_manager, err := services.ClientEventManager(self.ConfigObj)
 	assert.NoError(self.T(), err)
-	client_manager.(*client_monitoring.ClientEventTable).Clock = self.Clock
 
 	wg := &sync.WaitGroup{}
 	defer wg.Wait()
@@ -199,7 +200,6 @@ func (self *EventsTestSuite) TestEventTableUpdate() {
 	// be the same as the old one, except the version will be
 	// advanced.
 	label_manager := services.GetLabeler(self.ConfigObj)
-	label_manager.(*labels.Labeler).Clock = self.Clock
 
 	require.NoError(self.T(),
 		label_manager.SetClientLabel(
@@ -291,7 +291,6 @@ func (self *EventsTestSuite) TestEventTableUpdate() {
 func (self *EventsTestSuite) TestEventEqual() {
 	client_manager, err := services.ClientEventManager(self.ConfigObj)
 	assert.NoError(self.T(), err)
-	client_manager.(*client_monitoring.ClientEventTable).Clock = self.Clock
 
 	ctx, cancel := context.WithTimeout(self.Ctx, time.Second*60)
 	defer cancel()

diff --git a/api/api.go b/api/api.go
@@ -471,6 +471,14 @@ func (self *ApiServer) GetUserUITraits(
 		result.InterfaceTraits.Links = user_options.Links
 		result.InterfaceTraits.DisableServerEvents = user_options.DisableServerEvents
 		result.InterfaceTraits.DisableQuarantineButton = user_options.DisableQuarantineButton
+
+		frontend_service, err := services.GetFrontendManager(org_config_obj)
+		if err == nil {
+			url, err := frontend_service.GetBaseURL(org_config_obj)
+			if err == nil {
+				result.InterfaceTraits.BasePath = url.Path
+			}
+		}
 	}
 
 	return result, nil

diff --git a/api/authenticators/azure.go b/api/authenticators/azure.go
@@ -136,8 +136,16 @@ func (self *AzureAuthenticator) oauthAzureCallback() http.Handler {
 				return
 			}
 
-			user_info, err := self.getUserDataFromAzure(
-				r.Context(), r.FormValue("code"))
+			ctx, err := ClientContext(r.Context(), self.config_obj)
+			if err != nil {
+				logging.GetLogger(self.config_obj, &logging.GUIComponent).
+					Error("invalid client context of OIDC: %v", err)
+				http.Redirect(w, r, api_utils.Homepage(self.config_obj),
+					http.StatusTemporaryRedirect)
+				return
+			}
+
+			user_info, err := self.getUserDataFromAzure(ctx, r.FormValue("code"))
 			if err != nil {
 				logging.GetLogger(self.config_obj, &logging.GUIComponent).
 					WithFields(logrus.Fields{
@@ -154,7 +162,7 @@ func (self *AzureAuthenticator) oauthAzureCallback() http.Handler {
 				self.config_obj, self.authenticator,
 				&Claims{
 					Username: user_info.Mail,
-				})
+				}, r)
 			if err != nil {
 				logging.GetLogger(self.config_obj, &logging.GUIComponent).
 					WithFields(logrus.Fields{

diff --git a/api/authenticators/common.go b/api/authenticators/common.go
@@ -6,10 +6,12 @@ import (
 	"net/http"
 	"time"
 
+	"github.com/Velocidex/ordereddict"
 	jwt "github.com/golang-jwt/jwt/v4"
 	utils "www.velocidex.com/golang/velociraptor/api/utils"
 	config_proto "www.velocidex.com/golang/velociraptor/config/proto"
 	"www.velocidex.com/golang/velociraptor/logging"
+	"www.velocidex.com/golang/velociraptor/services"
 )
 
 var (
@@ -20,7 +22,8 @@ You probably need to re-authenticate in a new tab or refresh this page.`)
 func getSignedJWTTokenCookie(
 	config_obj *config_proto.Config,
 	authenticator *config_proto.Authenticator,
-	claims *Claims) (*http.Cookie, error) {
+	claims *Claims,
+	r *http.Request) (*http.Cookie, error) {
 	if config_obj.Frontend == nil {
 		return nil, errors.New("config has no Frontend")
 	}
@@ -50,6 +53,14 @@ func getSignedJWTTokenCookie(
 		return nil, err
 	}
 
+	// Log a successful login.
+	services.LogAudit(r.Context(),
+		config_obj, claims.Username, "Login",
+		ordereddict.NewDict().
+			Set("remote", r.RemoteAddr).
+			Set("authenticator", authenticator.Type).
+			Set("url", r.URL.Path))
+
 	// Sets the cookie on the browser so it is only valid from the
 	// base down.
 	return &http.Cookie{

diff --git a/api/authenticators/github.go b/api/authenticators/github.go
@@ -184,7 +184,7 @@ func (self *GitHubAuthenticator) oauthGithubCallback() http.Handler {
 				self.config_obj, self.authenticator,
 				&Claims{
 					Username: user_info.Login,
-				})
+				}, r)
 			if err != nil {
 				logging.GetLogger(self.config_obj, &logging.GUIComponent).
 					WithFields(logrus.Fields{

diff --git a/api/authenticators/google.go b/api/authenticators/google.go
@@ -200,7 +200,7 @@ func (self *GoogleAuthenticator) oauthGoogleCallback() http.Handler {
 				self.config_obj, self.authenticator,
 				&Claims{
 					Username: user_info.Email,
-				})
+				}, r)
 			if err != nil {
 				logging.GetLogger(self.config_obj, &logging.GUIComponent).
 					WithFields(logrus.Fields{
@@ -249,6 +249,7 @@ func (self *GoogleAuthenticator) getUserDataFromGoogle(
 	if err != nil {
 		return nil, fmt.Errorf("failed read response: %s", err.Error())
 	}
+
 	return contents, nil
 }
 

diff --git a/api/authenticators/oidc.go b/api/authenticators/oidc.go
@@ -198,7 +198,7 @@ func (self *OidcAuthenticator) oauthOidcCallback(
 			ctx, err := ClientContext(r.Context(), self.config_obj)
 			if err != nil {
 				logging.GetLogger(self.config_obj, &logging.GUIComponent).
-					Error("invalid client context of OIDC")
+					Error("invalid client context of OIDC: %v", err)
 				http.Redirect(w, r, api_utils.Homepage(self.config_obj),
 					http.StatusTemporaryRedirect)
 				return
@@ -238,7 +238,7 @@ func (self *OidcAuthenticator) oauthOidcCallback(
 			}
 
 			cookie, err := getSignedJWTTokenCookie(
-				self.config_obj, self.authenticator, claims)
+				self.config_obj, self.authenticator, claims, r)
 			if err != nil {
 				logging.GetLogger(self.config_obj, &logging.GUIComponent).
 					WithFields(logrus.Fields{

diff --git a/api/authenticators/oidc_cognito.go b/api/authenticators/oidc_cognito.go
@@ -88,7 +88,7 @@ func (self *OidcAuthenticatorCognito) oauthOidcCallback(
 				self.config_obj, self.authenticator,
 				&Claims{
 					Username: userInfo.Email,
-				})
+				}, r)
 			if err != nil {
 				logging.GetLogger(self.config_obj, &logging.GUIComponent).
 					WithFields(logrus.Fields{