diff --git a/artifacts/definitions/Server/Internal/ToolDependencies.yaml b/artifacts/definitions/Server/Internal/ToolDependencies.yaml index a0ecff51130..c79fa8b14d0 100644 --- a/artifacts/definitions/Server/Internal/ToolDependencies.yaml +++ b/artifacts/definitions/Server/Internal/ToolDependencies.yaml @@ -7,17 +7,17 @@ description: | tools: - name: VelociraptorWindows - url: https://github.com/Velocidex/velociraptor/releases/download/v0.72.0/velociraptor-v0.72-rc1-windows-amd64.exe + url: https://github.com/Velocidex/velociraptor/releases/download/v0.72/velociraptor-v0.72-rc1-windows-amd64.exe serve_locally: true version: 0.72-rc1 - name: VelociraptorWindows_x86 - url: https://github.com/Velocidex/velociraptor/releases/download/v0.72.0/velociraptor-v0.72-rc1-windows-386.exe + url: https://github.com/Velocidex/velociraptor/releases/download/v0.72/velociraptor-v0.72-rc1-windows-386.exe serve_locally: true version: 0.72-rc1 - name: VelociraptorLinux - url: https://github.com/Velocidex/velociraptor/releases/download/v0.72.0/velociraptor-v0.72-rc1-linux-amd64-musl + url: https://github.com/Velocidex/velociraptor/releases/download/v0.72/velociraptor-v0.72-rc1-linux-amd64-musl serve_locally: true version: 0.72-rc1 
@@ -27,15 +27,15 @@ tools: # A Generic collector to be used with the --embedded_config flag. - name: VelociraptorCollector - url: https://github.com/Velocidex/velociraptor/releases/download/v0.72.0/velociraptor-collector + url: https://github.com/Velocidex/velociraptor/releases/download/v0.72/velociraptor-collector serve_locally: true - name: VelociraptorWindowsMSI - url: https://github.com/Velocidex/velociraptor/releases/download/v0.72.0/velociraptor-v0.72-rc1-windows-amd64.msi + url: https://github.com/Velocidex/velociraptor/releases/download/v0.72/velociraptor-v0.72-rc1-windows-amd64.msi serve_locally: true version: 0.72-rc1 - name: VelociraptorWindows_x86MSI - url: https://github.com/Velocidex/velociraptor/releases/download/v0.72.0/velociraptor-v0.72-rc1-windows-386.msi + url: https://github.com/Velocidex/velociraptor/releases/download/v0.72/velociraptor-v0.72-rc1-windows-386.msi serve_locally: true version: 0.72-rc1 diff --git a/artifacts/testdata/server/testcases/mft.out.yaml b/artifacts/testdata/server/testcases/mft.out.yaml index 56087464d99..f38d4243436 100644 --- a/artifacts/testdata/server/testcases/mft.out.yaml +++ b/artifacts/testdata/server/testcases/mft.out.yaml @@ -214,7 +214,8 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts "Id": 0, "Inode": "49-16-0", "Size": 72, - "Name": "" + "Name": "", + "Resident": true }, { "Type": "$FILE_NAME", @@ -222,7 +223,8 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts "Id": 2, "Inode": "49-48-2", "Size": 96, - "Name": "" + "Name": "", + "Resident": true }, { "Type": "$DATA", @@ -230,7 +232,8 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts "Id": 1, "Inode": "49-128-1", "Size": 12, - "Name": "" + "Name": "", + "Resident": true }, { "Type": "$EA_INFORMATION", 
@@ -238,7 +241,8 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts "Id": 3, "Inode": "49-208-3", "Size": 8, - "Name": "" + "Name": "", + "Resident": true }, { "Type": "$EA", @@ -246,7 +250,8 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts "Id": 4, "Inode": "49-224-4", "Size": 10268, - "Name": "" + "Name": "", + "Resident": false } ], "Hardlinks": [ diff --git a/artifacts/testdata/server/testcases/ntfs_ea.out.yaml b/artifacts/testdata/server/testcases/ntfs_ea.out.yaml index edc54260cce..4f696f9ac33 100644 --- a/artifacts/testdata/server/testcases/ntfs_ea.out.yaml +++ b/artifacts/testdata/server/testcases/ntfs_ea.out.yaml @@ -35,7 +35,8 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts "Id": 0, "Inode": "37-16-0", "Size": 72, - "Name": "" + "Name": "", + "Resident": true }, { "Type": "$FILE_NAME", @@ -43,7 +44,8 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts "Id": 2, "Inode": "37-48-2", "Size": 98, - "Name": "" + "Name": "", + "Resident": true }, { "Type": "$DATA", @@ -51,7 +53,8 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts "Id": 1, "Inode": "37-128-1", "Size": 14, - "Name": "" + "Name": "", + "Resident": true }, { "Type": "$EA_INFORMATION", @@ -59,7 +62,8 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts "Id": 3, "Inode": "37-208-3", "Size": 8, - "Name": "" + "Name": "", + "Resident": true }, { "Type": "$EA", @@ -67,7 +71,8 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts "Id": 4, "Inode": "37-224-4", "Size": 92, - "Name": "" + "Name": "", + "Resident": true } ], "Hardlinks": [ @@ -88,7 +93,8 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts "Id": 4, "Inode": "37-224-4", "Size": 92, - "Name": "" + "Name": "", + "Resident": true }, "_Source": "Windows.NTFS.ExtendedAttributes" }, 
@@ -128,7 +134,8 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts "Id": 0, "Inode": "37-16-0", "Size": 72, - "Name": "" + "Name": "", + "Resident": true }, { "Type": "$FILE_NAME", @@ -136,7 +143,8 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts "Id": 2, "Inode": "37-48-2", "Size": 98, - "Name": "" + "Name": "", + "Resident": true }, { "Type": "$DATA", @@ -144,7 +152,8 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts "Id": 1, "Inode": "37-128-1", "Size": 14, - "Name": "" + "Name": "", + "Resident": true }, { "Type": "$EA_INFORMATION", @@ -152,7 +161,8 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts "Id": 3, "Inode": "37-208-3", "Size": 8, - "Name": "" + "Name": "", + "Resident": true }, { "Type": "$EA", @@ -160,7 +170,8 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts "Id": 4, "Inode": "37-224-4", "Size": 92, - "Name": "" + "Name": "", + "Resident": true } ], "Hardlinks": [ @@ -181,7 +192,8 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts "Id": 4, "Inode": "37-224-4", "Size": 92, - "Name": "" + "Name": "", + "Resident": true }, "_Source": "Windows.NTFS.ExtendedAttributes" } @@ -222,7 +234,8 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts "Id": 0, "Inode": "49-16-0", "Size": 72, - "Name": "" + "Name": "", + "Resident": true }, { "Type": "$FILE_NAME", @@ -230,7 +243,8 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts "Id": 2, "Inode": "49-48-2", "Size": 96, - "Name": "" + "Name": "", + "Resident": true }, { "Type": "$DATA", @@ -238,7 +252,8 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts "Id": 1, "Inode": "49-128-1", "Size": 12, - "Name": "" + "Name": "", + "Resident": true }, { "Type": "$EA_INFORMATION", 
@@ -246,7 +261,8 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts "Id": 3, "Inode": "49-208-3", "Size": 8, - "Name": "" + "Name": "", + "Resident": true }, { "Type": "$EA", @@ -254,7 +270,8 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts "Id": 4, "Inode": "49-224-4", "Size": 10268, - "Name": "" + "Name": "", + "Resident": false } ], "Hardlinks": [ @@ -275,7 +292,8 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts "Id": 4, "Inode": "49-224-4", "Size": 10268, - "Name": "" + "Name": "", + "Resident": false }, "_Source": "Windows.NTFS.ExtendedAttributes" } diff --git a/artifacts/testdata/server/testcases/remapping.out.yaml b/artifacts/testdata/server/testcases/remapping.out.yaml index 921273fa1c9..2c0551adea9 100644 --- a/artifacts/testdata/server/testcases/remapping.out.yaml +++ b/artifacts/testdata/server/testcases/remapping.out.yaml @@ -127,7 +127,8 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts "Id": 0, "Inode": "46-16-0", "Size": 72, - "Name": "" + "Name": "", + "Resident": true }, { "Type": "$FILE_NAME", @@ -135,7 +136,8 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts "Id": 3, "Inode": "46-48-3", "Size": 124, - "Name": "" + "Name": "", + "Resident": true }, { "Type": "$OBJECT_ID", @@ -143,7 +145,8 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts "Id": 4, "Inode": "46-64-4", "Size": 16, - "Name": "" + "Name": "", + "Resident": true }, { "Type": "$DATA", @@ -151,7 +154,8 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts "Id": 1, "Inode": "46-128-1", "Size": 12, - "Name": "" + "Name": "", + "Resident": true }, { "Type": "$DATA", 
@@ -159,7 +163,8 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts "Id": 5, "Inode": "46-128-5", "Size": 20, - "Name": "goodbye.txt" + "Name": "goodbye.txt", + "Resident": true } ], "Hardlinks": [ @@ -190,9 +195,16 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts } ]SELECT * FROM parse_ntfs_ranges(accessor='ntfs', device='c:/$MFT', inode="46-128-5")[ { - "Offset": 0, + "Type": "MappedReader", + "Level": 0, + "FromOffset": 0, + "ToOffset": 0, "Length": 20, - "IsSparse": false + "CompressedLength": 0, + "IsSparse": false, + "ClusterSize": 1, + "Reader": "*bytes.Reader", + "String": " 0 MappedReader: FileOffset 0 -\u003e DiskOffset 0 (Length 20, Cluster 1) Delegate *bytes.Reader" } ]SELECT OSPath FROM glob(accessor='registry', globs="/HKLM/*/xbox*")[ { diff --git a/bin/rsrc_windows_386.syso b/bin/rsrc_windows_386.syso index 76728c1a19e..291930b85d3 100644 Binary files a/bin/rsrc_windows_386.syso and b/bin/rsrc_windows_386.syso differ diff --git a/bin/rsrc_windows_amd64.syso b/bin/rsrc_windows_amd64.syso index 8c463529b96..6d127526fcf 100644 Binary files a/bin/rsrc_windows_amd64.syso and b/bin/rsrc_windows_amd64.syso differ diff --git a/docs/winres/winres.json b/docs/winres/winres.json index 81d6b4cc24e..7e695c550fd 100644 --- a/docs/winres/winres.json +++ b/docs/winres/winres.json @@ -11,10 +11,10 @@ "0409": { "identity": { "name": "", - "version": "" + "version": "0.72.0.1" }, "description": "Velociraptor: Digging deeper!", - "minimum-os": "win7", + "minimum-os": "win10", "execution-level": "highest", "ui-access": false, "auto-elevate": false, 
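Review bot: docs/winres/winres.json has become a build output — UpdateVersionInfo in magefile.go regenerates it from docs/winres/winres_template.json on every Release — yet this hunk and the RT_VERSION hunk that follows still commit a rendered copy with a concrete version baked in, so the tracked file will churn on each release and can drift from the template. Consider keeping only the template under version control (ignoring the rendered file) and saying in the README or commit description that winres.json is generated. The same hunks, together with the new template, also move minimum-os from win7 to win10; if that is intentional it deserves a line in the commit description, since it changes the compatibility the embedded manifest declares.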
@@ -35,22 +35,22 @@ "#1": { "0000": { "fixed": { - "file_version": "0.0.0.0", - "product_version": "0.0.0.0" + "file_version": "0.72.0.1", + "product_version": "0.72.0.1" }, "info": { "0409": { "Comments": "", "CompanyName": "Rapid 7 Inc", "FileDescription": "Velociraptor: Digging Deeper!", - "FileVersion": "", + "FileVersion": "0.72.0.1", "InternalName": "", "LegalCopyright": "Rapid 7 Inc", "LegalTrademarks": "", "OriginalFilename": "Velociraptor.exe", "PrivateBuild": "", "ProductName": "Velociraptor", - "ProductVersion": "", + "ProductVersion": "0.72.0.1", "SpecialBuild": "" } } diff --git a/docs/winres/winres_template.json b/docs/winres/winres_template.json new file mode 100644 index 00000000000..c7247fa6004 --- /dev/null +++ b/docs/winres/winres_template.json @@ -0,0 +1,60 @@ +{ + "RT_GROUP_ICON": { + "APP": { + "0000": [ + "icon.png" + ] + } + }, + "RT_MANIFEST": { + "#1": { + "0409": { + "identity": { + "name": "", + "version": "0.0.0.0" + }, + "description": "Velociraptor: Digging deeper!", + "minimum-os": "win10", + "execution-level": "highest", + "ui-access": false, + "auto-elevate": false, + "dpi-awareness": "system", + "disable-theming": false, + "disable-window-filtering": false, + "high-resolution-scrolling-aware": false, + "ultra-high-resolution-scrolling-aware": false, + "long-path-aware": true, + "printer-driver-isolation": false, + "gdi-scaling": false, + "segment-heap": false, + "use-common-controls-v6": false + } + } + }, + "RT_VERSION": { + "#1": { + "0000": { + "fixed": { + "file_version": "0.0.0.0", + "product_version": "0.0.0.0" + }, + "info": { + "0409": { + "Comments": "", + "CompanyName": "Rapid 7 Inc", + "FileDescription": "Velociraptor: Digging Deeper!", + "FileVersion": "0.0.0.0", + "InternalName": "", + "LegalCopyright": "Rapid 7 Inc", + "LegalTrademarks": "", + "OriginalFilename": "Velociraptor.exe", + "PrivateBuild": "", + "ProductName": "Velociraptor", + "ProductVersion": "0.0.0.0", + "SpecialBuild": "" + } + } + } + } + } +} 
diff --git a/go.mod b/go.mod
index a00eff7d17d..1b11bda5202 100644
--- a/go.mod
+++ b/go.mod
@@ -95,7 +95,7 @@ require (
 howett.net/plist v1.0.0
 www.velocidex.com/golang/evtx v0.2.1-0.20220404133451-1fdf8be7325e
 www.velocidex.com/golang/go-ese v0.2.1-0.20240207005444-85d57b555f8b
- www.velocidex.com/golang/go-ntfs v0.1.2-0.20231201083609-cc79ced94180
+ www.velocidex.com/golang/go-ntfs v0.1.2-0.20240318162710-3e30ae29762c
 www.velocidex.com/golang/go-pe v0.1.1-0.20230228112150-ef2eadf34bc3
 www.velocidex.com/golang/go-prefetch v0.0.0-20220801101854-338dbe61982a
 www.velocidex.com/golang/oleparse v0.0.0-20230217092320-383a0121aafe
diff --git a/go.sum b/go.sum
index d48a38f55ce..3c353febaa2 100644
--- a/go.sum
+++ b/go.sum
@@ -1334,6 +1334,8 @@ www.velocidex.com/golang/go-ese v0.2.1-0.20240207005444-85d57b555f8b h1:3pFfQuY3
 www.velocidex.com/golang/go-ese v0.2.1-0.20240207005444-85d57b555f8b/go.mod h1:6fC9T6UGLbM7icuA0ugomU5HbFC5XA5I30zlWtZT8YE=
 www.velocidex.com/golang/go-ntfs v0.1.2-0.20231201083609-cc79ced94180 h1:W2GJtqW0ardE+6phBbPK1023MT7onFwh/GSjwtbLc5E=
 www.velocidex.com/golang/go-ntfs v0.1.2-0.20231201083609-cc79ced94180/go.mod h1:itvbHQcnLdTVIDY6fI3lR0zeBwXwBYBdUFtswE0x1vc=
+www.velocidex.com/golang/go-ntfs v0.1.2-0.20240318162710-3e30ae29762c h1:5SadYJv8ARulOb9qRR7JXlHu7tP5jlW0q0ig9j/5da4=
+www.velocidex.com/golang/go-ntfs v0.1.2-0.20240318162710-3e30ae29762c/go.mod h1:itvbHQcnLdTVIDY6fI3lR0zeBwXwBYBdUFtswE0x1vc=
 www.velocidex.com/golang/go-pe v0.1.1-0.20220107093716-e91743c801de/go.mod h1:j9Xy8Z9wxzY2SCB8CqDkkoSzy+eUwevnOrRm/XM2q/A=
 www.velocidex.com/golang/go-pe v0.1.1-0.20230228112150-ef2eadf34bc3 h1:W394TEIFuHFxHY8mzTJPHI5v+M+NLKEHmHn7KY/VpEM=
 www.velocidex.com/golang/go-pe v0.1.1-0.20230228112150-ef2eadf34bc3/go.mod h1:agYwYzeeytVtdwkRrvxZAjgIA8SCeM/Tg7Ym2/jBwmA=
diff --git a/magefile.go b/magefile.go
index 7b95383c7f9..b60eb0779ab 100644
--- a/magefile.go
+++ b/magefile.go
@@ -1,4 +1,5 @@
-//+build mage
+//go:build mage
+// +build mage
 
 /*
 Velociraptor - Dig Deeper
@@ -22,12 +23,14 @@ package main
 
 import (
 "bytes"
+ "errors"
 "fmt"
 "io/ioutil"
 "os"
 "path"
 "path/filepath"
 "runtime"
+ "strconv"
 "strings"
 "time"
 
@@ -185,6 +188,11 @@ func Release() error {
 return err
 }
 
+ err = UpdateVersionInfo()
+ if err != nil {
+ return err
+ }
+
 err = build_gui_files()
 if err != nil {
 return err
@@ -520,7 +528,7 @@ func replace_string_in_file(filename string, old string, new string) error {
 return err
 }
 newContents := strings.Replace(string(read), old, new, -1)
- return ioutil.WriteFile(filename, []byte(newContents), 0)
+ return ioutil.WriteFile(filename, []byte(newContents), 0644)
 }
 
 func timestamp_of(path string) int64 {
@@ -566,8 +574,59 @@ func UpdateDependentTools() error { data = bytes.ReplaceAll(data, []byte(""), []byte(constants.VERSION)) data = bytes.ReplaceAll(data, []byte(""), - []byte(fmt.Sprintf("%d.%d.%d", v.Major(), v.Minor(), v.Patch()))) + []byte(fmt.Sprintf("%d.%d", v.Major(), v.Minor()))) _, err = outfd.Write(data) return err } + +func UpdateVersionInfo() error { + read, err := ioutil.ReadFile("docs/winres/winres_template.json") + if err != nil { + return err + } + + v, err := semver.NewVersion(constants.VERSION) + if err != nil { + return err + } + + var prerelease int64 + prerelease_str := v.Prerelease() + if prerelease_str != "" { + if !strings.HasPrefix(prerelease_str, "rc") { + return errors.New("Prerelease version should start with rc") + } + + prerelease, err = strconv.ParseInt(prerelease_str[2:], 0, 0) + if err != nil { + return errors.New("Prerelease version should start with rc followed by numbers") + } + } + + version := fmt.Sprintf("%d.%d.%d.%d", v.Major(), v.Minor(), + v.Patch(), prerelease) + newContents := strings.Replace(string(read), "0.0.0.0", version, -1) + err = ioutil.WriteFile("docs/winres/winres.json", + []byte(newContents), 0644) + if err != nil { + return err + } + + command := []string{"make", + "--in", "docs/winres/winres.json", "--out", "bin/rsrc"} + + err = sh.Run("go-winres", command...) + if err != nil { + err = sh.Run(mg.GoCmd(), "install", "github.com/tc-hib/go-winres@d743268d7ea168077ddd443c4240562d4f5e8c3e") + if err != nil { + return err + } + + err = sh.Run("go-winres", command...) + + return err + } + + return nil +} diff --git a/vql/parsers/ntfs.go b/vql/parsers/ntfs.go index 7977a0759e0..d98b34a55d5 100644 --- a/vql/parsers/ntfs.go +++ b/vql/parsers/ntfs.go 
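Review bot: In UpdateVersionInfo, `strconv.ParseInt(prerelease_str[2:], 0, 0)` parses with base 0, which accepts 0x/0o/0b prefixes and underscores and treats a leading zero as octal, so a tag such as rc08 is rejected while rc0x1 is accepted; the intent is a plain decimal, `prerelease, err = strconv.ParseInt(strings.TrimPrefix(prerelease_str, "rc"), 10, 64)`. The `errors.New` that follows discards the underlying parse error and both messages start with a capital letter; prefer `return fmt.Errorf("prerelease %q should be rc followed by a number: %w", prerelease_str, err)`. As an exported mage target the function should carry a doc comment, which mage shows as the target description, e.g. `// UpdateVersionInfo renders docs/winres/winres.json from winres_template.json and runs go-winres to regenerate the bin/rsrc .syso files.`. The fallback branch runs `go install` after any failure of the first go-winres invocation, not only when the binary is absent, so a genuine go-winres error first triggers a network install before it is surfaced; probing with `exec.LookPath("go-winres")` (os/exec) up front would confine the pinned install to the missing-tool case and make failures easier to read.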
@@ -1,19 +1,19 @@
 /*
- Velociraptor - Dig Deeper
- Copyright (C) 2019-2024 Rapid7 Inc.
+Velociraptor - Dig Deeper
+Copyright (C) 2019-2024 Rapid7 Inc.
 
- This program is free software: you can redistribute it and/or modify
- it under the terms of the GNU Affero General Public License as published
- by the Free Software Foundation, either version 3 of the License, or
- (at your option) any later version.
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as published
+by the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
 
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU Affero General Public License for more details.
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
 
- You should have received a copy of the GNU Affero General Public License
- along with this program. If not, see .
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see .
 */
 
 package parsers
@@ -23,6 +23,7 @@ import (
 "strings"
 
 "github.com/Velocidex/ordereddict"
+ "www.velocidex.com/golang/go-ntfs/parser"
 ntfs "www.velocidex.com/golang/go-ntfs/parser"
 "www.velocidex.com/golang/velociraptor/accessors"
 "www.velocidex.com/golang/velociraptor/accessors/ntfs/readers"
@@ -368,7 +369,7 @@ func (self NTFSRangesPlugin) Call(
 return
 }
 
- for _, rng := range reader.Ranges() {
+ for _, rng := range parser.DebugRuns(reader, 0) {
 select {
 case <-ctx.Done():
 return
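Review bot: The added import brings `www.velocidex.com/golang/go-ntfs/parser` into scope under its default name `parser` while the very next line already imports the same path as `ntfs`, so one package is now imported twice under two names; staticcheck reports this (ST1019) and it reads as if two different packages were involved. Drop the new import line and use the existing alias at the call site in the Call hunk below: `for _, rng := range ntfs.DebugRuns(reader, 0) {`.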
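Review bot: Switching the loop from `reader.Ranges()` to `parser.DebugRuns(reader, 0)` changes the rows parse_ntfs_ranges emits, as the remapping.out.yaml hunk in this commit shows: the old `Offset`/`Length`/`IsSparse` rows become Type/Level/FromOffset/ToOffset/Length/CompressedLength/IsSparse/ClusterSize/Reader/String, and `Offset` is gone. Existing artifacts that select `Offset` will no longer get that column, so the plugin's doc string and the changelog should state that the output schema changed and name the replacement field (`FromOffset` appears to be the file-offset equivalent — confirm). The new `Reader` and `String` columns carry Go type names such as `*bytes.Reader`, which looks like debug output leaking into a user-facing schema; consider whether they belong in the rows at all. NTFSRangesPlugin.Call starts and ends outside this hunk.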