├── .clang-format ├── .gitignore ├── .gitmodules ├── CMakeLists.txt ├── CODEOWNERS ├── CONTRIBUTING.md ├── LICENSE ├── PULL_REQUEST_TEMPLATE.md ├── README.md ├── efigy ├── .platforms ├── CMakeLists.txt ├── README.md └── src │ ├── efigy.cpp │ ├── efigy.h │ ├── efigytable.cpp │ ├── efigytable.h │ ├── utils.h │ └── utils.mm ├── fwctl ├── .platforms ├── CMakeLists.txt ├── README.md ├── src │ ├── basetable.h │ ├── globals.cpp │ ├── globals.h │ ├── hostdenylist.cpp │ ├── hostdenylist.h │ ├── portdenylist.cpp │ └── portdenylist.h └── tests │ ├── hostdenylist.cpp │ └── main.cpp ├── iptables ├── .platforms ├── CMakeLists.txt ├── README.md ├── src │ ├── ip6tables_ext.cpp │ ├── ip6tables_ext.h │ ├── ip6tables_policies.cpp │ ├── ip6tables_policies.h │ ├── ip6tc.h │ ├── iptables_ext.cpp │ ├── iptables_ext.h │ ├── iptables_policies.cpp │ ├── iptables_policies.h │ ├── iptc.h │ ├── utils.cpp │ └── utils.h └── test │ ├── main.cpp │ └── utils.cpp ├── libraries ├── extutils │ ├── .platforms │ ├── CMakeLists.txt │ ├── include │ │ └── trailofbits │ │ │ ├── extutils.h │ │ │ └── istatus.h │ └── src │ │ └── extutils.cpp ├── firewall │ ├── .platforms │ ├── CMakeLists.txt │ ├── include │ │ └── trailofbits │ │ │ └── ifirewall.h │ ├── linux │ │ ├── src │ │ │ ├── firewall.cpp │ │ │ └── firewall.h │ │ └── tests │ │ │ ├── iptables_firewall.cpp │ │ │ └── main.cpp │ ├── macos │ │ ├── src │ │ │ ├── firewall.cpp │ │ │ └── firewall.h │ │ └── tests │ │ │ ├── main.cpp │ │ │ └── pf_firewall.cpp │ └── windows │ │ ├── src │ │ ├── firewall.cpp │ │ └── firewall.h │ │ └── tests │ │ ├── main.cpp │ │ └── windows_firewall.cpp ├── hostsfile │ ├── .platforms │ ├── CMakeLists.txt │ ├── include │ │ └── trailofbits │ │ │ └── ihostsfile.h │ ├── src │ │ ├── hostsfile.cpp │ │ └── hostsfile.h │ └── tests │ │ ├── hostsfile.cpp │ │ └── main.cpp ├── pubsub │ ├── .platforms │ ├── CMakeLists.txt │ ├── include │ │ └── pubsub │ │ │ ├── baseeventpublisher.h │ │ │ ├── baseeventsubscriber.h │ │ │ ├── configurationfile.h │ │ │ ├── 
eventbufferlibrary.h │ │ │ ├── ieventpublisher.h │ │ │ ├── ieventsubscriber.h │ │ │ ├── publisherregistry.h │ │ │ ├── publisherscheduler.h │ │ │ ├── servicemanager.h │ │ │ ├── subscriberregistry.h │ │ │ └── table_generator.h │ └── src │ │ ├── configurationfile.cpp │ │ ├── eventbufferlibrary.cpp │ │ ├── publisherregistry.cpp │ │ ├── publisherscheduler.cpp │ │ ├── servicemanager.cpp │ │ └── subscriberregistry.cpp └── tsk_builtin │ ├── .platforms │ ├── BUILD_NOTES │ ├── CMakeLists.txt │ ├── include │ └── tsk │ │ ├── Makefile.am │ │ ├── Makefile.in │ │ ├── auto │ │ ├── .indent.pro │ │ ├── Makefile.am │ │ ├── Makefile.in │ │ ├── auto.cpp │ │ ├── auto_db.cpp │ │ ├── case_db.cpp │ │ ├── db_connection_info.h │ │ ├── db_postgresql.cpp │ │ ├── db_sqlite.cpp │ │ ├── guid.cpp │ │ ├── guid.h │ │ ├── is_image_supported.cpp │ │ ├── sqlite3.c │ │ ├── sqlite3.h │ │ ├── tsk_auto.h │ │ ├── tsk_auto_i.h │ │ ├── tsk_case_db.h │ │ ├── tsk_db.cpp │ │ ├── tsk_db.h │ │ ├── tsk_db_postgresql.h │ │ ├── tsk_db_sqlite.h │ │ └── tsk_is_image_supported.h │ │ ├── base │ │ ├── .indent.pro │ │ ├── Makefile.am │ │ ├── Makefile.in │ │ ├── XGetopt.c │ │ ├── crc.c │ │ ├── crc.h │ │ ├── md5c.c │ │ ├── mymalloc.c │ │ ├── sha1c.c │ │ ├── tsk_base.h │ │ ├── tsk_base_i.h │ │ ├── tsk_endian.c │ │ ├── tsk_error.c │ │ ├── tsk_error_win32.cpp │ │ ├── tsk_list.c │ │ ├── tsk_lock.c │ │ ├── tsk_os.h │ │ ├── tsk_parse.c │ │ ├── tsk_printf.c │ │ ├── tsk_stack.c │ │ ├── tsk_unicode.c │ │ └── tsk_version.c │ │ ├── docs │ │ ├── Doxyfile │ │ ├── auto.dox │ │ ├── base.dox │ │ ├── basics.dox │ │ ├── cpp.dox │ │ ├── footer.html │ │ ├── fs.dox │ │ ├── hashdb.dox │ │ ├── img.dox │ │ ├── main.dox │ │ └── vs.dox │ │ ├── fs │ │ ├── .indent.pro │ │ ├── Makefile.am │ │ ├── Makefile.in │ │ ├── dcalc_lib.c │ │ ├── dcat_lib.c │ │ ├── dls_lib.c │ │ ├── dstat_lib.c │ │ ├── exfatfs.c │ │ ├── exfatfs_dent.c │ │ ├── exfatfs_meta.c │ │ ├── ext2fs.c │ │ ├── ext2fs_dent.c │ │ ├── ext2fs_journal.c │ │ ├── fatfs.c │ │ ├── fatfs_dent.cpp │ │ 
├── fatfs_meta.c │ │ ├── fatfs_utils.c │ │ ├── fatxxfs.c │ │ ├── fatxxfs_dent.c │ │ ├── fatxxfs_meta.c │ │ ├── ffind_lib.c │ │ ├── ffs.c │ │ ├── ffs_dent.c │ │ ├── fls_lib.c │ │ ├── fs_attr.c │ │ ├── fs_attrlist.c │ │ ├── fs_block.c │ │ ├── fs_dir.c │ │ ├── fs_file.c │ │ ├── fs_inode.c │ │ ├── fs_io.c │ │ ├── fs_load.c │ │ ├── fs_name.c │ │ ├── fs_open.c │ │ ├── fs_parse.c │ │ ├── fs_types.c │ │ ├── hfs.c │ │ ├── hfs_dent.c │ │ ├── hfs_journal.c │ │ ├── hfs_unicompare.c │ │ ├── icat_lib.c │ │ ├── ifind_lib.c │ │ ├── ils_lib.c │ │ ├── iso9660.c │ │ ├── iso9660_dent.c │ │ ├── lzvn.c │ │ ├── lzvn.h │ │ ├── nofs_misc.c │ │ ├── ntfs.c │ │ ├── ntfs_dent.cpp │ │ ├── rawfs.c │ │ ├── swapfs.c │ │ ├── tsk_exfatfs.h │ │ ├── tsk_ext2fs.h │ │ ├── tsk_fatfs.h │ │ ├── tsk_fatxxfs.h │ │ ├── tsk_ffs.h │ │ ├── tsk_fs.h │ │ ├── tsk_fs_i.h │ │ ├── tsk_hfs.h │ │ ├── tsk_iso9660.h │ │ ├── tsk_ntfs.h │ │ ├── tsk_yaffs.h │ │ ├── unix_misc.c │ │ ├── usn_journal.c │ │ ├── usnjls_lib.c │ │ ├── walk_cpp.cpp │ │ └── yaffs.cpp │ │ ├── hashdb │ │ ├── .indent.pro │ │ ├── Makefile.am │ │ ├── Makefile.in │ │ ├── binsrch_index.cpp │ │ ├── encase.c │ │ ├── hashkeeper.c │ │ ├── hdb_base.c │ │ ├── idxonly.c │ │ ├── md5sum.c │ │ ├── nsrl.c │ │ ├── sqlite_hdb.cpp │ │ ├── tsk_hash_info.h │ │ ├── tsk_hashdb.c │ │ ├── tsk_hashdb.h │ │ └── tsk_hashdb_i.h │ │ ├── img │ │ ├── .indent.pro │ │ ├── Makefile.am │ │ ├── Makefile.in │ │ ├── aff.c │ │ ├── aff.h │ │ ├── ewf.c │ │ ├── ewf.h │ │ ├── img_io.c │ │ ├── img_open.c │ │ ├── img_types.c │ │ ├── img_writer.cpp │ │ ├── img_writer.h │ │ ├── mult_files.c │ │ ├── raw.c │ │ ├── raw.h │ │ ├── tsk_img.h │ │ ├── tsk_img_i.h │ │ ├── vhd.c │ │ ├── vhd.h │ │ ├── vmdk.c │ │ └── vmdk.h │ │ ├── libtsk.h │ │ ├── sorter │ │ ├── default.sort │ │ ├── freebsd.sort │ │ ├── images.sort │ │ ├── linux.sort │ │ ├── openbsd.sort │ │ ├── solaris.sort │ │ └── windows.sort │ │ ├── tsk_config.h.in │ │ ├── tsk_incs.h │ │ ├── tsk_tools_i.h │ │ └── vs │ │ ├── .indent.pro │ │ ├── Makefile.am │ 
│ ├── Makefile.in │ │ ├── bsd.c │ │ ├── dos.c │ │ ├── gpt.c │ │ ├── mac.c │ │ ├── mm_io.c │ │ ├── mm_open.c │ │ ├── mm_part.c │ │ ├── mm_types.c │ │ ├── sun.c │ │ ├── tsk_bsd.h │ │ ├── tsk_dos.h │ │ ├── tsk_gpt.h │ │ ├── tsk_mac.h │ │ ├── tsk_sun.h │ │ ├── tsk_vs.h │ │ └── tsk_vs_i.h │ └── lib │ └── libtsk.lib ├── mdm_enrollment ├── .platforms ├── CMakeLists.txt ├── README.md ├── mdm_status_extension.cpp └── mdm_status_extension.h ├── network_monitor ├── .platforms ├── CMakeLists.txt ├── README.md └── src │ ├── dnseventspublisher.cpp │ ├── dnseventspublisher.h │ ├── dnseventssubscriber.cpp │ ├── dnseventssubscriber.h │ ├── main.cpp │ ├── pcap_utils.cpp │ ├── pcap_utils.h │ ├── pcapreaderservice.cpp │ └── pcapreaderservice.h ├── ntfs_forensics ├── .platforms ├── CMakeLists.txt ├── README.md ├── example.txt └── src │ ├── constraints.cpp │ ├── constraints.h │ ├── diskdevice.cpp │ ├── diskdevice.h │ ├── diskpartition.cpp │ ├── diskpartition.h │ ├── ntfs_types.h │ ├── ntfsdirectoryindexentry.cpp │ ├── ntfsdirectoryindexentry.h │ ├── ntfsfileinformation.cpp │ ├── ntfsfileinformation.h │ ├── ntfsfileinfotable.cpp │ ├── ntfsfileinfotable.h │ ├── ntfsfilenameattributecontents.cpp │ ├── ntfsfilenameattributecontents.h │ ├── ntfsindxtable.cpp │ ├── ntfsindxtable.h │ ├── ntfspartinfotable.cpp │ └── ntfspartinfotable.h ├── opt_dependencies ├── Pcap++ │ ├── CMakeLists.txt │ ├── cmake_project │ │ ├── 3rdParty │ │ │ ├── CMakeLists.txt │ │ │ ├── EndianPortable │ │ │ │ └── CMakeLists.txt │ │ │ └── LightPcapNg │ │ │ │ └── LightPcapNg │ │ │ │ └── CMakeLists.txt │ │ ├── CMakeLists.txt │ │ ├── Common++ │ │ │ └── CMakeLists.txt │ │ ├── Packet++ │ │ │ └── CMakeLists.txt │ │ └── Pcap++ │ │ │ └── CMakeLists.txt │ └── netinet │ │ ├── ether.h │ │ ├── icmp6.h │ │ ├── if_ether.h │ │ ├── if_fddi.h │ │ ├── if_tr.h │ │ ├── igmp.h │ │ ├── in.h │ │ ├── in_systm.h │ │ ├── ip.h │ │ ├── ip6.h │ │ ├── ip_icmp.h │ │ ├── tcp.h │ │ └── udp.h ├── json11 │ └── CMakeLists.txt └── pcap │ └── CMakeLists.txt ├── 
santa ├── .platforms ├── CMakeLists.txt ├── README.md └── src │ ├── santa.cpp │ ├── santa.h │ ├── santadecisionstable.cpp │ ├── santadecisionstable.h │ ├── santarulestable.cpp │ ├── santarulestable.h │ ├── utils.cpp │ └── utils.h └── windows_sync_objects ├── .platforms ├── CMakeLists.txt ├── README.md └── src ├── objectmanager.cpp ├── objectmanager.h ├── winapi.h ├── windowssyncobjects.cpp └── windowssyncobjects.h /.clang-format: -------------------------------------------------------------------------------- 1 | --- 2 | # BasedOnStyle: Google 3 | AccessModifierOffset: -1 4 | AlignAfterOpenBracket: true 5 | # AlignConsecutiveAssignments: false 6 | AlignEscapedNewlinesLeft: false 7 | AlignOperands: true 8 | AlignTrailingComments: false # differs 9 | AllowShortBlocksOnASingleLine: false 10 | AllowAllParametersOfDeclarationOnNextLine: true 11 | AllowShortCaseLabelsOnASingleLine: false 12 | AllowShortIfStatementsOnASingleLine: false # differs 13 | AllowShortLoopsOnASingleLine: false # differs 14 | AllowShortFunctionsOnASingleLine: Empty 15 | AlwaysBreakAfterDefinitionReturnType: false 16 | AlwaysBreakTemplateDeclarations: true 17 | AlwaysBreakBeforeMultilineStrings: true 18 | BreakBeforeBinaryOperators: false # differs 19 | BreakBeforeBraces: Attach 20 | BreakBeforeTernaryOperators: true 21 | BreakConstructorInitializersBeforeComma: false 22 | BinPackParameters: false 23 | BinPackArguments: false 24 | ColumnLimit: 80 25 | ConstructorInitializerIndentWidth: 4 26 | ConstructorInitializerAllOnOneLineOrOnePerLine: true 27 | DerivePointerAlignment: false 28 | DerivePointerBinding: true 29 | IndentCaseLabels: false #differs 30 | IndentWrappedFunctionNames: false 31 | IndentFunctionDeclarationAfterType: false 32 | MaxEmptyLinesToKeep: 1 33 | KeepEmptyLinesAtTheStartOfBlocks: false 34 | NamespaceIndentation: None 35 | ObjCBlockIndentWidth: 2 36 | ObjCSpaceAfterProperty: false 37 | ObjCSpaceBeforeProtocolList: false 38 | PenaltyBreakBeforeFirstCallParameter: 1 39 | 
PenaltyBreakComment: 300 40 | PenaltyBreakString: 1000 41 | PenaltyBreakFirstLessLess: 120 42 | PenaltyExcessCharacter: 1000000 43 | PenaltyReturnTypeOnItsOwnLine: 200 44 | PointerAlignment: Left 45 | PointerBindsToType: true 46 | SpacesBeforeTrailingComments: 1 #differs 47 | Cpp11BracedListStyle: true 48 | Standard: Cpp11 49 | IndentWidth: 2 50 | TabWidth: 8 51 | UseTab: Never 52 | SpaceAfterControlStatementKeyword: true 53 | SpaceAfterCStyleCast: false 54 | SpaceBeforeAssignmentOperators: true 55 | SpaceBeforeParens: ControlStatements 56 | SpaceInEmptyParentheses: false 57 | SpacesInAngles: false 58 | SpacesInContainerLiterals: true 59 | SpacesInCStyleCastParentheses: false 60 | SpacesInParentheses: false 61 | SpacesInSquareBrackets: false 62 | ContinuationIndentWidth: 4 63 | CommentPragmas: '^ IWYU pragma:' 64 | ForEachMacros: [ foreach, Q_FOREACH, BOOST_FOREACH ] 65 | ... 66 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | .vscode 3 | tags 4 | tags.lock 5 | *.swp 6 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "opt_dependencies/pcap/src"] 2 | path = opt_dependencies/pcap/src 3 | url = https://github.com/the-tcpdump-group/libpcap.git 4 | branch = libpcap-1.9 5 | [submodule "opt_dependencies/json11/src"] 6 | path = opt_dependencies/json11/src 7 | url = https://github.com/dropbox/json11.git 8 | [submodule "opt_dependencies/pcapplusplus/src"] 9 | path = opt_dependencies/pcapplusplus/src 10 | url = https://github.com/seladb/PcapPlusPlus.git 11 | [submodule "opt_dependencies/Pcap++/src"] 12 | path = opt_dependencies/Pcap++/src 13 | url = https://github.com/seladb/PcapPlusPlus.git 14 | -------------------------------------------------------------------------------- /CODEOWNERS: 
--------------------------------------------------------------------------------
* @alessandrogario
--------------------------------------------------------------------------------
/PULL_REQUEST_TEMPLATE.md:
--------------------------------------------------------------------------------
### Requirements

* Please fill out the template with every pull request (PR). Any PR that does not include enough information to be reviewed in a timely manner may be closed at the maintainers' discretion.
* All new code ought to include tests, to aid in evaluation.

### Description of the Change

### Alternate Designs

### Why Shouldn't This Be In osquery Core?

### Benefits

### Possible Drawbacks

### Verification Process

### Applicable Issues

--------------------------------------------------------------------------------
/efigy/.platforms:
--------------------------------------------------------------------------------
APPLE
--------------------------------------------------------------------------------
/efigy/CMakeLists.txt:
--------------------------------------------------------------------------------
# Copyright (c) 2018 Trail of Bits, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
14 | 15 | cmake_minimum_required(VERSION 3.10) 16 | project(efigy) 17 | 18 | function(main) 19 | set(project_libraries 20 | "-framework CoreFoundation" 21 | "-framework IOKit" 22 | ) 23 | 24 | find_package(CURL REQUIRED) 25 | list(APPEND project_libraries 26 | ${CURL_LIBRARIES} 27 | ) 28 | 29 | list(APPEND project_include_folders 30 | ${CURL_INCLUDE_DIR} 31 | ${TOB_EXTENSIONS_ROOT} 32 | ) 33 | 34 | set(source_files 35 | src/utils.h 36 | src/utils.mm 37 | 38 | src/efigy.h 39 | src/efigy.cpp 40 | 41 | src/efigytable.h 42 | src/efigytable.cpp 43 | ) 44 | 45 | addOsqueryExtensionEx("EFIgyTablePlugin" "table" "EFIgy" 46 | SOURCES ${source_files} 47 | INCLUDEDIRS "${CMAKE_CURRENT_SOURCE_DIR}/src" ${project_include_folders} 48 | MAININCLUDES efigytable.h 49 | LIBRARIES ${project_libraries} 50 | ) 51 | endfunction() 52 | 53 | main() 54 | 55 | -------------------------------------------------------------------------------- /efigy/README.md: -------------------------------------------------------------------------------- 1 | # EFIgy osquery extension 2 | 3 | [EFIgy](http://efigy.io/) is a service by Duo Labs that helps Apple Mac users determine if they are running the expected EFI firmware version given their Mac hardware and OS build version. This extension integrates osquery with the EFIgy API, so you can determine if all of the EFI firmware on your Mac fleet is up-to-date. 4 | 5 | ## Usage 6 | 7 | To quickly test an extension, you can either start it from the osqueryi shell, or launch it manually and wait for it 8 | to connect to the running osquery instance. 9 | 10 | Consider either changing the ownership of `trailofbits_osquery_extensions.ext` to root, or running osquery with the `--allow_unsafe` flag. 11 | 12 | `osqueryi --extension /path/to/trailofbits_osquery_extensions.ext` 13 | ``` 14 | $ sudo osqueryi --extension osquery/build/darwin/external/trailofbits_osquery_extensions.ext 15 | Using a virtual database. 
Need help, type '.help' 16 | osquery> SELECT * FROM efigy; 17 | +--------------------+-----------------+--------------------+-------------------+------------+---------------------+ 18 | | latest_efi_version | efi_version | efi_version_status | latest_os_version | os_version | build_number_status | 19 | +--------------------+-----------------+--------------------+-------------------+------------+---------------------+ 20 | | MBP142.0167.B00 | MBP142.0167.B00 | success | 10.12.6 | 10.12.6 | success | 21 | +--------------------+-----------------+--------------------+-------------------+------------+---------------------+ 22 | osquery> 23 | ``` 24 | 25 | See the [osquery documentation on extensions](https://osquery.readthedocs.io/en/stable/deployment/extensions) for further 26 | information. 27 | 28 | ## License 29 | 30 | The code in this repository is licensed under the [Apache 2.0 license](../LICENSE). 31 | -------------------------------------------------------------------------------- /efigy/src/efigy.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2018 Trail of Bits, Inc. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
*/

#pragma once

#include "utils.h"

// NOTE(review): the header name after this #include was lost in extraction.
#include

namespace trailofbits {
/// What the EFIgy service reports for the queried machine; written through
/// the non-const reference that queryEFIgy() takes.
struct ServerResponse final {
  std::string latest_efi_version;
  std::string latest_os_version;
  std::string latest_build_number;
};

/// Asks the EFIgy service (see README) which firmware/OS versions are expected
/// for `system_info` and stores the answer in `response`.
/// @param response     output parameter, overwritten with the service answer
/// @param system_info  the locally collected hardware and OS data (utils.h)
/// NOTE(review): how network or parsing failures are reported is not visible
/// from this declaration — check efigy.cpp before trusting `response` after a
/// call.
void queryEFIgy(ServerResponse& response, const SystemInformation& system_info);
} // namespace trailofbits
--------------------------------------------------------------------------------
/efigy/src/efigytable.h:
--------------------------------------------------------------------------------
/*
 * Copyright (c) 2018 Trail of Bits, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
*/

#pragma once

// NOTE(review): the header name after this #include was lost in extraction.
#include

namespace trailofbits {
/// osquery table plugin behind the `efigy` table shown in the README: a single
/// row pairing the locally detected EFI/OS versions with what EFIgy expects.
class EFIgyTablePlugin final : public osquery::TablePlugin {
 private:
  /// Column definitions of the table.
  osquery::TableColumns columns() const override;

  /// Builds the row(s) for a query — presumably where the EFIgy lookup
  /// happens; implementation in efigytable.cpp (not shown here).
  osquery::TableRows generate(osquery::QueryContext& request) override;

 public:
  EFIgyTablePlugin();
  ~EFIgyTablePlugin();
};
} // namespace trailofbits

// Export the class outside the namespace so that osquery can pick it up
using EFIgyTablePlugin = trailofbits::EFIgyTablePlugin;
--------------------------------------------------------------------------------
/efigy/src/utils.h:
--------------------------------------------------------------------------------
/*
 * Copyright (c) 2018 Trail of Bits, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
*/

#pragma once

// NOTE(review): the header names after these #include lines were lost in
// extraction.
#include
#include

#include

#include

namespace trailofbits {
/// Everything collected about the local machine before contacting EFIgy.
/// NOTE(review): sys_uuid and mac_addr identify the host; whether they are
/// hashed (getSha256Hash below) before being posted is decided in utils.mm /
/// efigy.cpp — confirm there.
struct SystemInformation final {
  std::string board_id;
  std::string smc_ver;
  std::string sys_uuid;
  std::string build_num;
  std::string rom_ver;
  std::string hw_ver;
  std::string os_ver;
  std::string mac_addr;
};

/// HTTP POST of `post_data` to `url`; presumably returns the response body.
/// The extension links libcurl (efigy/CMakeLists.txt: find_package(CURL));
/// NOTE(review): whether certificate verification stays enabled is decided by
/// the implementation in utils.mm — confirm.
std::string httpPostRequest(const std::string& url,
                            const std::string& post_data);

/// SHA-256 over `length` bytes starting at `buffer`; the output encoding (hex
/// or raw) is not visible from this declaration.
std::string getSha256Hash(const std::uint8_t* buffer, std::size_t length);

// Per-item getters. Each writes into the reference it receives; none of the
// declarations report failure, so a caller cannot distinguish "unknown" from a
// real value without reading the implementation.
void getEFIVersion(std::string& version);
void getSMCVersion(std::string& version);
void getOSVersion(std::string& version, std::string& build);
void getMACAddress(std::string& mac);

// Getters that read from an IOKit registry entry supplied by the caller
// (the target links -framework IOKit, see efigy/CMakeLists.txt).
void getHardwareModel(std::string& model, io_registry_entry_t registry);
void getBoardID(std::string& board_id, io_registry_entry_t registry);

void getHostUUID(std::string& uuid, io_registry_entry_t registry);

/// Presumably fills every field of `system_info` via the getters above.
void getSystemInformation(SystemInformation& system_info);
} // namespace trailofbits
--------------------------------------------------------------------------------
/fwctl/.platforms:
--------------------------------------------------------------------------------
LINUX
WINDOWS
APPLE
--------------------------------------------------------------------------------
/fwctl/CMakeLists.txt:
--------------------------------------------------------------------------------
# Copyright (c) 2018 Trail of Bits, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | cmake_minimum_required(VERSION 3.10) 16 | project(fwctl) 17 | 18 | function(fwctlMain) 19 | set(project_libraries 20 | firewall 21 | hostsfile 22 | ) 23 | 24 | set(project_common_source_files 25 | src/globals.h 26 | src/globals.cpp 27 | src/basetable.h 28 | ) 29 | 30 | addOsqueryExtensionEx("HostDenylistTable" "table" "HostDenylist" 31 | SOURCES ${project_common_source_files} src/hostdenylist.h src/hostdenylist.cpp 32 | INCLUDEDIRS "${CMAKE_CURRENT_SOURCE_DIR}/src" 33 | MAININCLUDES hostdenylist.h 34 | LIBRARIES ${project_libraries} 35 | ) 36 | 37 | addOsqueryExtensionEx("PortDenylistTable" "table" "PortDenylist" 38 | SOURCES ${project_common_source_files} src/portdenylist.h src/portdenylist.cpp 39 | INCLUDEDIRS "${CMAKE_CURRENT_SOURCE_DIR}/src" 40 | MAININCLUDES portdenylist.h 41 | LIBRARIES ${project_libraries} 42 | ) 43 | 44 | # Only enable table tests on Linux and macOS 45 | if(UNIX) 46 | set(project_test_files 47 | 48 | tests/main.cpp 49 | tests/hostdenylist.cpp 50 | 51 | src/globals.h 52 | src/globals.cpp 53 | 54 | src/basetable.h 55 | 56 | src/hostdenylist.h 57 | src/hostdenylist.cpp 58 | 59 | src/portdenylist.h 60 | src/portdenylist.cpp 61 | ) 62 | 63 | AddTest("tables" test_target_name ${project_test_files}) 64 | 65 | target_include_directories("${test_target_name}" PRIVATE 66 | "${CMAKE_CURRENT_SOURCE_DIR}/src" 67 | "${TOB_EXTENSIONS_ROOT}" 68 | ) 69 | 70 | target_compile_definitions("${test_target_name}" PRIVATE "${configuration_root}") 71 | 72 | target_compile_options("${test_target_name}" PRIVATE 
${cxx_settings}) 73 | 74 | target_link_libraries("${test_target_name}" PRIVATE 75 | firewall 76 | hostsfile 77 | ) 78 | 79 | if(NOT APPLE) 80 | target_link_libraries("${test_target_name}" PRIVATE rt) 81 | endif() 82 | endif() 83 | endfunction() 84 | 85 | fwctlMain() 86 | -------------------------------------------------------------------------------- /fwctl/src/basetable.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2018 Trail of Bits, Inc. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
*/

#pragma once

// NOTE(review): the header names after these #include lines were lost in
// extraction.
#include
#include

#include

#include

namespace trailofbits {

using PrimaryKey = std::string;
using RowID = std::uint64_t;
// NOTE(review): template arguments lost in extraction; the alias name suggests
// RowID -> PrimaryKey.
using RowIdToPrimaryKeyMap = std::unordered_map;

/// Common base of the fwctl tables (HostDenylistTable, PortDenylistTable).
class BaseTable : public osquery::TablePlugin {
 public:
  BaseTable() = default;
  virtual ~BaseTable() = default;

 protected:
  /// Resets `document`, parses `json_value_array` into it and requires the
  /// top-level JSON value to be an array.
  /// @param document          output; reset before parsing
  /// @param json_value_array  JSON text — presumably the value array of an
  ///                          osquery insert/update request, i.e. input chosen
  ///                          by whoever issued the statement (verify in the
  ///                          table implementations)
  /// @return Status(1, "Invalid format") on a parse error or a non-array
  ///         document, Status(0, "OK") otherwise. On failure `document` holds
  ///         whatever the failed parse left behind; do not read it.
  static osquery::Status ParseRowData(rapidjson::Document& document,
                                      const std::string& json_value_array) {
    document = {};
    document.Parse(json_value_array);
    if (document.HasParseError() || !document.IsArray()) {
      return osquery::Status(1, "Invalid format");
    }

    return osquery::Status(0, "OK");
  }
};
} // namespace trailofbits
--------------------------------------------------------------------------------
/fwctl/src/globals.cpp:
--------------------------------------------------------------------------------
/*
 * Copyright (c) 2018 Trail of Bits, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
*/

#include "globals.h"

// NOTE(review): the header name after this #include was lost in extraction.
#include

namespace boostfs = boost::filesystem;
namespace boostsys = boost::system;

namespace trailofbits {
/// Makes sure CONFIGURATION_ROOT exists.
/// @return true when the folder exists (already, or after creation), false
///         when create_directories reported an error.
/// NOTE(review): the folder is created with default permissions and an
/// already existing folder is accepted as-is — neither ownership nor write
/// bits are checked. If the tables persist their rules here
/// (loadConfiguration / saveConfiguration in the table headers — confirm), a
/// folder writable by other local users lets them influence what the firewall
/// enforces; restricting it to the daemon's user would be a separate change.
bool InitializeConfigurationFolder() {
  // Already present: nothing to create.
  if (boostfs::is_directory(CONFIGURATION_ROOT)) {
    return true;
  }

  boostsys::error_code creation_error;
  boostfs::create_directories(CONFIGURATION_ROOT, creation_error);
  return !creation_error;
}

/// Process-wide firewall accessor.
/// @return the single IFirewall instance, created on the first call
/// @throws std::runtime_error if the configuration folder could not be set up
///         or the firewall object could not be created
/// Both initialisations are function-local statics, so they run exactly once:
/// a failure on the first call is cached and every later call throws again
/// without retrying.
IFirewall& GetFirewall() {
  static const bool config_folder_ready = InitializeConfigurationFolder();
  if (!config_folder_ready) {
    throw std::runtime_error(
        "Failed to initialize the firewall configuration folder");
  }

  // NOTE(review): the template argument was lost in extraction; IFirewall is
  // what the return type requires.
  static std::unique_ptr<IFirewall> firewall_instance;
  static IFirewall::Status creation_status =
      trailofbits::CreateFirewallObject(firewall_instance);
  if (!creation_status.success()) {
    throw std::runtime_error("Failed to create the firewall object");
  }

  return *firewall_instance;
}
} // namespace trailofbits
--------------------------------------------------------------------------------
/fwctl/src/globals.h:
--------------------------------------------------------------------------------
/*
 * Copyright (c) 2018 Trail of Bits, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
*/

#pragma once

// NOTE(review): the header names after these #include lines were lost in
// extraction.
#include

#include

// Folder where the fwctl extension keeps its state. There is no #else: on a
// platform other than Windows, Linux or macOS the macro stays undefined and
// globals.cpp, which uses it, fails to compile (fwctl/.platforms lists exactly
// those three). globals.cpp creates the folder with default permissions and
// does not check the ownership of an existing one.
#ifdef _WIN32
#define CONFIGURATION_ROOT \
  "C:\\ProgramData\\osquery\\extensions\\com\\trailofbits\\fwctl"
#elif defined(__linux) || defined(__APPLE__)
#define CONFIGURATION_ROOT "/var/osquery/extensions/com/trailofbits/fwctl"
#endif

namespace trailofbits {
/// Returns the process-wide firewall object, creating it (and the
/// configuration folder) on first use. Throws std::runtime_error when either
/// step fails — and keeps throwing on later calls, because the outcome is
/// cached in function-local statics (see globals.cpp).
IFirewall& GetFirewall();
} // namespace trailofbits
--------------------------------------------------------------------------------
/fwctl/src/hostdenylist.h:
--------------------------------------------------------------------------------
/*
 * Copyright (c) 2018 Trail of Bits, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
*/

#pragma once

// NOTE(review): the header names after these #include lines were lost in
// extraction.
#include

#include

#include "basetable.h"

namespace trailofbits {
/// One host deny-list entry: an address, the domain it belongs to and a
/// sinkhole (presumably where the host is redirected). Which fields a caller
/// must fill is decided by the insert path in hostdenylist.cpp (not shown).
struct HostRule final {
  std::string address;
  std::string domain;
  std::string sinkhole;
};

// NOTE(review): template arguments lost in extraction.
using HostRuleMap = std::unordered_map;

/// Writable osquery table that blocks hosts through the firewall and hostsfile
/// libraries (fwctl/CMakeLists.txt links both).
/// NOTE(review): unlike EFIgyTablePlugin, none of the overriding members
/// below carry `override`; adding it lets the compiler catch signature drift
/// against osquery::TablePlugin.
class HostDenylistTable final : public BaseTable {
 public:
  HostDenylistTable();
  virtual ~HostDenylistTable();

  osquery::TableColumns columns() const;

  osquery::TableRows generate(osquery::QueryContext& context);

  // Write path. `request` carries the row values supplied by whoever issued
  // the SQL statement, so it is external input; IsInsertDataValid() below is
  // presumably the gate before anything reaches the firewall — confirm.
  osquery::QueryData insert(osquery::QueryContext& context,
                            const osquery::PluginRequest& request);

  osquery::QueryData delete_(osquery::QueryContext& context,
                             const osquery::PluginRequest& request);

  osquery::QueryData update(osquery::QueryContext& context,
                            const osquery::PluginRequest& request);

 private:
  struct PrivateData;
  // NOTE(review): template argument lost in extraction (pimpl pointer).
  std::unique_ptr d;

  /// Decodes the JSON value array of a request into `row`.
  static osquery::Status GetRowData(osquery::Row& row,
                                    const std::string& json_value_array);

  static osquery::Status PrepareInsertData(osquery::Row& row);
  static bool IsInsertDataValid(const osquery::Row& row);

  static std::string GeneratePrimaryKey(const HostRule& rule);
  static RowID GenerateRowID();

  // Persistence of the rule set; presumably under CONFIGURATION_ROOT
  // (globals.h) — confirm in hostdenylist.cpp.
  void loadConfiguration();
  void saveConfiguration();

 public:
  /// Forward / reverse DNS helpers; exercised directly by
  /// fwctl/tests/hostdenylist.cpp.
  static osquery::Status DomainToAddress(std::string& address,
                                         const std::string& domain,
                                         bool use_ipv4);
  static osquery::Status AddressToDomain(std::string& domain,
                                         const std::string& address);
};
} // namespace trailofbits

// Export the class outside the namespace so that osquery can pick it up
using HostDenylistTable = trailofbits::HostDenylistTable;
--------------------------------------------------------------------------------
/fwctl/src/portdenylist.h:
--------------------------------------------------------------------------------
/*
* Copyright (c) 2018 Trail of Bits, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#pragma once

// NOTE(review): the header names after these #include lines were lost in
// extraction.
#include

#include

#include "basetable.h"

namespace trailofbits {
/// One port deny-list entry. Plain aggregate without default member
/// initialisers: a PortRule that is declared but not brace-initialised holds
/// indeterminate values, so build it as PortRule{port, direction, protocol}
/// or assign every field before use.
struct PortRule final {
  std::uint16_t port;
  IFirewall::TrafficDirection direction;
  IFirewall::Protocol protocol;
};

// NOTE(review): template arguments lost in extraction.
using PortRuleMap = std::unordered_map;

/// Writable osquery table that blocks traffic on a port through the firewall
/// library. Same shape as HostDenylistTable; as there, the overriding members
/// are not marked `override` (EFIgyTablePlugin's are).
class PortDenylistTable final : public BaseTable {
 public:
  PortDenylistTable();
  virtual ~PortDenylistTable();

  osquery::TableColumns columns() const;

  osquery::TableRows generate(osquery::QueryContext& context);

  // Write path: `request` carries caller-supplied row values and is external
  // input until the validation helpers below have accepted it.
  osquery::QueryData insert(osquery::QueryContext& context,
                            const osquery::PluginRequest& request);

  osquery::QueryData delete_(osquery::QueryContext& context,
                             const osquery::PluginRequest& request);

  osquery::QueryData update(osquery::QueryContext& context,
                            const osquery::PluginRequest& request);

 private:
  struct PrivateData;
  // NOTE(review): template argument lost in extraction (pimpl pointer).
  std::unique_ptr d;

  static osquery::Status GetRowData(osquery::Row& row,
                                    const std::string& json_value_array);

  // Insert pipeline as the names suggest: preprocess, validate, fill defaults,
  // then parse into typed values — the actual order is in portdenylist.cpp.
  static void PreprocessInsertData(osquery::Row& row);
  static bool IsInsertDataValid(const osquery::Row& row);
  static void SetDefaultValuesInInsertData(osquery::Row& valid_row);

  static void ParseInsertData(std::uint16_t& port,
                              IFirewall::TrafficDirection& direction,
                              IFirewall::Protocol& protocol,
                              const osquery::Row& valid_row);

  static std::string GeneratePrimaryKey(const PortRule& rule);
  static RowID GenerateRowID();

  // Persistence of the rule set; presumably under CONFIGURATION_ROOT
  // (globals.h) — confirm in portdenylist.cpp.
  void loadConfiguration();
  void saveConfiguration();
};
} // namespace trailofbits

// Export the class outside the namespace so that osquery can pick it up
using PortDenylistTable = trailofbits::PortDenylistTable;
--------------------------------------------------------------------------------
/fwctl/tests/hostdenylist.cpp:
--------------------------------------------------------------------------------
/*
 * Copyright (c) 2018 Trail of Bits, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
*/

#include "hostdenylist.h"

// NOTE(review): the header names on the two bracketed #include lines below
// were lost in extraction (the gtest header is presumably one of them).
#include

#include

namespace trailofbits {
// Name the platform's hosts file maps ::1 to. Linux distributions commonly
// ship "ip6-localhost"; the APPLE branch and the fallback are identical.
#ifdef LINUX
const std::string ipv6_localhost = "ip6-localhost";
#elif APPLE
const std::string ipv6_localhost = "localhost";
#else
const std::string ipv6_localhost = "localhost";
#endif

// Forward resolution of "localhost" via HostDenylistTable::DomainToAddress.
// The expected values come from the machine's resolver / hosts file, so this
// test is environment-dependent.
TEST(HostDenylistTests, DomainResolution) {
  std::string ipv4_address;
  auto status =
      HostDenylistTable::DomainToAddress(ipv4_address, "localhost", true);

  EXPECT_TRUE(status.ok());
  if (status.ok()) {
    EXPECT_EQ(ipv4_address, "127.0.0.1");
  }

  // ipv6 may not be available here
  std::string ipv6_address;
  status =
      HostDenylistTable::DomainToAddress(ipv6_address, "localhost", false);
  if (status.ok()) {
    EXPECT_EQ(ipv6_address, "::1");
  }
}

// Reverse resolution of the loopback addresses via
// HostDenylistTable::AddressToDomain. Unlike the IPv6 forward case above, a
// failed IPv6 reverse lookup is reported as a test failure here.
TEST(HostDenylistTests, ReverseLookup) {
  std::string domain;
  auto status = HostDenylistTable::AddressToDomain(domain, "127.0.0.1");

  EXPECT_TRUE(status.ok());
  if (status.ok()) {
    EXPECT_EQ(domain, "localhost");
  }

  status = HostDenylistTable::AddressToDomain(domain, "::1");

  EXPECT_TRUE(status.ok());
  if (status.ok()) {
    EXPECT_EQ(domain, ipv6_localhost);
  }
}
} // namespace trailofbits

// ---- file: /fwctl/tests/main.cpp ----
/*
 * Copyright (c) 2018 Trail of Bits, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | #include 18 | 19 | GTEST_API_ int main(int argc, char** argv) { 20 | testing::InitGoogleTest(&argc, argv); 21 | return RUN_ALL_TESTS(); 22 | } 23 | -------------------------------------------------------------------------------- /iptables/.platforms: -------------------------------------------------------------------------------- 1 | LINUX 2 | 3 | -------------------------------------------------------------------------------- /iptables/src/ip6tables_ext.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2018 Trail of Bits, Inc. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
*/

#pragma once

// NOTE(review): the header names on the two bracketed #include lines below
// were lost in extraction.
#include
#include

extern "C" {
#include "ip6tc.h"
}

#include "utils.h"

namespace trailofbits {
/// osquery table listing ip6tables rules; the shared column handling lives in
/// IptablesExtBase (utils.h), this class supplies the IPv6-specific parsing.
/// Whether generate() overrides a virtual in the base cannot be seen from this
/// header -- if it does, marking it `override` would be safer.
class Ip6tablesExtTable : public IptablesExtBase {
 public:
  /// Produces the rule rows for a SELECT.
  osquery::TableRows generate(osquery::QueryContext& context);

 private:
  /// Collects the rules of table `filter` into `results`, using `matches` to
  /// decode per-rule match extensions.
  osquery::Status genIptablesRules(const std::string& filter,
                                   const MatchChain& matches,
                                   osquery::TableRows& results);

  // The match / ip pointers are non-owning views into the libiptc entry
  // being walked; presumably the caller has already checked the match name
  // before dispatching to parseTcp / parseUdp -- confirm in the .cpp.
  void parseTcp(const xt_entry_match* match, osquery::DynamicTableRowHolder& r);
  void parseUdp(const xt_entry_match* match, osquery::DynamicTableRowHolder& r);
  void parseIpEntry(const ip6t_ip6* ip, osquery::DynamicTableRowHolder& r);
};
} // namespace trailofbits

using Ip6tablesExtTable = trailofbits::Ip6tablesExtTable;

// ---- file: /iptables/src/ip6tables_policies.cpp ----
/*
 * Copyright (c) 2018 Trail of Bits, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
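*/

#include "ip6tables_policies.h"

// NOTE(review): the header names on the bracketed #include lines below were
// lost in extraction; restore them from the upstream file.
#include
#include

#include

#include

#include <memory>
#include <type_traits>

#include "utils.h"

using namespace osquery;

namespace trailofbits {
/// Produces one row per built-in chain of every ip6tables table, carrying the
/// chain's default policy and its packet / byte counters.
///
/// @param context  Unused; the table honours no query constraints.
/// @return         The collected rows; empty when no table could be opened.
osquery::TableRows Ip6tablesPoliciesTable::generate(
    osquery::QueryContext& context) {
  osquery::TableRows results;

  for (const auto& table : getIp6tablesNames()) {
    genIptablesPolicy(table, results);
  }

  return results;
}

/// Appends the default-policy rows of the built-in chains of table `filter`
/// to `results`.
///
/// @param filter   Name of the ip6tables table to open.
/// @param results  Output rows; left untouched when the table cannot be
///                 opened.
void Ip6tablesPoliciesTable::genIptablesPolicy(const std::string& filter,
                                               osquery::TableRows& results) {
  // Initialize the access to iptc
  auto handle = ip6tc_init(filter.c_str());
  if (handle == nullptr) {
    // Nothing to report for this table (for example it is not loaded or the
    // process is not allowed to read it); failures are silent by design.
    return;
  }

  // Tie the handle to this scope so it is released on every exit path,
  // including an exception thrown by logging or while growing `results`;
  // previously it was only freed on the normal path after the loop.
  using HandleType = std::remove_pointer_t<decltype(handle)>;
  std::unique_ptr<HandleType, decltype(&ip6tc_free)> handle_guard(
      handle, &ip6tc_free);

  // Iterate through chains
  for (auto chain = ip6tc_first_chain(handle); chain != nullptr;
       chain = ip6tc_next_chain(handle)) {
    // NOTE(ww): Only built-in chains have default policies,
    // and so ip6tc_get_policy only works on them.
    if (!ip6tc_builtin(chain, handle)) {
      TLOG << "Skipping non-built-in chain: " << chain;
      continue;
    }

    DynamicTableRowHolder r;
    ip6t_counters counters{}; // populated by ip6tc_get_policy on success

    auto policy = ip6tc_get_policy(chain, &counters, handle);
    if (policy == nullptr) {
      TLOG << "Failed to get policy for " << filter << ":" << chain;
      continue;
    }

    r["table_name"] = TEXT(filter);
    r["chain"] = TEXT(chain);
    r["policy"] = TEXT(policy);
    r["packets"] = BIGINT(counters.pcnt);
    r["bytes"] = BIGINT(counters.bcnt);

    results.emplace_back(r);
  }
}
} // namespace trailofbits

// ---- file: /iptables/src/ip6tables_policies.h ----
/*
 * Copyright (c) 2018 Trail of Bits, Inc.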
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
*     http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

#pragma once

// NOTE(review): the header name on the bracketed #include line below was
// lost in extraction.
#include

extern "C" {
#include "ip6tc.h"
}

#include "utils.h"

namespace trailofbits {
/// osquery table reporting the default policy of each built-in ip6tables
/// chain; shared column handling comes from IptablesPoliciesBase (utils.h).
class Ip6tablesPoliciesTable : public IptablesPoliciesBase {
 public:
  /// Produces one row per built-in chain of every ip6tables table.
  osquery::TableRows generate(osquery::QueryContext& context);

 private:
  /// Appends the policy rows of table `filter` to `results`; a table that
  /// cannot be opened contributes nothing.
  void genIptablesPolicy(const std::string& filter,
                         osquery::TableRows& results);
};
} // namespace trailofbits

using Ip6tablesPoliciesTable = trailofbits::Ip6tablesPoliciesTable;

// ---- file: /iptables/src/iptables_ext.h ----
/*
 * Copyright (c) 2018 Trail of Bits, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
*/

#pragma once

// NOTE(review): the header names on the two bracketed #include lines below
// were lost in extraction.
#include
#include

extern "C" {
#include "iptc.h"
}

#include "utils.h"

namespace trailofbits {
/// osquery table listing iptables (IPv4) rules; the shared column handling
/// lives in IptablesExtBase (utils.h), this class supplies the IPv4-specific
/// parsing. Mirrors Ip6tablesExtTable in ip6tables_ext.h.
class IptablesExtTable : public IptablesExtBase {
 public:
  /// Produces the rule rows for a SELECT.
  osquery::TableRows generate(osquery::QueryContext& context);

 private:
  /// Collects the rules of table `filter` into `results`, using `matches` to
  /// decode per-rule match extensions.
  osquery::Status genIptablesRules(const std::string& filter,
                                   const MatchChain& matches,
                                   osquery::TableRows& results);
  // The match / ip pointers are non-owning views into the libiptc entry
  // being walked; presumably the caller checks the match name before
  // dispatching to parseTcp / parseUdp -- confirm in the .cpp.
  void parseTcp(const xt_entry_match* match, osquery::DynamicTableRowHolder& r);
  void parseUdp(const xt_entry_match* match, osquery::DynamicTableRowHolder& r);
  void parseIpEntry(const ipt_ip* ip, osquery::DynamicTableRowHolder& r);
};
} // namespace trailofbits

using IptablesExtTable = trailofbits::IptablesExtTable;

// ---- file: /iptables/src/iptables_policies.cpp ----
/*
 * Copyright (c) 2018 Trail of Bits, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
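*/

#include "iptables_policies.h"

// NOTE(review): the header names on the bracketed #include lines below were
// lost in extraction; restore them from the upstream file.
#include
#include

#include

#include

#include <memory>
#include <type_traits>

#include "utils.h"

using namespace osquery;

namespace trailofbits {
/// Produces one row per built-in chain of every iptables table, carrying the
/// chain's default policy and its packet / byte counters.
///
/// @param context  Unused; the table honours no query constraints.
/// @return         The collected rows; empty when no table could be opened.
osquery::TableRows IptablesPoliciesTable::generate(
    osquery::QueryContext& context) {
  osquery::TableRows results;

  for (const auto& table : getIptablesNames()) {
    genIptablesPolicy(table, results);
  }

  return results;
}

/// Appends the default-policy rows of the built-in chains of table `filter`
/// to `results`.
///
/// @param filter   Name of the iptables table to open.
/// @param results  Output rows; left untouched when the table cannot be
///                 opened.
void IptablesPoliciesTable::genIptablesPolicy(const std::string& filter,
                                              osquery::TableRows& results) {
  // Initialize the access to iptc
  auto handle = iptc_init(filter.c_str());
  if (handle == nullptr) {
    // Nothing to report for this table (for example it is not loaded or the
    // process is not allowed to read it); failures are silent by design.
    return;
  }

  // Tie the handle to this scope so it is released on every exit path,
  // including an exception thrown by logging or while growing `results`;
  // previously it was only freed on the normal path after the loop.
  using HandleType = std::remove_pointer_t<decltype(handle)>;
  std::unique_ptr<HandleType, decltype(&iptc_free)> handle_guard(
      handle, &iptc_free);

  // Iterate through chains
  for (auto chain = iptc_first_chain(handle); chain != nullptr;
       chain = iptc_next_chain(handle)) {
    // NOTE(ww): Only built-in chains have default policies,
    // and so iptc_get_policy only works on them.
    if (!iptc_builtin(chain, handle)) {
      TLOG << "Skipping non-built-in chain: " << chain;
      continue;
    }

    DynamicTableRowHolder r;
    ipt_counters counters{}; // populated by iptc_get_policy on success

    auto policy = iptc_get_policy(chain, &counters, handle);
    if (policy == nullptr) {
      TLOG << "Failed to get policy for " << filter << ":" << chain;
      continue;
    }

    r["table_name"] = TEXT(filter);
    r["chain"] = TEXT(chain);
    r["policy"] = TEXT(policy);
    r["packets"] = BIGINT(counters.pcnt);
    r["bytes"] = BIGINT(counters.bcnt);

    results.emplace_back(r);
  }
}
} // namespace trailofbits

// ---- file: /iptables/src/iptables_policies.h ----
/*
 * Copyright (c) 2018 Trail of Bits, Inc.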
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
*     http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

#pragma once

// NOTE(review): the header name on the bracketed #include line below was
// lost in extraction.
#include

extern "C" {
#include "iptc.h"
}

#include "utils.h"

namespace trailofbits {
/// osquery table reporting the default policy of each built-in iptables
/// (IPv4) chain; shared column handling comes from IptablesPoliciesBase
/// (utils.h). Mirrors Ip6tablesPoliciesTable in ip6tables_policies.h.
class IptablesPoliciesTable : public IptablesPoliciesBase {
 public:
  /// Produces one row per built-in chain of every iptables table.
  osquery::TableRows generate(osquery::QueryContext& context);

 private:
  /// Appends the policy rows of table `filter` to `results`; a table that
  /// cannot be opened contributes nothing.
  void genIptablesPolicy(const std::string& filter,
                         osquery::TableRows& results);
};
} // namespace trailofbits

using IptablesPoliciesTable = trailofbits::IptablesPoliciesTable;

// ---- file: /iptables/test/main.cpp ----
/*
 * Copyright (c) 2018 Trail of Bits, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
15 | */ 16 | 17 | #include 18 | 19 | GTEST_API_ int main(int argc, char** argv) { 20 | testing::InitGoogleTest(&argc, argv); 21 | return RUN_ALL_TESTS(); 22 | } 23 | -------------------------------------------------------------------------------- /libraries/extutils/.platforms: -------------------------------------------------------------------------------- 1 | LINUX 2 | WINDOWS 3 | APPLE -------------------------------------------------------------------------------- /libraries/extutils/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2018 Trail of Bits, Inc. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | cmake_minimum_required(VERSION 3.10) 16 | project(extutils) 17 | 18 | function(main) 19 | set(project_source_files 20 | include/trailofbits/extutils.h 21 | src/extutils.cpp 22 | ) 23 | 24 | add_library("${PROJECT_NAME}" STATIC ${project_source_files}) 25 | target_include_directories("${PROJECT_NAME}" PUBLIC "${CMAKE_CURRENT_SOURCE_DIR}/include") 26 | 27 | target_compile_options("${PROJECT_NAME}" PUBLIC ${cxx_settings}) 28 | 29 | target_link_libraries("${PROJECT_NAME}" PUBLIC 30 | osquery_cxx_settings 31 | thirdparty_boost 32 | ) 33 | 34 | endfunction() 35 | 36 | main() 37 | -------------------------------------------------------------------------------- /libraries/extutils/include/trailofbits/extutils.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2018 Trail of Bits, Inc. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
*/

#pragma once

// NOTE(review): the header names on the two bracketed #include lines below
// were lost in extraction; the std::vector / std::string template arguments
// further down were stripped the same way.
#include
#include

namespace trailofbits {
/// Result of running a child process: captured stdout, captured stderr and
/// the process exit code.
struct ProcessOutput final {
  std::string std_output;
  std::string std_error;
  int exit_code;
};

/// Runs the executable at `path` with the argument list `args` and collects
/// its output into `output`. Returns false when the process could not be run
/// (how a non-zero exit code is reported is defined in extutils.cpp).
/// Passing arguments as a vector suggests no shell is involved, which is what
/// callers handing over untrusted values rely on -- confirm in the .cpp.
bool ExecuteProcess(ProcessOutput& output,
                    const std::string& path,
                    const std::vector& args);

/// Same as above, additionally feeding `input` to the child's stdin.
bool ExecuteProcess(ProcessOutput& output,
                    const std::string& path,
                    const std::vector& args,
                    const std::string& input);

/// Splits `buffer` on every occurrence of `delimiter`; whether empty pieces
/// are kept is decided in extutils.cpp.
std::vector SplitString(const std::string& buffer, char delimiter);
} // namespace trailofbits

// ---- file: /libraries/extutils/include/trailofbits/istatus.h ----
/*
 * Copyright (c) 2018 Trail of Bits, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
*/

#pragma once

namespace trailofbits {
/// Minimal success/failure result carrying a library-specific detail code.
/// `Detail` must be an enum-like type that provides an `Undetermined`
/// member, which is the detail of a default-constructed (failed) status.
/// (The template parameter list was stripped in extraction and is restored
/// here from the `Detail` uses in the body.)
template <typename Detail>
class IStatus final {
 public:
  /// Builds a status; with no arguments this is a failure with detail
  /// `Detail::Undetermined`. Left implicit on purpose: callers return plain
  /// `true` / `{true, detail}` through this type.
  IStatus(bool success = false, Detail error_detail = Detail::Undetermined)
      : success_(success), detail_(error_detail) {}

  /// True when the operation succeeded.
  bool success() const {
    return success_;
  }

  /// Library-specific detail; only meaningful when success() is false.
  Detail detail() const {
    return detail_;
  }

 private:
  bool success_;
  Detail detail_;
};
} // namespace trailofbits

// ---- file: /libraries/firewall/.platforms ----
LINUX
WINDOWS
APPLE

// ---- file: /libraries/firewall/include/trailofbits/ifirewall.h ----
/*
 * Copyright (c) 2018 Trail of Bits, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
*/

#pragma once

// NOTE(review): the header names on the bracketed #include lines below were
// lost in extraction, as were the template arguments of IStatus and
// std::unique_ptr further down (presumably IStatus<Detail> and
// std::unique_ptr<IFirewall>).
#include

#include
#include
#include

#include

namespace trailofbits {
/// Platform-neutral interface to the host firewall's denylists. Instances are
/// obtained through CreateFirewallObject(); concrete implementations live in
/// the linux / macos / windows subdirectories. Non-copyable: each instance
/// presumably wraps exclusive platform state.
class IFirewall : private boost::noncopyable {
 public:
  /// Failure detail attached to every Status.
  enum class Detail {
    Undetermined,
    MemoryAllocationError,
    ExecError,
    InitializationError,
    CleanupError,
    QueryError,
    AlreadyExists,
    NotFound
  };

  using Status = IStatus;

  enum class TrafficDirection { Inbound, Outbound };
  enum class Protocol { TCP, UDP };

  virtual ~IFirewall() = default;

  /// Blocks `port` for the given direction and protocol. Expected to report
  /// Detail::AlreadyExists when the rule is already present (see Detail).
  virtual Status addPortToDenylist(std::uint16_t port,
                                   TrafficDirection direction,
                                   Protocol protocol) = 0;

  /// Removes a port rule previously added with addPortToDenylist(). Expected
  /// to report Detail::NotFound when no such rule exists.
  virtual Status removePortFromDenylist(std::uint16_t port,
                                        TrafficDirection direction,
                                        Protocol protocol) = 0;

  /// Invokes `callback` once per denylisted port, passing `user_defined`
  /// through untouched. The callback's bool return presumably stops the
  /// enumeration when false -- confirm in the platform implementations.
  virtual Status enumerateDenylistedPorts(
      bool (*callback)(std::uint16_t port,
                       TrafficDirection direction,
                       Protocol protocol,
                       void* user_defined),
      void* user_defined) = 0;

  /// Blocks / unblocks all traffic to `host`. The header does not say whether
  /// `host` is an address or a name; check the implementation before passing
  /// unresolved names.
  virtual Status addHostToDenylist(const std::string& host) = 0;
  virtual Status removeHostFromDenylist(const std::string& host) = 0;

  /// Invokes `callback` once per denylisted host, passing `user_defined`
  /// through untouched (same return-value convention as the port variant).
  virtual Status enumerateDenylistedHosts(
      bool (*callback)(const std::string& host, void* user_defined),
      void* user_defined) = 0;
};

/// Factory for the platform implementation; `obj` receives the new instance
/// on success.
IFirewall::Status CreateFirewallObject(std::unique_ptr& obj);
} // namespace trailofbits

// ---- file: /libraries/firewall/linux/tests/main.cpp ----
/*
 * Copyright (c) 2018 Trail of Bits, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | #include 18 | 19 | GTEST_API_ int main(int argc, char** argv) { 20 | testing::InitGoogleTest(&argc, argv); 21 | return RUN_ALL_TESTS(); 22 | } 23 | -------------------------------------------------------------------------------- /libraries/firewall/macos/tests/main.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2018 Trail of Bits, Inc. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
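*/

// NOTE(review): the header name on the bracketed #include line below was
// lost in extraction (presumably the gtest header).
#include

GTEST_API_ int main(int argc, char** argv) {
  testing::InitGoogleTest(&argc, argv);
  return RUN_ALL_TESTS();
}

// ---- file: /libraries/firewall/windows/src/firewall.h ----
#pragma once

// NOTE(review): the header names on the bracketed #include lines below were
// lost in extraction, as were the template arguments of std::unique_ptr,
// std::set, std::vector and boost::variant further down; restore them from
// the upstream file.
#include
#include
#include
#include

#include

#include

namespace trailofbits {
/// Windows implementation of IFirewall. Instances are created through
/// create() / CreateFirewallObject(); the constructor is private so the
/// implementation state (pimpl `d`) is always initialised by the factory.
class Firewall final : public IFirewall {
 public:
  /// Factory; `obj` receives the new instance on success.
  static Status create(std::unique_ptr& obj);
  virtual ~Firewall();

  virtual Status addPortToDenylist(std::uint16_t port,
                                   TrafficDirection direction,
                                   Protocol protocol) override;

  virtual Status removePortFromDenylist(std::uint16_t port,
                                        TrafficDirection direction,
                                        Protocol protocol) override;

  virtual Status enumerateDenylistedPorts(
      bool (*callback)(std::uint16_t port,
                       TrafficDirection direction,
                       Protocol protocol,
                       void* user_defined),
      void* user_defined) override;

  virtual Status addHostToDenylist(const std::string& host) override;
  virtual Status removeHostFromDenylist(const std::string& host) override;

  virtual Status enumerateDenylistedHosts(
      bool (*callback)(const std::string& host, void* user_defined),
      void* user_defined) override;

 private:
  // Opaque implementation state (pimpl).
  struct PrivateData;
  std::unique_ptr d;

  Firewall();

  /// Reads the current firewall state into `state` as text; the source of
  /// that text is defined in firewall.cpp.
  static Status ReadFirewallState(std::string& state);
  /// Collects, from the textual `state`, the names of the rules that block
  /// `host` into `rule_names`.
  ///
  /// Fixed: the declaration was written as `Firewall::getHostBlockRuleNames`,
  /// i.e. with a qualified name inside the class body, which is ill-formed
  /// C++ (only some compilers accept it as an extension). The definition in
  /// firewall.cpp still uses the qualified form as usual.
  static void getHostBlockRuleNames(const std::string& state,
                                    const std::string& host,
                                    std::set& rule_names);

 public:
  /// A port rule as parsed from the firewall state, including the rule name
  /// it was found under.
  struct PortRule final {
    std::uint16_t port;
    TrafficDirection direction;
    Protocol protocol;
    std::string name;
  };

  /// A host (address) rule as parsed from the firewall state.
  struct IPRule final {
    TrafficDirection direction;
    std::string address;
  };

  /// Either kind of parsed rule (variant alternatives lost in extraction;
  /// presumably PortRule and IPRule).
  using Rule = boost::variant;

  /// Set of blocked hosts (element type lost in extraction).
  using HostSet = std::set;

  /// Parses the textual firewall `state` into the port rules and blocked
  /// hosts it contains. Public so the unit tests can feed it canned state.
  static void ParseFirewallState(std::vector& port_rules,
                                 HostSet& blocked_hosts,
                                 const std::string& state);
  /// Parses one rule block named `rule_name` from `stream` into `rule`;
  /// returns false when the block is not a rule this class understands
  /// (exact criteria in firewall.cpp).
  static bool ParseFirewallRuleBlock(std::stringstream& stream,
                                     const std::string& rule_name,
                                     Rule& rule);
};

/// Factory declared by ifirewall.h; defined for this platform in
/// firewall.cpp.
Firewall::Status CreateFirewallObject(std::unique_ptr& obj);
} // namespace trailofbits

// ---- file: /libraries/firewall/windows/tests/main.cpp ----
/*
 * Copyright (c) 2018 Trail of Bits, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#include

GTEST_API_ int main(int argc, char** argv) {
  testing::InitGoogleTest(&argc, argv);
  return RUN_ALL_TESTS();
}

// ---- file: /libraries/hostsfile/.platforms ----
LINUX
WINDOWS
APPLE

// ---- file: /libraries/hostsfile/CMakeLists.txt ----
# Copyright (c) 2018 Trail of Bits, Inc.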
2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | cmake_minimum_required(VERSION 3.10.0) 16 | project(hostsfile) 17 | 18 | function(main) 19 | set(project_source_files 20 | src/hostsfile.h 21 | src/hostsfile.cpp 22 | ) 23 | 24 | set(project_public_include_folder "${CMAKE_CURRENT_SOURCE_DIR}/include") 25 | 26 | list(APPEND project_source_files 27 | "${project_public_include_folder}/trailofbits/ihostsfile.h" 28 | ) 29 | 30 | add_library("${PROJECT_NAME}" STATIC ${project_source_files}) 31 | target_include_directories("${PROJECT_NAME}" PUBLIC "${project_public_include_folder}") 32 | target_link_libraries("${PROJECT_NAME}" PUBLIC extutils) 33 | 34 | set( 35 | project_test_files 36 | 37 | tests/main.cpp 38 | 39 | src/hostsfile.h 40 | src/hostsfile.cpp 41 | tests/hostsfile.cpp 42 | ) 43 | 44 | AddTest("${PROJECT_NAME}" test_target_name ${project_test_files}) 45 | 46 | target_include_directories("${test_target_name}" PRIVATE 47 | "${project_public_include_folder}" 48 | "${CMAKE_CURRENT_SOURCE_DIR}/src" 49 | ) 50 | 51 | target_link_libraries("${test_target_name}" PRIVATE 52 | extutils 53 | ) 54 | 55 | # target_link_libraries("${test_target_name}" PRIVATE extutils) 56 | endfunction() 57 | 58 | main() 59 | -------------------------------------------------------------------------------- /libraries/hostsfile/include/trailofbits/ihostsfile.h: -------------------------------------------------------------------------------- 1 | /* 2 | * 
Copyright (c) 2018 Trail of Bits, Inc. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | #pragma once 18 | 19 | #include 20 | 21 | #include 22 | #include 23 | 24 | #include 25 | 26 | namespace trailofbits { 27 | class IHostsFile : private boost::noncopyable { 28 | public: 29 | enum class Detail { 30 | Undetermined, 31 | MemoryAllocationError, 32 | AlreadyExists, 33 | NotFound, 34 | IOError 35 | }; 36 | 37 | using Status = IStatus; 38 | 39 | virtual ~IHostsFile() = default; 40 | 41 | virtual Status addHost(const std::string& domain, 42 | const std::string& address) = 0; 43 | 44 | virtual Status removeHost(const std::string& domain) = 0; 45 | 46 | virtual Status enumerateHosts(bool (*callback)(const std::string& domain, 47 | const std::string& address, 48 | void* user_defined), 49 | void* user_defined) = 0; 50 | }; 51 | 52 | IHostsFile::Status CreateHostsFileObject(std::unique_ptr& obj); 53 | } // namespace trailofbits 54 | -------------------------------------------------------------------------------- /libraries/hostsfile/src/hostsfile.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2018 Trail of Bits, Inc. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
* You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#pragma once

#include

#include
#include

namespace trailofbits {
/// Parsed contents of the hosts file, as filled in by ReadHostsFile().
/// (template arguments are not visible in this rendering)
using HostsFileData = std::unordered_map>;

/// Concrete IHostsFile implementation; instances come from create() only,
/// since the constructor is private.
class HostsFile final : public IHostsFile {
 public:
  /// Factory: allocates a HostsFile into `obj`; failure is reported through
  /// the returned Status.
  static Status create(std::unique_ptr& obj);
  virtual ~HostsFile();

  /// Adds a `domain` -> `address` mapping. Input validation is not visible
  /// here; both strings end up in a system file that name resolution trusts,
  /// so confirm in hostsfile.cpp that neither may contain a newline or '#'
  /// (either would change how the written line is parsed back, see
  /// ParseHostsFileLine()).
  virtual Status addHost(const std::string& domain,
                         const std::string& address) override;

  /// Removes the entry for `domain`.
  virtual Status removeHost(const std::string& domain) override;

  /// Invokes `callback` once per domain/address pair, passing `user_defined`
  /// through. Returning false from the callback presumably stops the walk —
  /// confirm in hostsfile.cpp.
  virtual Status enumerateHosts(bool (*callback)(const std::string& domain,
                                                 const std::string& address,
                                                 void* user_defined),
                                void* user_defined) override;

 private:
  HostsFile();

  /// Reads and parses the hosts file into `data`; false on failure. The path
  /// used is not visible here.
  static bool ReadHostsFile(HostsFileData& data);

  /// File helpers. The trailing underscore presumably avoids the
  /// `CopyFile`/`MoveFile` macros that <windows.h> defines (this library
  /// also builds on Windows, see .platforms). If these implement a
  /// write-to-temporary-then-replace of the live hosts file, the temporary
  /// should sit on the same filesystem (so the move is a rename) and carry
  /// permissions no looser than the original — confirm in hostsfile.cpp.
  static bool CopyFile_(const std::string& source_path,
                        const std::string& dest_path);
  static bool MoveFile_(const std::string& source_path,
                        const std::string& dest_path);

 private:
  struct PrivateData;
  std::unique_ptr d;

 public:
  /// Parses one hosts-file line. From the unit test in tests/hostsfile.cpp:
  /// the first whitespace-separated field (spaces or tabs) is the address,
  /// the remaining fields are domains, text after '#' is a comment, and the
  /// function returns false for empty or comment-only lines. `domain_list`
  /// is a set, so duplicates collapse and the order is the set's ordering.
  static bool ParseHostsFileLine(std::string& address,
                                 std::set& domain_list,
                                 const std::string& line);
};

/// Free-function factory; the same declaration appears in ihostsfile.h.
IHostsFile::Status CreateHostsFileObject(std::unique_ptr& obj);
} // namespace trailofbits

--------------------------------------------------------------------------------
/libraries/hostsfile/tests/hostsfile.cpp:
--------------------------------------------------------------------------------
/*
 * Copyright (c) 2018 Trail of Bits, Inc.
3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | #include "hostsfile.h" 18 | 19 | #include 20 | 21 | #include 22 | 23 | namespace trailofbits { 24 | TEST(HostsFileTests, ParseHostsFileLine) { 25 | std::vector test_input = { 26 | "# test", 27 | "1.2.3.4 temp # this is a comment!", 28 | "5.6.7.8 test1 test2 test3 test4", 29 | "", 30 | "9.10.11.12\t\ttest5"}; 31 | 32 | std::vector expected_output = { 33 | "1.2.3.4: temp", 34 | "5.6.7.8: test1, test2, test3, test4", 35 | "9.10.11.12: test5"}; 36 | 37 | std::vector actual_output; 38 | 39 | for (const auto& line : test_input) { 40 | std::string address; 41 | std::set domain_list; 42 | 43 | if (HostsFile::ParseHostsFileLine(address, domain_list, line)) { 44 | std::stringstream stream; 45 | stream << address << ": "; 46 | 47 | for (auto it = domain_list.begin(); it != domain_list.end(); it++) { 48 | const auto& domain = *it; 49 | 50 | stream << domain; 51 | if (std::next(it, 1) != domain_list.end()) { 52 | stream << ", "; 53 | } 54 | } 55 | 56 | actual_output.push_back(stream.str()); 57 | } 58 | } 59 | 60 | EXPECT_EQ(expected_output.size(), actual_output.size()); 61 | 62 | for (auto i = 0U; i < expected_output.size(); i++) { 63 | EXPECT_EQ(expected_output.at(i), actual_output.at(i)); 64 | } 65 | } 66 | } // namespace trailofbits 67 | -------------------------------------------------------------------------------- /libraries/hostsfile/tests/main.cpp: 
-------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2018 Trail of Bits, Inc. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | #include 18 | 19 | GTEST_API_ int main(int argc, char** argv) { 20 | testing::InitGoogleTest(&argc, argv); 21 | return RUN_ALL_TESTS(); 22 | } 23 | -------------------------------------------------------------------------------- /libraries/pubsub/.platforms: -------------------------------------------------------------------------------- 1 | LINUX 2 | -------------------------------------------------------------------------------- /libraries/pubsub/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2018 Trail of Bits, Inc. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | cmake_minimum_required(VERSION 3.12) 16 | project(pubsub) 17 | 18 | function(pubsubMain) 19 | 20 | set(public_include_folder "${CMAKE_CURRENT_SOURCE_DIR}/include") 21 | 22 | set(source_files 23 | src/publisherregistry.cpp 24 | src/subscriberregistry.cpp 25 | src/servicemanager.cpp 26 | 27 | src/eventbufferlibrary.cpp 28 | src/publisherscheduler.cpp 29 | src/configurationfile.cpp 30 | ) 31 | 32 | set(public_include_files 33 | "${public_include_folder}/pubsub/servicemanager.h" 34 | 35 | "${public_include_folder}/pubsub/ieventpublisher.h" 36 | "${public_include_folder}/pubsub/ieventsubscriber.h" 37 | 38 | "${public_include_folder}/pubsub/baseeventpublisher.h" 39 | "${public_include_folder}/pubsub/baseeventsubscriber.h" 40 | 41 | "${public_include_folder}/pubsub/publisherregistry.h" 42 | "${public_include_folder}/pubsub/subscriberregistry.h" 43 | 44 | "${public_include_folder}/pubsub/eventbufferlibrary.h" 45 | "${public_include_folder}/pubsub/publisherscheduler.h" 46 | "${public_include_folder}/pubsub/configurationfile.h" 47 | ) 48 | 49 | add_library("${PROJECT_NAME}" STATIC ${source_files} ${public_include_files}) 50 | 51 | target_include_directories("${PROJECT_NAME}" PUBLIC 52 | "${public_include_folder}" 53 | "${TOB_EXTENSIONS_ROOT}" 54 | ) 55 | 56 | set(compile_options 57 | -Werror -Wconversion -Wall -pedantic -Wunused 58 | ) 59 | 60 | if("${CMAKE_BUILD_TYPE}" STREQUAL "Debug" OR "${CMAKE_BUILD_TYPE}" STREQUAL "RelWithDebInfo") 61 | list(APPEND compile_options -g3) 62 | endif() 63 | 64 | target_compile_options("${PROJECT_NAME}" PRIVATE ${compile_options}) 65 | 66 | find_package(Threads) 67 | list(APPEND libraries ${CMAKE_THREAD_LIBS_INIT}) 68 | 69 | ImportDependency("json11") 70 | list(APPEND libraries json11) 71 | 72 | target_link_libraries("${PROJECT_NAME}" PUBLIC 73 | ${libraries} 74 | osquery_sdk_pluginsdk 75 | thirdparty_boost 76 | ) 77 | endfunction() 78 | 79 | pubsubMain() 80 | 
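--------------------------------------------------------------------------------
/libraries/pubsub/include/pubsub/baseeventsubscriber.h:
--------------------------------------------------------------------------------
/*
 * Copyright (c) 2018 Trail of Bits, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#pragma once

// The original also included this header from itself; with #pragma once the
// second inclusion was skipped, so the self-include is dropped.
#include "ieventsubscriber.h"

#include

namespace trailofbits {
/// Event subscribers use this as a base class. `EventPublisher` is the
/// publisher type the subscriber attaches to; it must expose the
/// SubscriptionContextRef and EventContextRef types used below.
template <typename EventPublisher>
class BaseEventSubscriber : public IEventSubscriber {
 public:
  /// Called each time the configuration changes. `configuration` is the raw
  /// json11 document; overriders must be noexcept as well, since a less
  /// restrictive exception specification is rejected on an override.
  virtual osquery::Status configure(
      typename EventPublisher::SubscriptionContextRef subscription_context,
      const json11::Json& configuration) noexcept = 0;

  /// This method is called by the publishers when there is new data to be
  /// processed. `new_events` is passed by non-const reference, so the
  /// subscriber presumably appends the rows it wants returned to osquery —
  /// confirm against a concrete subscriber.
  virtual osquery::Status callback(
      osquery::TableRows& new_events,
      typename EventPublisher::SubscriptionContextRef subscription_context,
      typename EventPublisher::EventContextRef event_context) = 0;
};
} // namespace trailofbits

--------------------------------------------------------------------------------
/libraries/pubsub/include/pubsub/configurationfile.h:
--------------------------------------------------------------------------------
/*
 * Copyright (c) 2018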
Trail of Bits, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#pragma once

#include
#include

#include

#include

namespace trailofbits {
class ConfigurationFile;

/// A reference to a ConfigurationFile object (shared ownership; the
/// template argument is not visible in this rendering)
using ConfigurationFileRef = std::shared_ptr;

/// A configuration file handle, obtained from getHandle() and used to ask
/// whether the configuration changed since that handle last read it
using ConfigurationFileHandle = std::uint64_t;

/// The configuration file is used to load and monitor a single json-based
/// configuration file. The path is supplied by the caller; who is allowed
/// to write that file is decided outside this class, so callers should keep
/// it in a location only the intended administrator can modify.
class ConfigurationFile final {
  struct PrivateData;

  /// Private class data
  std::unique_ptr d;

  /// Private constructor; use ::create() instead
  ConfigurationFile(const std::string& configuration_file_path);

  /// Reloads the configuration from disk
  void updateConfiguration();

 public:
  /// Factory method; reports failure through the returned Status
  static osquery::Status create(ConfigurationFileRef& configuration_file,
                                const std::string& configuration_file_path);

  /// NOTE(review): this declares a defaulted *default constructor*, not the
  /// destructor the original comment described (there is no '~'). It is
  /// public, so an object can be built without going through ::create();
  /// its `d` member would then be null, and the accessors below presumably
  /// dereference it. Confirm whether `~ConfigurationFile()` was intended and
  /// whether anything relies on the default constructor before changing it.
  ConfigurationFile() = default;

  /// Creates a new handle that can be used to acquire new configurations;
  /// each handle presumably tracks its own "last seen" state so several
  /// consumers can poll independently — confirm in configurationfile.cpp
  ConfigurationFileHandle getHandle();

  /// Returns true if the configuration has been changed since `handle` last
  /// fetched it
  bool configurationChanged(ConfigurationFileHandle handle);

  /// Returns the new configuration, if ::configurationChanged() returned true
  /// (returned by value, so the caller owns its copy)
  json11::Json getConfiguration(ConfigurationFileHandle handle);

  /// Disable the copy constructor
  ConfigurationFile(const ConfigurationFile& other) = delete;

  /// Disable the assignment operator
  ConfigurationFile& operator=(const ConfigurationFile& other) = delete;
};
} // namespace trailofbits

--------------------------------------------------------------------------------
/libraries/pubsub/include/pubsub/eventbufferlibrary.h:
--------------------------------------------------------------------------------
/*
 * Copyright (c) 2018 Trail of Bits, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
15 | */ 16 | 17 | #pragma once 18 | 19 | #include 20 | 21 | #pragma clang diagnostic push 22 | #pragma clang diagnostic ignored "-Wsign-conversion" 23 | #include 24 | #pragma clang diagnostic pop 25 | #include 26 | 27 | namespace trailofbits { 28 | /// An event batch is just a list of rows that will get returned to osquery 29 | /// during the ::generate() table callback 30 | using EventBatch = std::vector; 31 | 32 | /// This singleton is used to create or acquire existing event buffers 33 | class EventBufferLibrary final { 34 | struct PrivateData; 35 | 36 | /// Private class data 37 | std::unique_ptr d; 38 | 39 | /// Private constructor; use ::instance() instead 40 | EventBufferLibrary(); 41 | 42 | public: 43 | /// Returns an instance of the class 44 | static EventBufferLibrary& instance(); 45 | 46 | /// Destructor 47 | ~EventBufferLibrary(); 48 | 49 | /// Saves the given events into the specified buffer 50 | void saveEvents(EventBatch& events, const std::string& buffer_name); 51 | 52 | /// Returns the events stored into the specifed buffer 53 | EventBatch getEvents(const std::string& buffer_name); 54 | 55 | /// Disable the copy constructor 56 | EventBufferLibrary(const EventBufferLibrary& other) = delete; 57 | 58 | /// Disable the assignment operator 59 | EventBufferLibrary& operator=(const EventBufferLibrary& other) = delete; 60 | }; 61 | } // namespace trailofbits 62 | -------------------------------------------------------------------------------- /libraries/pubsub/include/pubsub/ieventpublisher.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2018 Trail of Bits, Inc. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | #pragma once 18 | 19 | #include "ieventsubscriber.h" 20 | 21 | #include 22 | 23 | #include 24 | 25 | namespace trailofbits { 26 | /// Common base class for event publishers 27 | class IEventPublisher { 28 | public: 29 | /// Subscribers the specified object to events emitted by this publisher 30 | virtual osquery::Status subscribe(IEventSubscriberRef subscriber) = 0; 31 | 32 | /// Unsubscribes the specified object 33 | virtual void unsubscribe(IEventSubscriberRef subscriber) = 0; 34 | 35 | /// One-time initialization 36 | virtual osquery::Status initialize() noexcept = 0; 37 | 38 | /// Called each time the configuration changes 39 | virtual osquery::Status configure( 40 | const json11::Json& configuration) noexcept = 0; 41 | 42 | /// Forwards the configuration change to the subscribers 43 | virtual void configureSubscribers( 44 | const json11::Json& configuration) noexcept = 0; 45 | 46 | /// One-time deinitialization 47 | virtual osquery::Status release() noexcept = 0; 48 | 49 | /// Worker method; should perform some work and then return 50 | virtual osquery::Status run() noexcept = 0; 51 | 52 | /// Returns the amount of active subscribers 53 | virtual std::size_t subscriptionCount() noexcept = 0; 54 | 55 | /// Destructor 56 | virtual ~IEventPublisher() = default; 57 | }; 58 | 59 | /// A reference to an event publisher 60 | using IEventPublisherRef = std::shared_ptr; 61 | } // namespace trailofbits 62 | -------------------------------------------------------------------------------- 
/libraries/pubsub/include/pubsub/ieventsubscriber.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2018 Trail of Bits, Inc. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | #pragma once 18 | 19 | #include "configurationfile.h" 20 | 21 | #include 22 | 23 | #include 24 | 25 | namespace trailofbits { 26 | /// Common base class for event subscribers 27 | class IEventSubscriber { 28 | public: 29 | /// One-time initialization 30 | virtual osquery::Status initialize() noexcept = 0; 31 | 32 | /// One-time deinitialization 33 | virtual void release() noexcept = 0; 34 | 35 | /// Destructor 36 | virtual ~IEventSubscriber() = default; 37 | }; 38 | 39 | /// A reference to an event subscriber 40 | using IEventSubscriberRef = std::shared_ptr; 41 | } // namespace trailofbits 42 | -------------------------------------------------------------------------------- /libraries/pubsub/include/pubsub/publisherregistry.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2018 Trail of Bits, Inc. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | #pragma once 18 | 19 | #pragma clang diagnostic push 20 | #pragma clang diagnostic ignored "-Wsign-conversion" 21 | #include "baseeventpublisher.h" 22 | #pragma clang diagnostic pop 23 | 24 | #include 25 | #include 26 | #include 27 | 28 | namespace trailofbits { 29 | /// This is the type of the factory function that event publishers should 30 | /// implement as a static method 31 | using EventPublisherFactoryFunction = 32 | osquery::Status (*)(IEventPublisherRef& publisher); 33 | 34 | /// The publisher registry, used to keep track all the event publishers that 35 | /// have been declared 36 | class PublisherRegistry final { 37 | struct PrivateData; 38 | 39 | /// Private class data 40 | std::unique_ptr d; 41 | 42 | /// Private constructpr; use get() instead 43 | PublisherRegistry(); 44 | 45 | public: 46 | /// Returns the name for the specified publisher 47 | std::string publisherName(IEventPublisherRef publisher); 48 | 49 | /// Destructor 50 | ~PublisherRegistry(); 51 | 52 | /// Registers the given factory function for the specified publisher 53 | static osquery::Status declare( 54 | const std::string& name, EventPublisherFactoryFunction factory_function); 55 | 56 | /// Returns an instance of the PublisherRegistry 57 | static PublisherRegistry& instance(); 58 | 59 | /// Returns the specified event publisher 60 | osquery::Status get(IEventPublisherRef& publisher, const std::string& name); 61 | 62 | // Releases the specified event publisher 63 | osquery::Status release(const std::string& name); 64 | 65 | /// 
Returns a list of active publishers 66 | std::vector activePublishers(); 67 | }; 68 | 69 | // clang-format off 70 | #define TOB_DECLARE_PUBLISHER(publisher_class) \ 71 | namespace { \ 72 | static auto publisher_manager_helper_ ## publisher_class = \ 73 | PublisherRegistry::declare(publisher_class::name(), publisher_class::create); \ 74 | } 75 | // clang-format on 76 | } // namespace trailofbits 77 | -------------------------------------------------------------------------------- /libraries/pubsub/include/pubsub/publisherscheduler.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2018 Trail of Bits, Inc. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | #pragma once 18 | 19 | #include "ieventpublisher.h" 20 | 21 | #include 22 | #include 23 | #include 24 | 25 | namespace trailofbits { 26 | class PublisherScheduler; 27 | 28 | /// A reference to a PublisherScheduler instance 29 | using PublisherSchedulerRef = std::unique_ptr; 30 | 31 | /// This class is responsible for allocating, configuring, running 32 | /// and deinitializing all the registered event publishers 33 | class PublisherScheduler final { 34 | struct PrivateData; 35 | 36 | /// Private class data 37 | std::unique_ptr d; 38 | 39 | /// Private constructor; use ::create() instead 40 | PublisherScheduler(std::vector publisher_list); 41 | 42 | public: 43 | /// Creates a new instance of this class 44 | static osquery::Status create( 45 | PublisherSchedulerRef& publisher_scheduler, 46 | const std::vector& publisher_list); 47 | 48 | /// Destructor 49 | ~PublisherScheduler(); 50 | 51 | /// Starts the publisher threads 52 | osquery::Status start(ConfigurationFileRef configuration_file); 53 | 54 | /// Terminates the publishers 55 | void stop(); 56 | 57 | /// Disable the copy constructor 58 | PublisherScheduler(const PublisherScheduler& other) = delete; 59 | 60 | /// Disable the assignment operator 61 | PublisherScheduler& operator=(const PublisherScheduler& other) = delete; 62 | }; 63 | } // namespace trailofbits 64 | -------------------------------------------------------------------------------- /libraries/pubsub/include/pubsub/subscriberregistry.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2018 Trail of Bits, Inc. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | #pragma once 18 | 19 | #include "baseeventsubscriber.h" 20 | 21 | #include 22 | #include 23 | #include 24 | 25 | namespace trailofbits { 26 | /// This is the type of the factory function that event subscribers should 27 | /// implement as a static method 28 | using EventSubscriberFactoryFunction = 29 | osquery::Status (*)(IEventSubscriberRef& subscriber); 30 | 31 | /// The subscriber registry, used to keep track all the event subscribers that 32 | /// have been declared 33 | class SubscriberRegistry final { 34 | struct PrivateData; 35 | 36 | /// Private class data 37 | std::unique_ptr d; 38 | 39 | /// Private constructor; use get() instead 40 | SubscriberRegistry(); 41 | 42 | public: 43 | /// Returns the name for the specified subscriber 44 | std::string subscriberName(IEventSubscriberRef subscriber); 45 | 46 | /// Destructor 47 | ~SubscriberRegistry(); 48 | 49 | /// Registers the given factory function for the specified subscriber 50 | static osquery::Status declare( 51 | const std::string& publisher_name, 52 | const std::string& name, 53 | EventSubscriberFactoryFunction factory_function); 54 | 55 | /// Returns an instance of the SubscriberRegistry 56 | static SubscriberRegistry& instance(); 57 | 58 | /// Initializes all subscribers and the required publishers 59 | osquery::Status initialize(); 60 | 61 | /// Releases all subscribers and associated publishers 62 | osquery::Status release(); 63 | }; 64 | 65 | // clang-format off 66 | #define DECLARE_SUBSCRIBER(publisher_class, subscriber_class) \ 67 | 
namespace { \ 68 | static auto subscriber_manager_helper_ ## subscriber_class = \ 69 | SubscriberRegistry::declare(publisher_class::name(), subscriber_class::name(), subscriber_class::create); \ 70 | } 71 | // clang-format on 72 | } // namespace trailofbits 73 | -------------------------------------------------------------------------------- /libraries/pubsub/include/pubsub/table_generator.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "eventbufferlibrary.h" 4 | 5 | #include 6 | 7 | // clang-format off 8 | #define BEGIN_TABLE(name) \ 9 | class name ## TablePlugin final : public osquery::TablePlugin { \ 10 | public: \ 11 | name ## TablePlugin() = default; \ 12 | virtual ~name ## TablePlugin() override; \ 13 | \ 14 | virtual osquery::TableRows generate(osquery::QueryContext&) override { \ 15 | return EventBufferLibrary::instance().getEvents(#name); \ 16 | } \ 17 | \ 18 | virtual osquery::TableColumns columns() const override { \ 19 | static const osquery::TableColumns schema = { 20 | // clang-format on 21 | 22 | // clang-format off 23 | #define TABLE_COLUMN(name, type) \ 24 | std::make_tuple(#name, type, osquery::ColumnOptions::DEFAULT), 25 | // clang-format on 26 | 27 | // clang-format off 28 | #define END_TABLE(name) \ 29 | }; \ 30 | return schema; \ 31 | } \ 32 | }; \ 33 | \ 34 | name ## TablePlugin::~name ## TablePlugin() {}; \ 35 | \ 36 | REGISTER_EXTERNAL(name ## TablePlugin, "table", #name) 37 | // clang-format on 38 | -------------------------------------------------------------------------------- /libraries/pubsub/src/servicemanager.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2018 Trail of Bits, Inc. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at
7 | *
8 | * http://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 |
17 | #include
18 |
19 | #include
20 |
21 | #include
22 |
23 | namespace trailofbits {
/* Default constructor: no work is done here; services are attached elsewhere (not visible in this file). */
24 | ServiceManager::ServiceManager() {}
25 |
/* Process-wide singleton.  The function-local static gives thread-safe construction under C++11 and later. */
26 | ServiceManager& ServiceManager::instance() {
27 | static ServiceManager obj;
28 | return obj;
29 | }
30 |
/* NOTE(review): the destructor does not call stop(); any service still running at destruction is not joined or released here -- confirm that every owner calls stop() first. */
31 | ServiceManager::~ServiceManager() {}
32 |
/*
 * Shuts every registered service down: sets the shared terminate flag (read
 * by IService::shouldTerminate() through terminate->load()), joins each
 * service thread and then calls release() on its service, all while
 * service_list_mutex is held.  The list is emptied afterwards, so a second
 * call is a no-op.
 *
 * NOTE(review): because the join happens under the lock, a service thread
 * that tries to acquire service_list_mutex while winding down would deadlock
 * here -- confirm no IService implementation does that.  thread_ref->join()
 * and service_ref->release() are called unconditionally, so every descriptor
 * is assumed to hold a live, joinable thread and a non-null service -- confirm
 * where descriptors are created (not visible in this file).
 */
33 | void ServiceManager::stop() {
34 | std::lock_guard lock(service_list_mutex);
35 |
36 | terminate = true;
37 |
38 | for (auto& service_descriptor : service_list) {
39 | service_descriptor.thread_ref->join();
40 | service_descriptor.service_ref->release();
41 | }
42 |
43 | service_list.clear();
44 | }
45 |
/*
 * Polled by service threads to learn whether stop() has been called.
 * NOTE(review): the assert below is compiled out under NDEBUG, so a null
 * `terminate` pointer turns into a null dereference in release builds; if the
 * pointer can ever be unset (it is wired up elsewhere -- not visible here), a
 * hard check is warranted.
 */
46 | bool IService::shouldTerminate() const {
47 | assert(terminate != nullptr && "IService::terminate set to nullptr");
48 | return terminate->load();
49 | }
50 |
/* Default initialise hook: nothing to do; returns Status(0), presumably success in osquery's convention. */
51 | osquery::Status IService::initialize() {
52 | return osquery::Status(0);
53 | }
54 |
/* Default release hook: nothing to free.  Called from ServiceManager::stop() after the service thread has been joined. */
55 | void IService::release() {}
56 |
57 | } // namespace trailofbits
58 |
--------------------------------------------------------------------------------
/libraries/tsk_builtin/.platforms:
--------------------------------------------------------------------------------
1 | WINDOWS
--------------------------------------------------------------------------------
/libraries/tsk_builtin/BUILD_NOTES:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/trailofbits/osquery-extensions/3df2b72ad78549e25344c79dbc9bce6808c4d92a/libraries/tsk_builtin/BUILD_NOTES
-------------------------------------------------------------------------------- /libraries/tsk_builtin/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2018 Trail of Bits, Inc. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | cmake_minimum_required(VERSION 3.10) 16 | project(tsk_builtin) 17 | 18 | function(main) 19 | add_library("${PROJECT_NAME}" STATIC IMPORTED GLOBAL) 20 | 21 | set_property(TARGET "${PROJECT_NAME}" PROPERTY IMPORTED_LOCATION "${CMAKE_CURRENT_SOURCE_DIR}/lib/libtsk.lib") 22 | set_property(TARGET "${PROJECT_NAME}" PROPERTY INTERFACE_INCLUDE_DIRECTORIES "${CMAKE_CURRENT_SOURCE_DIR}/include") 23 | endfunction() 24 | 25 | main() 26 | -------------------------------------------------------------------------------- /libraries/tsk_builtin/include/tsk/Makefile.am: -------------------------------------------------------------------------------- 1 | # Compile the sub directories 2 | SUBDIRS = base img vs fs hashdb auto 3 | 4 | # Merge the libraries into one 5 | lib_LTLIBRARIES = libtsk.la 6 | libtsk_la_SOURCES = 7 | libtsk_la_LIBADD = base/libtskbase.la img/libtskimg.la \ 8 | vs/libtskvs.la fs/libtskfs.la hashdb/libtskhashdb.la \ 9 | auto/libtskauto.la 10 | # current:revision:age 11 | libtsk_la_LDFLAGS = -version-info 17:1:4 $(LIBTSK_LDFLAGS) 12 | 13 | EXTRA_DIST = tsk_tools_i.h docs/Doxyfile docs/*.dox docs/*.html 14 | 
-------------------------------------------------------------------------------- /libraries/tsk_builtin/include/tsk/auto/.indent.pro: -------------------------------------------------------------------------------- 1 | -kr -psl -nce -ip2 -nlp -nut 2 | -------------------------------------------------------------------------------- /libraries/tsk_builtin/include/tsk/auto/Makefile.am: -------------------------------------------------------------------------------- 1 | AM_CPPFLAGS = -I../.. -I$(srcdir)/../.. -Wall -Wmultichar -Wstrict-null-sentinel -Woverloaded-virtual -Wsign-promo 2 | EXTRA_DIST = .indent.pro 3 | 4 | noinst_LTLIBRARIES = libtskauto.la 5 | # Note that the .h files are in the top-level Makefile 6 | libtskauto_la_SOURCES = auto.cpp auto_db.cpp db_sqlite.cpp \ 7 | db_postgresql.cpp case_db.cpp guid.cpp tsk_db.cpp tsk_case_db.h \ 8 | tsk_auto.h tsk_auto_i.h tsk_case_db.h tsk_db.h tsk_db_sqlite.h \ 9 | tsk_db_postgresql.h db_connection_info.h guid.h is_image_supported.cpp \ 10 | tsk_is_image_supported.h 11 | 12 | # Compile the bundled sqlite3 if there isn't an existing lib to use 13 | if !HAVE_LIBSQLITE3 14 | libtskauto_la_SOURCES += sqlite3.c sqlite3.h 15 | endif 16 | 17 | indent: 18 | indent *.cpp *.h 19 | 20 | clean-local: 21 | -rm -f *.cpp~ *.h~ 22 | -------------------------------------------------------------------------------- /libraries/tsk_builtin/include/tsk/auto/db_connection_info.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** The Sleuth Kit 3 | ** 4 | ** Brian Carrier [carrier sleuthkit [dot] org] 5 | ** Copyright (c) 2010-2013 Brian Carrier. All Rights reserved 6 | ** 7 | ** This software is distributed under the Common Public License 1.0 8 | ** 9 | */ 10 | 11 | /** 12 | * \file db_connection_info.h 13 | * Contains multi-user database connection information. 
14 | */
15 |
16 | #ifndef _DB_CONNECTION_INFO_H
17 | #define _DB_CONNECTION_INFO_H
18 |
19 | #include
/* NOTE(review): header-scope using-declaration -- every file that includes this header gets `string` injected into its namespace. */
20 | using std::string;
21 |
/**
 * Connection parameters for a multi-user (remote) case database.
 *
 * SECURITY NOTE(review): the password is held as a plain std::string for the
 * whole lifetime of the object and is handed out by value from getPassword(),
 * so every copy is another plaintext credential sitting in process memory,
 * and none of them is wiped on destruction.  Keep instances short-lived,
 * avoid copying them, and never log or format the value returned by
 * getPassword().  No field is validated in this class (the enum comment
 * refers to settingsValid(), which is not part of this header).
 */
22 | class CaseDbConnectionInfo
23 | {
24 | public:
25 |
26 | enum DbType
27 | {
28 | // Add any additional remote database types here, and keep it in sync
29 | // with the JNI version of this enum located at:
30 | // sleuthkit/bindings/java/src/org/sleuthkit/datamodel/TskData.java
31 | // Be sure to add to settingsValid() if you add a type here.
32 | UNKNOWN = 0,
33 | POSTGRESQL = 1
34 | };
35 |
36 | private:
37 | string hostNameOrIP;
38 | string portNumber;
39 | string userName;
/* Plaintext credential; see the class comment. */
40 | string password;
41 | DbType dbType;
42 |
43 | public:
44 |
/* Stores the arguments as given; nothing is validated or normalised here. */
45 | CaseDbConnectionInfo(string lhostNameOrIP, string lportNumber, string luserName, string lpassword, DbType ldbType) {
46 | this->hostNameOrIP = lhostNameOrIP;
47 | this->portNumber = lportNumber;
48 | this->userName = luserName;
49 | this->password = lpassword;
50 | this->dbType = ldbType;
51 | }
52 |
53 | DbType getDbType() {
54 | return this->dbType;
55 | }
56 |
57 | string getHost() {
58 | return this->hostNameOrIP;
59 | }
60 |
61 | string getPort() {
62 | return this->portNumber;
63 | }
64 |
65 | string getUserName() {
66 | return this->userName;
67 | }
68 |
/* Returns a fresh copy of the password; the caller now owns another plaintext copy and should drop it as soon as the connection is established. */
69 | string getPassword() {
70 | return this->password;
71 | }
72 | };
73 |
74 | #endif //_DB_CONNECTION_INFO_H
--------------------------------------------------------------------------------
/libraries/tsk_builtin/include/tsk/auto/is_image_supported.cpp:
--------------------------------------------------------------------------------
1 | /*
2 | ** The Sleuth Kit
3 | **
4 | ** Brian Carrier [carrier sleuthkit [dot] org]
5 | ** Copyright (c) 2010-2013 Brian Carrier.
All Rights reserved 6 | ** 7 | ** This software is distributed under the Common Public License 1.0 8 | ** 9 | */ 10 | 11 | /** 12 | * \file tsk_is_image_supported.cpp 13 | * Class to test whether a given image can be processed by tsk 14 | * 15 | * Usage: 16 | * Create a TskIsImageSupported object 17 | * Call openImage 18 | * Call findFilesInImg 19 | * Call isImageSupported - if this returns true then the image is supported. If false or 20 | * if there was an error along the way, the image is not supported 21 | */ 22 | 23 | #include "tsk_is_image_supported.h" 24 | 25 | TskIsImageSupported::TskIsImageSupported() 26 | { 27 | m_wasDataFound = false; 28 | } 29 | 30 | bool TskIsImageSupported::isImageSupported() 31 | { 32 | return m_wasDataFound ; 33 | } 34 | 35 | 36 | uint8_t TskIsImageSupported::handleError() 37 | { 38 | // we don't care about errors for this use case 39 | //fprintf(stderr, "%s", tsk_error_get()); 40 | return 0; 41 | } 42 | 43 | 44 | TSK_RETVAL_ENUM TskIsImageSupported::processFile(TSK_FS_FILE * fs_file, const char *path) 45 | { 46 | return TSK_OK; 47 | } 48 | 49 | 50 | TSK_FILTER_ENUM 51 | TskIsImageSupported::filterFs(TSK_FS_INFO * fs_info) 52 | { 53 | m_wasDataFound = true; 54 | return TSK_FILTER_SKIP; 55 | } 56 | 57 | 58 | TSK_FILTER_ENUM 59 | TskIsImageSupported::filterVol(const TSK_VS_PART_INFO * vs_part) 60 | { 61 | m_wasDataFound = true; 62 | return TSK_FILTER_SKIP; 63 | } -------------------------------------------------------------------------------- /libraries/tsk_builtin/include/tsk/auto/tsk_auto_i.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** The Sleuth Kit 3 | ** 4 | ** Brian Carrier [carrier sleuthkit [dot] org] 5 | ** Copyright (c) 2010-2011 Brian Carrier. 
All Rights reserved 6 | ** 7 | ** This software is distributed under the Common Public License 1.0 8 | ** 9 | */ 10 | 11 | /* 12 | * Contains the internal-only methods/etc that TSK code may need, but that 13 | * does not get exported. This includes the external files too. 14 | */ 15 | 16 | 17 | #ifndef _TSK_AUTO_I_H 18 | #define _TSK_AUTO_I_H 19 | 20 | #ifdef __cplusplus 21 | 22 | // Include the other internal TSK header files 23 | #include "tsk/base/tsk_base_i.h" 24 | #include "tsk/img/tsk_img_i.h" 25 | #include "tsk/vs/tsk_vs_i.h" 26 | #include "tsk/fs/tsk_fs_i.h" 27 | 28 | // Include the external file 29 | #include "tsk_auto.h" 30 | 31 | #endif 32 | 33 | #endif 34 | -------------------------------------------------------------------------------- /libraries/tsk_builtin/include/tsk/auto/tsk_is_image_supported.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** The Sleuth Kit 3 | ** 4 | ** Brian Carrier [carrier sleuthkit [dot] org] 5 | ** Copyright (c) 2010-2013 Brian Carrier. All Rights reserved 6 | ** 7 | ** This software is distributed under the Common Public License 1.0 8 | ** 9 | */ 10 | 11 | /** 12 | * \file tsk_is_image_supported.cpp 13 | * Class to test whether a given image can be processed by tsk 14 | * 15 | * Usage: 16 | * Create a TskIsImageSupported object 17 | * Call openImage 18 | * Call findFilesInImg 19 | * Call isImageSupported - if this returns true then the image is supported. 
If false or 20 | * if there was an error along the way, the image is not supported 21 | */ 22 | 23 | 24 | #include "tsk/tsk_tools_i.h" 25 | 26 | class TskIsImageSupported:public TskAuto { 27 | public: 28 | TskIsImageSupported(); 29 | virtual TSK_RETVAL_ENUM processFile(TSK_FS_FILE * fs_file, const char *path); 30 | virtual TSK_FILTER_ENUM filterVol(const TSK_VS_PART_INFO * vs_part); 31 | virtual TSK_FILTER_ENUM filterFs(TSK_FS_INFO * fs_info); 32 | virtual uint8_t handleError(); 33 | bool isImageSupported(); 34 | 35 | private: 36 | bool m_wasDataFound; 37 | }; -------------------------------------------------------------------------------- /libraries/tsk_builtin/include/tsk/base/.indent.pro: -------------------------------------------------------------------------------- 1 | -kr -psl -nce -ip2 -nlp -nut 2 | -------------------------------------------------------------------------------- /libraries/tsk_builtin/include/tsk/base/Makefile.am: -------------------------------------------------------------------------------- 1 | AM_CPPFLAGS = -I../.. -Wall 2 | 3 | noinst_LTLIBRARIES = libtskbase.la 4 | libtskbase_la_SOURCES = md5c.c mymalloc.c sha1c.c \ 5 | crc.c crc.h \ 6 | tsk_endian.c tsk_error.c tsk_list.c tsk_parse.c tsk_printf.c \ 7 | tsk_unicode.c tsk_version.c tsk_stack.c XGetopt.c tsk_base_i.h \ 8 | tsk_lock.c tsk_error_win32.cpp 9 | 10 | EXTRA_DIST = .indent.pro 11 | 12 | indent: 13 | indent *.c *.h 14 | 15 | clean-local: 16 | -rm -f *.c~ *.h~ 17 | -------------------------------------------------------------------------------- /libraries/tsk_builtin/include/tsk/base/mymalloc.c: -------------------------------------------------------------------------------- 1 | /* 2 | * The Sleuth Kit 3 | * 4 | * 5 | * Brian Carrier [carrier sleuthkit [dot] org] 6 | * Copyright (c) 2006-2011 Brian Carrier, Basis Technology. All rights reserved. 
7 | */
8 |
9 | /** \file mymalloc.c
10 | * These functions allocate and reallocate memory and set the error handling functions
11 | * when an error occurs.
12 | */
13 |
14 | /* The IBM Public Licence must be distributed with this software.
15 | * AUTHOR(S)
16 | * Wietse Venema
17 | * IBM T.J. Watson Research
18 | * P.O. Box 704
19 | * Yorktown Heights, NY 10598, USA
20 | *--*/
21 |
22 | #include "tsk_base_i.h"
23 | #include
24 |
25 | /* tsk_malloc - allocate and zero memory and set error values on error
26 | */
/*
 * Returns a zero-filled block of len bytes, or NULL after recording a
 * TSK_ERR_AUX_MALLOC error (errno text plus the requested size).  The memset
 * runs only on the success path, so callers never see uninitialised heap
 * memory through this function.
 * NOTE(review): malloc(0) may legitimately return NULL on some platforms,
 * which this function would report as a failure -- confirm callers never
 * request 0 bytes.  tsk_error_reset() runs before errno is read and must not
 * clobber it (defined elsewhere -- confirm).
 */
27 | void *
28 | tsk_malloc(size_t len)
29 | {
30 | void *ptr;
31 |
32 | if ((ptr = malloc(len)) == 0) {
33 | tsk_error_reset();
34 | tsk_error_set_errno(TSK_ERR_AUX_MALLOC);
35 | tsk_error_set_errstr("tsk_malloc: %s (%" PRIuSIZE" requested)", strerror(errno), len);
36 | }
37 | else {
38 | memset(ptr, 0, len);
39 | }
40 | return (ptr);
41 | }
42 |
43 | /* tsk_realloc - reallocate memory and set error values if needed */
/*
 * Resizes ptr to len bytes.  On failure the original block is left intact and
 * still owned by the caller (standard realloc() semantics); only the local
 * copy of ptr is replaced by NULL, so the caller must keep its own pointer
 * until it has checked the return value, otherwise the old block leaks.
 * The grown part of the block is NOT zeroed, unlike tsk_malloc().
 * NOTE(review): realloc(ptr, 0) may free the block and return NULL, which is
 * reported here as an allocation error -- avoid len == 0.
 */
44 | void *
45 | tsk_realloc(void *ptr, size_t len)
46 | {
47 | if ((ptr = realloc(ptr, len)) == 0) {
48 | tsk_error_reset();
49 | tsk_error_set_errno(TSK_ERR_AUX_MALLOC);
50 | tsk_error_set_errstr("tsk_realloc: %s (%" PRIuSIZE" requested)", strerror(errno), len);
51 | }
52 | return (ptr);
53 | }
54 |
--------------------------------------------------------------------------------
/libraries/tsk_builtin/include/tsk/base/tsk_error_win32.cpp:
--------------------------------------------------------------------------------
1 | /*
2 | * The Sleuth Kit
3 | *
4 | * Brian Carrier [carrier sleuthkit [dot] org]
5 | * Copyright (c) 2010-2011 Brian Carrier.
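All Rights reserved
 *
 * This software is distributed under the Common Public License 1.0
 */


#include "tsk_base_i.h"

#ifdef TSK_WIN32


#include <windows.h>

namespace tsk {

/*
 * Owns the process-wide TLS slot that holds each thread's error state.
 * TlsAlloc() can fail and then yields TLS_OUT_OF_INDEXES; the index is
 * therefore checked before use instead of being trusted blindly.
 */
class GetTlsIndex {
public:
    GetTlsIndex() {
        tlsIndex = TlsAlloc();
    }

    ~GetTlsIndex() {
        /* TlsFree on an invalid index would only fail; skip it. */
        if (tlsIndex != TLS_OUT_OF_INDEXES) {
            TlsFree(tlsIndex);
        }
    }

    DWORD GetIndex() {
        return tlsIndex;
    }
private:
    static DWORD tlsIndex;
};

DWORD GetTlsIndex::tlsIndex;
static GetTlsIndex getTlsIndex;
}

/*
 * There's no destructor model in Win32 as with pthreads.
 * A DLLMain could do the job, but we're not a DLL.
 *
 * Returns the calling thread's zeroed error block of struct_size bytes,
 * allocating it on first use.  Returns NULL when the TLS slot could not be
 * allocated, when malloc() fails, or when TlsSetValue() fails -- the
 * previous version memset() the NULL returned by a failed malloc().  Callers
 * must treat NULL as "no error state available" (the caller lives in
 * tsk_error.c, not visible here -- confirm it checks the return value).
 */
extern "C"
void *tsk_error_win32_get_per_thread_(unsigned struct_size) {

    DWORD index = tsk::getTlsIndex.GetIndex();
    if (index == TLS_OUT_OF_INDEXES) {
        return NULL;
    }

    void *ptr = TlsGetValue(index);
    if (ptr == NULL) {
        ptr = malloc(struct_size);
        if (ptr == NULL) {
            return NULL;
        }
        memset(ptr, 0, struct_size);
        if (!TlsSetValue(index, ptr)) {
            /* The slot did not take the pointer; do not leak the block. */
            free(ptr);
            return NULL;
        }
    }
    return ptr;
}

/*
 * Threads must call this on exit to avoid a leak.
 * Frees the calling thread's error block (if any) and clears the slot.
 */
extern "C"
void tsk_error_win32_thread_cleanup() {

    DWORD index = tsk::getTlsIndex.GetIndex();
    if (index == TLS_OUT_OF_INDEXES) {
        return;
    }

    void *ptr = TlsGetValue(index);
    if (ptr != NULL) {
        free(ptr);
        TlsSetValue(index, NULL);
    }
}


#endif /*TSK_WIN32*/
--------------------------------------------------------------------------------
/libraries/tsk_builtin/include/tsk/base/tsk_version.c:
--------------------------------------------------------------------------------
/*
 * The Sleuth Kit
 *
 * Brian Carrier [carrier sleuthkit [dot] org]
 * Copyright (c) 2007-2011 Brian Carrier. All rights reserved
 *
 * This software is distributed under the Common Public License 1.0
 */

/** \file tsk_version.c
 * Contains functions to print and obtain the library version.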
12 | */ 13 | 14 | #include "tsk_base_i.h" 15 | 16 | /** 17 | * \ingroup baselib 18 | * Print the library name and version to a handle (such as "The Sleuth Kit ver 1.00"). 19 | * @param hFile Handle to print to 20 | */ 21 | void 22 | tsk_version_print(FILE * hFile) 23 | { 24 | tsk_fprintf(hFile, "The Sleuth Kit ver %s\n", TSK_VERSION_STR); 25 | return; 26 | } 27 | 28 | /** 29 | * \ingroup baselib 30 | * Return the library version as a string. 31 | * @returns String version of version (1.00 for example) 32 | */ 33 | const char * 34 | tsk_version_get_str() 35 | { 36 | return TSK_VERSION_STR; 37 | } 38 | -------------------------------------------------------------------------------- /libraries/tsk_builtin/include/tsk/docs/cpp.dox: -------------------------------------------------------------------------------- 1 | /*! \page cpppage C++ Classes 2 | 3 | This section provides a high-level overview of the C++ classes that 4 | wrap around the C structs and functions. The C++ interface can be 5 | used when the rest of your program is in C++ and when you want to 6 | ensure that the proper locks and thread-safe mechanisms are used 7 | in a multi-threaded environment. TSK contains locks to make it 8 | thread safe, but the C interface allows a thread to modify data in 9 | a shared structure without obtaining the proper lock. 10 | 11 | Note that the C++ interfaces simply create and use C structs behind 12 | the scenes. Therefore, the methods are very similar to the C 13 | functions. References to the C++ classes were given in earlier 14 | sections of the User's Guide. It is assumed that the user has read 15 | the preceding sections of the User's Guide to get an understanding of 16 | what TSK is capable of doing. This section provides references and links 17 | to the main C++ classes. 18 | 19 | 20 | \section cpp_basics Basics 21 | The first step is to open the image with the TskImgInfo class. This class allows you to read from the disk image. 
See \ref imgpage for details on the C structs and functions at this layer. 22 | 23 | After the image is open, you can determine the volume system of the image using the TskVsInfo class. It will detect the volume system and provide access to each volume (or partition). The TskVsPartInfo class provides references to the details of each partition. See \ref vspage for details on the C structs and functions at this layer. 24 | 25 | Now that you know the layout of the image, you can open each volume to see what file system it has inside. Use the TskFsInfo class for this. Once you have the file system open, there are many ways to analyze the file system contents. The TskFsBlock class provides access to each block in the file system. The TskFsDir class provides access to each directory and the TskFsFile class provides access to each file. From there, you can access all of the details of the file, including its name info (in TskFsFile) and metadata (in TskFsMeta). Access to all of the file's attributes are provided via the TskFsAttribute class. See \ref fspage for details on the C structs and functions at this layer. 26 | 27 | If you want to automate the entire process and not deal with manually detecting volumes and file systems, consider the TskAuto class. See \ref autopage for more automation details. 28 | 29 | Back to \ref users_guide "Table of Contents" 30 | 31 | */ 32 | -------------------------------------------------------------------------------- /libraries/tsk_builtin/include/tsk/docs/footer.html: -------------------------------------------------------------------------------- 1 |
2 |

Copyright © 2007-2015 Brian Carrier. (carrier -at- sleuthkit -dot- org)
3 | This work is licensed under a 4 | Creative Commons Attribution-Share Alike 3.0 United States License. 5 |

6 |
7 |
8 |
--------------------------------------------------------------------------------
/libraries/tsk_builtin/include/tsk/docs/hashdb.dox:
--------------------------------------------------------------------------------
1 | /*! \page hashdbpage Hash Databases
2 |
3 | This section describes some of the API functions and concepts associated with the Hash Database library.
4 |
5 | \section hash_over Overview
6 |
7 | Hash databases are frequently used to identify known good and known bad files. Text files of MD5 and SHA-1 hashes can be easily created and shared, but they are frequently not the most efficient to use when searching for a hash because they are in an unsorted order. Note that MD5 and SHA-1 are no longer collision resistant, so a match against a known-good set should only be trusted when an adversary could not have influenced the files that were added to that set.
8 |
9 | The hash database functions in TSK create an index into text file hash databases and allow you to more quickly perform lookups. TSK uses the index to perform binary searches for the hashes (see Informer #6).
10 |
11 | \section hash_open Opening a Hash Database
12 | Before a database can be indexed or searched, it must first be opened. Use the tsk_hdb_open() function to open the database. There is a flag that can be specified to open only the index. This allows you to save storage space by keeping only the index around, but it means that you will not have access to other metadata that is stored in the database.
13 |
14 | The tsk_hdb_open() function will return a TSK_HDB_INFO structure that will be used as a handle to index and search the database. An open hash database can be closed with tsk_hdb_close().
15 |
16 | This functionality also exists in the TskHdbInfo C++ class.
17 |
18 | \section hash_index Indexing a Hash Database
19 | A single database can have more than one index if the database contains multiple hash types. For example, both MD5 and SHA-1 indexes can be made for the NSRL database. Because multiple indexes can exist, you must specify the type when making or testing for an index.
20 | 21 | You can test if an open hash database has an index by using the tsk_hdb_hasindex(). If you need to create one, use the tsk_hdb_makeindex() function. This process may take several minutes (or longer). 22 | 23 | \section hash_search Searching a Hash Database 24 | An indexed database can be searched using either tsk_hdb_lookup_raw() or tsk_hdb_lookup_str(). The only difference is that tsk_hdb_lookup_raw() takes the hash value as a byte array and tsk_hdb_lookup_str() takes the hash value as a string. 25 | 26 | Both functions can call a callback with details of entries that are found, or the QUICK flag can be given in which case the callback is not called and instead the return value of the function identifies if the hash is in the database or not. 27 | 28 | Next to \ref autopage 29 | 30 | Back to \ref users_guide "Table of Contents" 31 | */ 32 | -------------------------------------------------------------------------------- /libraries/tsk_builtin/include/tsk/docs/main.dox: -------------------------------------------------------------------------------- 1 | /*! \mainpage The Sleuth Kit (TSK) Library User's Guide and API Reference 2 | 3 | \author Brian Carrier 4 | 5 |

Overview

6 | This document was designed to help integrate the Sleuth Kit (TSK) library into an application that needs to analyze data from a disk image. Note that this document does not contain information about using the command line tools in TSK. The command line tools use the functionality of this library, but this document is for programmers who want to use the library. 7 | 8 | There are two main sections to this document. One is the User's Guide that describes the organization of TSK, the APIs, and how to use them together. The other is a list of the API functions and a description of their arguments and return values. 9 | 10 |

User's Guide

11 | \anchor users_guide 12 | The User's Guide describes the various components of TSK and how to use them. It refers to specific functions and data structures with links to the details in the API Reference. 13 | - \subpage basicpage 14 | - \subpage basepage 15 | - \subpage imgpage 16 | - \subpage vspage 17 | - \subpage fspage 18 | - \subpage hashdbpage 19 | - \subpage autopage 20 | - \subpage cpppage 21 | 22 |

API Reference

23 | The API Reference lists the public C and C++ API functions with their arguments and return values. The Users's Guide should be read first so that the interaction and use of the functions are understood. These pages can also be found in the Modules section. 24 | - \ref baselib and \ref baselib_cpp 25 | - \ref imglib and \ref imglib_cpp 26 | - \ref vslib and \ref vslib_cpp 27 | - \ref fslib and \ref fslib_cpp 28 | - \ref hashdblib and \ref hashdblib_cpp 29 | - \ref autolib 30 | 31 | */ 32 | 33 | -------------------------------------------------------------------------------- /libraries/tsk_builtin/include/tsk/fs/.indent.pro: -------------------------------------------------------------------------------- 1 | -kr -psl -nce -ip2 -nlp -nut 2 | -------------------------------------------------------------------------------- /libraries/tsk_builtin/include/tsk/fs/Makefile.am: -------------------------------------------------------------------------------- 1 | AM_CPPFLAGS = -I../.. -I$(srcdir)/../.. 
-Wall 2 | EXTRA_DIST = .indent.pro 3 | 4 | noinst_LTLIBRARIES = libtskfs.la 5 | # Note that the .h files are in the top-level Makefile 6 | libtskfs_la_SOURCES = tsk_fs_i.h fs_inode.c fs_io.c fs_block.c fs_open.c \ 7 | fs_name.c fs_dir.c fs_types.c fs_attr.c fs_attrlist.c fs_load.c \ 8 | fs_parse.c fs_file.c \ 9 | unix_misc.c nofs_misc.c \ 10 | ffs.c ffs_dent.c ext2fs.c ext2fs_dent.c ext2fs_journal.c \ 11 | fatfs.c fatfs_meta.c fatfs_dent.cpp \ 12 | fatxxfs.c fatxxfs_meta.c fatxxfs_dent.c \ 13 | exfatfs.c exfatfs_meta.c exfatfs_dent.c \ 14 | fatfs_utils.c \ 15 | ntfs.c ntfs_dent.cpp swapfs.c rawfs.c \ 16 | iso9660.c iso9660_dent.c \ 17 | hfs.c hfs_dent.c hfs_journal.c hfs_unicompare.c lzvn.c lzvn.h \ 18 | dcalc_lib.c dcat_lib.c dls_lib.c dstat_lib.c ffind_lib.c \ 19 | fls_lib.c icat_lib.c ifind_lib.c ils_lib.c usn_journal.c usnjls_lib.c \ 20 | walk_cpp.cpp yaffs.cpp 21 | 22 | indent: 23 | indent *.c *.h 24 | 25 | clean-local: 26 | -rm -f *.c~ *.h~ 27 | -------------------------------------------------------------------------------- /libraries/tsk_builtin/include/tsk/fs/dstat_lib.c: -------------------------------------------------------------------------------- 1 | /* 2 | ** blkstat 3 | ** The Sleuth Kit 4 | ** 5 | ** Get the details about a data unit 6 | ** 7 | ** Brian Carrier [carrier sleuthkit [dot] org] 8 | ** Copyright (c) 2006-2011 Brian Carrier, Basis Technology. All Rights reserved 9 | ** Copyright (c) 2003-2005 Brian Carrier. All rights reserved 10 | ** 11 | ** TASK 12 | ** Copyright (c) 2002 Brian Carrier, @stake Inc. All rights reserved 13 | ** 14 | ** 15 | ** This software is distributed under the Common Public License 1.0 16 | ** 17 | */ 18 | 19 | /** 20 | * \file dstat_lib.c 21 | * Contains the library API functions used by the TSK blkstat command 22 | * line tool. 
23 | */ 24 | 25 | #include "tsk_fs_i.h" 26 | 27 | #include "tsk_ffs.h" 28 | #include "tsk_ext2fs.h" 29 | #include "tsk_fatfs.h" 30 | 31 | 32 | static TSK_WALK_RET_ENUM 33 | blkstat_act(const TSK_FS_BLOCK * fs_block, void *ptr) 34 | { 35 | tsk_printf("%s: %" PRIuDADDR "\n", fs_block->fs_info->duname, 36 | fs_block->addr); 37 | tsk_printf("%sAllocated%s\n", 38 | (fs_block->flags & TSK_FS_BLOCK_FLAG_ALLOC) ? "" : "Not ", 39 | (fs_block->flags & TSK_FS_BLOCK_FLAG_META) ? " (Meta)" : ""); 40 | 41 | if (TSK_FS_TYPE_ISFFS(fs_block->fs_info->ftype)) { 42 | FFS_INFO *ffs = (FFS_INFO *) fs_block->fs_info; 43 | tsk_printf("Group: %" PRI_FFSGRP "\n", ffs->grp_num); 44 | } 45 | else if (TSK_FS_TYPE_ISEXT(fs_block->fs_info->ftype)) { 46 | EXT2FS_INFO *ext2fs = (EXT2FS_INFO *) fs_block->fs_info; 47 | if (fs_block->addr >= ext2fs->first_data_block) 48 | tsk_printf("Group: %" PRI_EXT2GRP "\n", ext2fs->grp_num); 49 | } 50 | else if (TSK_FS_TYPE_ISFAT(fs_block->fs_info->ftype)) { 51 | FATFS_INFO *fatfs = (FATFS_INFO *) fs_block->fs_info; 52 | /* Does this have a cluster address? 
*/ 53 | if (fs_block->addr >= fatfs->firstclustsect) { 54 | tsk_printf("Cluster: %" PRIuDADDR "\n", 55 | (2 + (fs_block->addr - 56 | fatfs->firstclustsect) / fatfs->csize)); 57 | } 58 | } 59 | 60 | return TSK_WALK_STOP; 61 | } 62 | 63 | 64 | uint8_t 65 | tsk_fs_blkstat(TSK_FS_INFO * fs, TSK_DADDR_T addr) 66 | { 67 | int flags = 68 | (TSK_FS_BLOCK_WALK_FLAG_UNALLOC | TSK_FS_BLOCK_WALK_FLAG_ALLOC | 69 | TSK_FS_BLOCK_WALK_FLAG_META | TSK_FS_BLOCK_WALK_FLAG_CONT | 70 | TSK_FS_BLOCK_WALK_FLAG_AONLY); 71 | return tsk_fs_block_walk(fs, addr, addr, flags, blkstat_act, NULL); 72 | } 73 | -------------------------------------------------------------------------------- /libraries/tsk_builtin/include/tsk/fs/fs_load.c: -------------------------------------------------------------------------------- 1 | /* 2 | * The Sleuth Kit 3 | * 4 | * Brian Carrier [carrier sleuthkit [dot] org] 5 | * Copyright (c) 2005-2011 Brian Carrier. All rights reserved 6 | * 7 | * This software is distributed under the Common Public License 1.0 8 | * 9 | */ 10 | 11 | /** \file fs_load.c 12 | * Contains a general file walk callback that can be 13 | * used to load file content into a buffer. 
*/
#include "tsk_fs_i.h"


/* File Walk Action to load the journal
 * TSK_FS_LOAD_FILE is defined in fs_tools.h
 *
 * Copies each block handed over by the file walk into the caller's buffer
 * (dest->cur) until that buffer is full.  The copy length is clamped to
 * dest->left, so on-disk content larger than the destination can never
 * overrun it; once dest->left reaches zero the walk is stopped.  The caller
 * has to set dest->left to the destination capacity before starting the walk
 * (the struct is defined elsewhere -- confirm).
 */

TSK_WALK_RET_ENUM
tsk_fs_load_file_action(TSK_FS_FILE * fs_file, TSK_OFF_T a_off,
    TSK_DADDR_T addr, char *buf, size_t size, TSK_FS_BLOCK_FLAG_ENUM flags,
    void *ptr)
{
    TSK_FS_LOAD_FILE *dest = (TSK_FS_LOAD_FILE *) ptr;

    /* never copy more than the space that is still free */
    const size_t n = (size > dest->left) ? dest->left : size;

    memcpy(dest->cur, buf, n);
    dest->cur = (char *) ((uintptr_t) dest->cur + n);
    dest->left -= n;

    return (dest->left > 0) ? TSK_WALK_CONT : TSK_WALK_STOP;
}
--------------------------------------------------------------------------------
/libraries/tsk_builtin/include/tsk/fs/hfs_journal.c:
--------------------------------------------------------------------------------
/*
 * The Sleuth Kit
 *
 * This software is distributed under the Common Public License 1.0
 */

/**
 * \file hfs_journal.c
 * Contains the internal TSK HFS+ journal code -- not included in code by default.
10 | */ 11 | #include "tsk_fs_i.h" 12 | #include "tsk_hfs.h" 13 | /* Stub: HFS+ journal open is not implemented. Writes a diagnostic to stderr (note: no trailing newline) and returns 0 without using fs or inum. NOTE(review): if 0 is the TSK success code here, callers cannot tell this stub from a real open -- confirm the return convention. */ 14 | uint8_t 15 | hfs_jopen(TSK_FS_INFO * fs, TSK_INUM_T inum) 16 | { 17 | tsk_fprintf(stderr, "jopen not implemented for HFS yet"); 18 | 19 | return 0; 20 | } 21 | /* Stub: journal entry walk is not implemented. Prints a diagnostic (no trailing newline) and returns 0; action is never invoked and fs, flags and ptr are unused. */ 22 | uint8_t 23 | hfs_jentry_walk(TSK_FS_INFO * fs, int flags, TSK_FS_JENTRY_WALK_CB action, 24 | void *ptr) 25 | { 26 | tsk_fprintf(stderr, "jentry_walk not implemented for HFS yet"); 27 | 28 | return 0; 29 | } 30 | /* Stub: journal block walk is not implemented. Prints a diagnostic (no trailing newline) and returns 0; start, end, flags, action and ptr are unused. */ 31 | uint8_t 32 | hfs_jblk_walk(TSK_FS_INFO * fs, TSK_DADDR_T start, TSK_DADDR_T end, 33 | int flags, TSK_FS_JBLK_WALK_CB action, void *ptr) 34 | { 35 | 36 | tsk_fprintf(stderr, "jblk_walk not implemented for HFS yet"); 37 | 38 | return 0; 39 | } 40 | -------------------------------------------------------------------------------- /libraries/tsk_builtin/include/tsk/fs/lzvn.h: -------------------------------------------------------------------------------- 1 | #ifndef LZVN_H 2 | #define LZVN_H 3 | 4 | #include 5 | #include 6 | 7 | #ifdef __cplusplus 8 | extern "C" { 9 | #endif 10 | /* Decode LZVN-compressed data from src (src_size bytes) into dst (dst_size bytes). Both sizes are explicit, which is what lets the decoder bound reads and writes on untrusted input; the return value is presumably the number of bytes produced -- confirm against the implementation before relying on it. */ 11 | size_t lzvn_decode_buffer(void* dst, 12 | size_t dst_size, 13 | const void* src, 14 | size_t src_size); 15 | 16 | #ifdef __cplusplus 17 | } /* extern "C" */ 18 | #endif 19 | 20 | #endif /* LZVN_H */ 21 | -------------------------------------------------------------------------------- /libraries/tsk_builtin/include/tsk/hashdb/.indent.pro: -------------------------------------------------------------------------------- 1 | -kr -psl -nce -ip2 -nut 2 | -------------------------------------------------------------------------------- /libraries/tsk_builtin/include/tsk/hashdb/Makefile.am: -------------------------------------------------------------------------------- 1 | AM_CPPFLAGS = -I../.. -I$(srcdir)/../.. 
-Wall 2 | EXTRA_DIST = .indent.pro 3 | 4 | noinst_LTLIBRARIES = libtskhashdb.la 5 | libtskhashdb_la_SOURCES = \ 6 | encase.c hashkeeper.c idxonly.c md5sum.c nsrl.c \ 7 | sqlite_hdb.cpp binsrch_index.cpp tsk_hashdb.c hdb_base.c \ 8 | tsk_hash_info.h tsk_hashdb.h tsk_hashdb_i.h 9 | 10 | indent: 11 | indent *.cpp *.c *.h 12 | 13 | clean-local: 14 | -rm -f *.c~ *.h~ 15 | -------------------------------------------------------------------------------- /libraries/tsk_builtin/include/tsk/hashdb/tsk_hash_info.h: -------------------------------------------------------------------------------- 1 | /* 2 | * The Sleuth Kit 3 | * 4 | * Brian Carrier [carrier sleuthkit [dot] org] 5 | * Copyright (c) 2003-2013 Brian Carrier. All rights reserved 6 | */ 7 | 8 | /** 9 | * \file tsk_hash_info.h 10 | */ 11 | 12 | /** 13 | * \defgroup hashdblib C Hash Database Functions 14 | * \defgroup hashdblib_cpp C++ Hash Database Classes 15 | */ 16 | 17 | 18 | #ifndef _TSK_SQLITE_INDEX_H 19 | #define _TSK_SQLITE_INDEX_H 20 | 21 | #include 22 | #include 23 | 24 | struct TskHashInfo 25 | { 26 | int64_t id; 27 | std::string hashMd5; 28 | std::string hashSha1; 29 | std::string hashSha2_256; 30 | std::vector fileNames; 31 | std::vector comments; 32 | }; 33 | 34 | #endif 35 | -------------------------------------------------------------------------------- /libraries/tsk_builtin/include/tsk/img/.indent.pro: -------------------------------------------------------------------------------- 1 | -kr -psl -nce -ip2 -nlp -nut 2 | -------------------------------------------------------------------------------- /libraries/tsk_builtin/include/tsk/img/Makefile.am: -------------------------------------------------------------------------------- 1 | AM_CPPFLAGS = -I../.. -I$(srcdir)/../.. 
-Wall 2 | EXTRA_DIST = .indent.pro 3 | 4 | noinst_LTLIBRARIES = libtskimg.la 5 | libtskimg_la_SOURCES = img_open.c img_types.c raw.c raw.h \ 6 | aff.c aff.h ewf.c ewf.h tsk_img_i.h img_io.c mult_files.c \ 7 | vhd.c vhd.h vmdk.c vmdk.h img_writer.cpp img_writer.h 8 | 9 | indent: 10 | indent *.c *.h 11 | 12 | clean-local: 13 | -rm -f *.c~ *.h~ 14 | -------------------------------------------------------------------------------- /libraries/tsk_builtin/include/tsk/img/aff.h: -------------------------------------------------------------------------------- 1 | /* 2 | * The Sleuth Kit 3 | * 4 | * Brian Carrier [carrier sleuthkit [dot] org] 5 | * Copyright (c) 2005-2011 Brian Carrier. All rights reserved 6 | * 7 | * This software is distributed under the Common Public License 1.0 8 | */ 9 | 10 | /* 11 | * Header files for AFF-specific data structures and functions. 12 | */ 13 | 14 | #ifndef _AFF_H 15 | #define _AFF_H 16 | 17 | #if HAVE_LIBAFFLIB 18 | 19 | #include 20 | // mingw's pthread.h will try to read a config.h if HAVE_CONFIG_H 21 | #if HAVE_CONFIG_H 22 | #undef HAVE_CONFIG_H 23 | #include 24 | #define HAVE_CONFIG_H 1 25 | #else 26 | #include 27 | #endif 28 | 29 | extern TSK_IMG_INFO *aff_open(const TSK_TCHAR * const images[], 30 | unsigned int a_ssize); 31 | 32 | /** \internal 33 | * Stores AFF-specific data 34 | */ 35 | typedef struct { 36 | TSK_IMG_INFO img_info; 37 | AFFILE *af_file; 38 | TSK_OFF_T seek_pos; // shared and protected by cache_lock in IMG_INFO 39 | uint16_t type; /* TYPE - uses AF_IDENTIFY_x values */ 40 | } IMG_AFF_INFO; 41 | 42 | #endif 43 | #endif 44 | -------------------------------------------------------------------------------- /libraries/tsk_builtin/include/tsk/img/ewf.h: -------------------------------------------------------------------------------- 1 | /* 2 | * The Sleuth Kit - Add on for Expert Witness Compression Format (EWF) image support 3 | * 4 | * Copyright (c) 2006, 2011 Joachim Metz 5 | * 6 | * This software is distributed under 
the Common Public License 1.0 7 | * 8 | * Based on raw image support of the Sleuth Kit from 9 | * Brian Carrier. 10 | */ 11 | 12 | /* 13 | * Header files for EWF-specific data structures and functions. 14 | */ 15 | 16 | #ifndef _TSK_IMG_EWF_H 17 | #define _TSK_IMG_EWF_H 18 | 19 | #if HAVE_LIBEWF 20 | 21 | #include 22 | 23 | // libewf version 2 no longer defines LIBEWF_HANDLE, so its absence selects the v2 API 24 | #undef HAVE_LIBEWF_V2_API 25 | #if !defined( LIBEWF_HANDLE ) 26 | #define HAVE_LIBEWF_V2_API 27 | #endif 28 | 29 | #ifdef __cplusplus 30 | extern "C" { 31 | #endif 32 | // Open an EWF image set; the first argument is presumably the number of entries in images[] -- confirm against ewf.c 33 | extern TSK_IMG_INFO *ewf_open(int, const TSK_TCHAR * const images[], 34 | unsigned int a_ssize); 35 | /** \internal EWF-specific image state; img_info must stay the first member so the struct can be used through a TSK_IMG_INFO pointer. */ 36 | typedef struct { 37 | TSK_IMG_INFO img_info; 38 | libewf_handle_t *handle; // libewf session handle 39 | char md5hash[33]; // 33 bytes: presumably a 32-character hex MD5 plus NUL -- confirm against the code that fills it 40 | int md5hash_isset; // nonzero once md5hash holds a value -- presumably; verify against ewf.c 41 | uint8_t used_ewf_glob; // 1 if libewf_glob was used during open 42 | tsk_lock_t read_lock; ///< Lock for reads since libewf is not thread safe -- only works if you have a single instance of EWF_INFO for all threads. 43 | } IMG_EWF_INFO; 44 | 45 | #ifdef __cplusplus 46 | } 47 | #endif 48 | #endif 49 | #endif 50 | -------------------------------------------------------------------------------- /libraries/tsk_builtin/include/tsk/img/img_writer.h: -------------------------------------------------------------------------------- 1 | /* 2 | * The Sleuth Kit 3 | * 4 | * Brian Carrier [carrier sleuthkit [dot] org] 5 | * Copyright (c) 2005-2011 Brian Carrier. All rights reserved 6 | * 7 | * This software is distributed under the Common Public License 1.0 8 | */ 9 | 10 | /* 11 | * Contains the image writer (TSK_IMG_WRITER) functions and structures. 
12 | */ 13 | 14 | #ifndef _IMG_WRITER_H 15 | #define _IMG_WRITER_H 16 | 17 | #include "tsk/base/tsk_base.h" 18 | 19 | #ifdef __cplusplus 20 | extern "C" { 21 | #endif 22 | TSK_RETVAL_ENUM tsk_img_writer_create(TSK_IMG_INFO* img_info, const TSK_TCHAR * outputFileName); 23 | 24 | enum IMG_WRITER_BLOCK_STATUS_ENUM { 25 | IMG_WRITER_BLOCK_STATUS_UNALLOC = 0, 26 | IMG_WRITER_BLOCK_STATUS_ALLOC = 1, 27 | IMG_WRITER_BLOCK_STATUS_FINISHED = 2 28 | }; 29 | typedef enum IMG_WRITER_BLOCK_STATUS_ENUM IMG_WRITER_BLOCK_STATUS_ENUM; 30 | 31 | typedef struct TSK_IMG_WRITER TSK_IMG_WRITER; 32 | struct TSK_IMG_WRITER { 33 | TSK_IMG_INFO * img_info; 34 | int is_finished; 35 | int finishProgress; 36 | int cancelFinish; 37 | 38 | TSK_TCHAR* fileName; 39 | #ifdef TSK_WIN32 40 | HANDLE outputFileHandle; 41 | #else 42 | int outputFileHandle; 43 | #endif 44 | 45 | unsigned char* footer; 46 | 47 | uint32_t blockSize; 48 | TSK_OFF_T imageSize; 49 | uint32_t totalBlocks; 50 | uint32_t sectorBitmapLength; 51 | uint32_t sectorBitmapArrayLength; 52 | uint32_t sectorsPerBlock; 53 | TSK_OFF_T batOffset; 54 | TSK_OFF_T nextDataOffset; 55 | 56 | IMG_WRITER_BLOCK_STATUS_ENUM* blockStatus; 57 | uint32_t* blockToSectorNumber; 58 | unsigned char ** blockToSectorBitmap; 59 | 60 | TSK_RETVAL_ENUM(*add)(TSK_IMG_WRITER* img_writer, TSK_OFF_T addr, char *buffer, size_t len); 61 | TSK_RETVAL_ENUM(*close)(TSK_IMG_WRITER* img_writer); 62 | TSK_RETVAL_ENUM(*finish_image)(TSK_IMG_WRITER* img_writer); 63 | }; 64 | 65 | #ifdef __cplusplus 66 | } 67 | #endif 68 | #endif 69 | -------------------------------------------------------------------------------- /libraries/tsk_builtin/include/tsk/img/raw.h: -------------------------------------------------------------------------------- 1 | /* 2 | * The Sleuth Kit 3 | * 4 | * Brian Carrier [carrier sleuthkit [dot] org] 5 | * Copyright (c) 2005-2011 Brian Carrier. 
All rights reserved 6 | * 7 | * This software is distributed under the Common Public License 1.0 8 | */ 9 | 10 | /* 11 | * Contains the single raw data file-specific functions and structures. 12 | */ 13 | 14 | #ifndef _RAW_H 15 | #define _RAW_H 16 | 17 | #include "img_writer.h" 18 | 19 | #ifdef __cplusplus 20 | extern "C" { 21 | #endif 22 | 23 | extern TSK_IMG_INFO *raw_open(int a_num_img, 24 | const TSK_TCHAR * const a_images[], unsigned int a_ssize); 25 | 26 | #define SPLIT_CACHE 15 27 | 28 | typedef struct { 29 | #ifdef TSK_WIN32 30 | HANDLE fd; 31 | #else 32 | int fd; 33 | #endif 34 | int image; 35 | TSK_OFF_T seek_pos; 36 | } IMG_SPLIT_CACHE; 37 | 38 | typedef struct { 39 | TSK_IMG_INFO img_info; 40 | uint8_t is_winobj; 41 | TSK_IMG_WRITER *img_writer; 42 | 43 | // the following are protected by cache_lock in IMG_INFO 44 | TSK_OFF_T *max_off; 45 | int *cptr; /* exists for each image - points to entry in cache */ 46 | IMG_SPLIT_CACHE cache[SPLIT_CACHE]; /* small number of fds for open images */ 47 | int next_slot; 48 | } IMG_RAW_INFO; 49 | 50 | #ifdef __cplusplus 51 | } 52 | #endif 53 | #endif 54 | -------------------------------------------------------------------------------- /libraries/tsk_builtin/include/tsk/img/tsk_img_i.h: -------------------------------------------------------------------------------- 1 | /* 2 | * The Sleuth Kit 3 | * 4 | * Brian Carrier [carrier sleuthkit [dot] org] 5 | * Copyright (c) 2005-2011 Brian Carrier. All rights reserved 6 | * 7 | * This software is distributed under the Common Public License 1.0 8 | */ 9 | #ifndef _TSK_IMG_I_H 10 | #define _TSK_IMG_I_H 11 | 12 | /* 13 | * Contains the internal library definitions for the disk image functions. This should 14 | * be included by the code in the img library. 
15 | */ 16 | 17 | // include the base internal header file 18 | #include "tsk/base/tsk_base_i.h" 19 | 20 | // include the external disk image header file 21 | #include "tsk_img.h" 22 | 23 | // other standard includes 24 | #include 25 | #include 26 | #include 27 | #include 28 | #include 29 | 30 | #ifdef __cplusplus 31 | extern "C" { 32 | #endif 33 | 34 | // Cygwin needs this, but not everyone defines it 35 | #ifndef O_BINARY 36 | #define O_BINARY 0 37 | #endif 38 | extern void *tsk_img_malloc(size_t); 39 | extern void tsk_img_free(void *); 40 | extern TSK_TCHAR **tsk_img_findFiles(const TSK_TCHAR * a_startingName, 41 | int *a_numFound); 42 | 43 | #ifdef __cplusplus 44 | } 45 | #endif 46 | 47 | #endif 48 | -------------------------------------------------------------------------------- /libraries/tsk_builtin/include/tsk/img/vhd.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Brian Carrier [carrier sleuthkit [dot] org] 3 | * Copyright (c) 2006-2016 Brian Carrier, Basis Technology. All rights reserved 4 | * Copyright (c) 2005 Brian Carrier. All rights reserved 5 | * 6 | * This software is distributed under the Common Public License 1.0 7 | * 8 | */ 9 | 10 | /* 11 | * Header files for VHD-specific data structures and functions. 
12 | */ 13 | 14 | #ifndef _TSK_IMG_VHDI_H 15 | #define _TSK_IMG_VHDI_H 16 | 17 | #if HAVE_LIBVHDI 18 | 19 | #if defined( TSK_WIN32 ) 20 | #define LIBVHDI_HAVE_WIDE_CHARACTER_TYPE 1 21 | #endif 22 | 23 | #include 24 | 25 | #ifdef __cplusplus 26 | extern "C" { 27 | #endif 28 | 29 | extern TSK_IMG_INFO *vhdi_open(int, const TSK_TCHAR * const images[], 30 | unsigned int a_ssize); 31 | 32 | typedef struct { 33 | TSK_IMG_INFO img_info; 34 | libvhdi_file_t *handle; 35 | tsk_lock_t read_lock; // Lock for reads since according to documentation libvhdi is not fully thread safe yet 36 | } IMG_VHDI_INFO; 37 | 38 | #ifdef __cplusplus 39 | } 40 | #endif 41 | #endif 42 | #endif // _TSK_IMG_VHDI_H 43 | -------------------------------------------------------------------------------- /libraries/tsk_builtin/include/tsk/img/vmdk.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Brian Carrier [carrier sleuthkit [dot] org] 3 | * Copyright (c) 2006-2016 Brian Carrier, Basis Technology. All rights reserved 4 | * Copyright (c) 2005 Brian Carrier. All rights reserved 5 | * 6 | * This software is distributed under the Common Public License 1.0 7 | * 8 | */ 9 | 10 | /* 11 | * Header files for VMDK-specific data structures and functions. 
12 | */ 13 | 14 | #ifndef _TSK_IMG_VMDK_H 15 | #define _TSK_IMG_VMDK_H 16 | 17 | #if HAVE_LIBVMDK 18 | 19 | #if defined( TSK_WIN32 ) 20 | #define LIBVMDK_HAVE_WIDE_CHARACTER_TYPE 1 21 | #endif 22 | 23 | #include 24 | 25 | #ifdef __cplusplus 26 | extern "C" { 27 | #endif 28 | 29 | extern TSK_IMG_INFO *vmdk_open(int, const TSK_TCHAR * const images[], 30 | unsigned int a_ssize); 31 | 32 | typedef struct { 33 | TSK_IMG_INFO img_info; 34 | libvmdk_handle_t *handle; 35 | tsk_lock_t read_lock; // Lock for reads since according to documentation libvmdk is not fully thread safe yet 36 | } IMG_VMDK_INFO; 37 | 38 | #ifdef __cplusplus 39 | } 40 | #endif 41 | #endif 42 | #endif 43 | -------------------------------------------------------------------------------- /libraries/tsk_builtin/include/tsk/libtsk.h: -------------------------------------------------------------------------------- 1 | #ifndef _TSK_LIBTSK_H 2 | #define _TSK_LIBTSK_H 3 | 4 | #include "tsk/base/tsk_base.h" 5 | #include "tsk/img/tsk_img.h" 6 | #include "tsk/vs/tsk_vs.h" 7 | #include "tsk/fs/tsk_fs.h" 8 | #include "tsk/hashdb/tsk_hashdb.h" 9 | #include "tsk/auto/tsk_auto.h" 10 | 11 | #endif 12 | -------------------------------------------------------------------------------- /libraries/tsk_builtin/include/tsk/sorter/freebsd.sort: -------------------------------------------------------------------------------- 1 | # 2 | # config file for Sleuth Kit sorter 3 | # 4 | # FreeBSD Platform 5 | # 6 | # To make custom modifications, you can also use a file named 7 | # freebsd.lcl.sort 8 | 9 | ########################################################################## 10 | # Multimedia 11 | ########################################################################## 12 | # Images 13 | 14 | # Audio 15 | 16 | # video 17 | 18 | 19 | ########################################################################## 20 | # archive & compression 21 | ########################################################################## 22 | 23 | 24 
| 25 | ########################################################################## 26 | # Executables & Source Code 27 | ########################################################################## 28 | 29 | # object & relocatable are already a category in default 30 | ext so,0,1,2,3,4,5,6,7,8,9 shared object 31 | #ext o relocatable 32 | 33 | #category exec library 34 | #ext so library 35 | 36 | #category exec ar archive 37 | #ext a ar archive 38 | 39 | 40 | ########################################################################## 41 | # Documents, text, and internet (web) 42 | ########################################################################## 43 | # Text 44 | #ext afm ASCII font metrics 45 | 46 | ext conf ASCII(.*?)text 47 | 48 | ########################################################################## 49 | # Other 50 | ########################################################################## 51 | 52 | category system pixmap image text 53 | ext xpm pixmap image text 54 | 55 | -------------------------------------------------------------------------------- /libraries/tsk_builtin/include/tsk/sorter/images.sort: -------------------------------------------------------------------------------- 1 | # 2 | # images.sort 3 | # Save Images only 4 | # config file for Sleuth Kit sorter 5 | # 6 | # Category 7 | # If the keyword is found in the 'file' output, then the data is saved 8 | # to either the summary file or even copied if the appropriate flags are 9 | # given 10 | # 11 | # category cat_name keywords 12 | # 13 | # 14 | # Extension 15 | # If the keywords are found in the 'file' output, and the file extension 16 | # is different from the one on the file, an alert is generated 17 | # 'somewhere' 18 | # ext ext1,ext2,ext3 keywords 19 | 20 | # Images 21 | category images image data 22 | ext jpg,jpeg,jpe JPEG image data 23 | ext gif GIF image data 24 | ext tif TIFF image data 25 | ext png PNG image data 26 | 27 | category images bitmap data 28 | ext bmp PC 
bitmap data 29 | 30 | -------------------------------------------------------------------------------- /libraries/tsk_builtin/include/tsk/sorter/linux.sort: -------------------------------------------------------------------------------- 1 | # 2 | # config file for Sleuth Kit sorter 3 | # 4 | # Linux Platform 5 | # 6 | # To make custom modifications, you can also use a file named 7 | # linux.lcl.sort 8 | 9 | ########################################################################## 10 | # Multimedia 11 | ########################################################################## 12 | # Images 13 | 14 | # Audio 15 | 16 | # video 17 | 18 | ########################################################################## 19 | # archive & compression 20 | ########################################################################## 21 | 22 | 23 | 24 | ########################################################################## 25 | # Executables & Source Code 26 | ########################################################################## 27 | # object and relocatable are already a category in default 28 | ext so,0,1,2,3,4,5,6,7,8,9 shared object 29 | ext o relocatable 30 | 31 | #category exec library 32 | #ext so library 33 | 34 | #category exec ar archive 35 | #ext a ar archive 36 | 37 | 38 | ########################################################################## 39 | # Documents, text, and internet (web) 40 | ########################################################################## 41 | # Text 42 | #ext afm ASCII font metrics 43 | category text input text 44 | category text TeX DVI 45 | 46 | 47 | 48 | ########################################################################## 49 | # Other 50 | ########################################################################## 51 | -------------------------------------------------------------------------------- /libraries/tsk_builtin/include/tsk/sorter/openbsd.sort: 
-------------------------------------------------------------------------------- 1 | # 2 | # config file for Sleuth Kit sorter 3 | # 4 | # OpenBSD Platform 5 | # 6 | # To make custom modifications, you can also use a file named 7 | # openbsd.lcl.sort 8 | 9 | ########################################################################## 10 | # Multimedia 11 | ########################################################################## 12 | # Images 13 | 14 | # Audio 15 | 16 | # video 17 | 18 | 19 | ########################################################################## 20 | # archive & compression 21 | ########################################################################## 22 | 23 | 24 | 25 | ########################################################################## 26 | # Executables & Source Code 27 | ########################################################################## 28 | 29 | # object & relocatable are already a category in default 30 | ext so,0,1,2,3,4,5,6,7,8,9 shared object 31 | #ext o relocatable 32 | 33 | #category exec library 34 | #ext so library 35 | 36 | #category exec ar archive 37 | #ext a ar archive 38 | 39 | 40 | ########################################################################## 41 | # Documents, text, and internet (web) 42 | ########################################################################## 43 | # Text 44 | #ext afm ASCII font metrics 45 | 46 | ext conf ASCII(.*?)text 47 | 48 | ########################################################################## 49 | # Other 50 | ########################################################################## 51 | 52 | category system pixmap image text 53 | ext xpm pixmap image text 54 | 55 | -------------------------------------------------------------------------------- /libraries/tsk_builtin/include/tsk/sorter/solaris.sort: -------------------------------------------------------------------------------- 1 | # 2 | # config file for Sleuth Kit sorter 3 | # 4 | # Solaris Platform 5 | # 6 | # 
To make custom modifications, you can also use a file named 7 | # solaris.lcl.sort 8 | 9 | ########################################################################## 10 | # Multimedia 11 | ########################################################################## 12 | # Images 13 | 14 | # Audio 15 | 16 | # video 17 | 18 | 19 | ########################################################################## 20 | # archive & compression 21 | ########################################################################## 22 | 23 | 24 | 25 | ########################################################################## 26 | # Executables & Source Code 27 | ########################################################################## 28 | 29 | # object & relocatable are already a category in default 30 | ext so,0,1,2,3,4,5,6,7,8,9 shared object 31 | ext o relocatable 32 | 33 | category exec library 34 | ext so library 35 | 36 | category exec ar archive 37 | ext a ar archive 38 | 39 | 40 | ########################################################################## 41 | # Documents, text, and internet (web) 42 | ########################################################################## 43 | # Text 44 | ext afm ASCII font metrics 45 | 46 | 47 | ########################################################################## 48 | # Other 49 | ########################################################################## 50 | 51 | 52 | -------------------------------------------------------------------------------- /libraries/tsk_builtin/include/tsk/tsk_incs.h: -------------------------------------------------------------------------------- 1 | #ifndef _TSK_INCS_H 2 | #define _TSK_INCS_H 3 | // automatically by ./configure 4 | // Contains the config.h data needed by programs that use libtsk 5 | 6 | #include 7 | #ifndef __STDC_FORMAT_MACROS 8 | #define __STDC_FORMAT_MACROS 9 | #endif 10 | #include 11 | #include 12 | #define TSK_MULTITHREAD_LIB // enable multithreading 13 | 14 | #endif 15 | 
-------------------------------------------------------------------------------- /libraries/tsk_builtin/include/tsk/tsk_tools_i.h: -------------------------------------------------------------------------------- 1 | #ifndef _TSK_TOOLS_I_H 2 | #define _TSK_TOOLS_I_H 3 | 4 | /* same as tsklib.h except that it includes the base_i.h file 5 | * instead of base.h so that we can get the _config defines. 6 | * This is to be used by the tools included with TSK (such as fls). 7 | */ 8 | #include "tsk/base/tsk_base_i.h" 9 | #include "tsk/img/tsk_img.h" 10 | #include "tsk/vs/tsk_vs.h" 11 | #include "tsk/fs/tsk_fs.h" 12 | #include "tsk/hashdb/tsk_hashdb.h" 13 | #include "tsk/auto/tsk_auto.h" 14 | 15 | #endif 16 | -------------------------------------------------------------------------------- /libraries/tsk_builtin/include/tsk/vs/.indent.pro: -------------------------------------------------------------------------------- 1 | -kr -psl -nce -ip2 -nlp -nut 2 | -------------------------------------------------------------------------------- /libraries/tsk_builtin/include/tsk/vs/Makefile.am: -------------------------------------------------------------------------------- 1 | AM_CPPFLAGS = -I../.. -I$(srcdir)/../.. -Wall 2 | EXTRA_DIST = .indent.pro 3 | 4 | noinst_LTLIBRARIES = libtskvs.la 5 | # Note that the .h files are in the top-level Makefile 6 | libtskvs_la_SOURCES = mm_open.c mm_part.c mm_types.c mm_io.c \ 7 | bsd.c dos.c gpt.c mac.c sun.c tsk_vs_i.h 8 | 9 | indent: 10 | indent *.c *.h 11 | 12 | clean-local: 13 | -rm -f *.c~ *.h~ 14 | -------------------------------------------------------------------------------- /libraries/tsk_builtin/include/tsk/vs/tsk_bsd.h: -------------------------------------------------------------------------------- 1 | /* 2 | * The Sleuth Kit 3 | * 4 | * Brian Carrier [carrier sleuthkit [dot] org] 5 | * Copyright (c) 2003-2011 Brian Carrier. 
All rights reserved 6 | * 7 | * ** This software is distributed under the Common Public License 1.0 8 | */ 9 | 10 | /* 11 | * C header file with BSD and internal data structures. 12 | */ 13 | 14 | #ifndef _TSK_BSD_H 15 | #define _TSK_BSD_H 16 | 17 | #ifdef __cplusplus 18 | extern "C" { 19 | #endif 20 | 21 | typedef struct { 22 | uint8_t magic[4]; 23 | uint8_t type[2]; 24 | uint8_t sub_type[2]; 25 | uint8_t type_name[16]; 26 | 27 | uint8_t packname[16]; 28 | 29 | uint8_t sec_size[4]; 30 | uint8_t sec_per_tr[4]; 31 | uint8_t tr_per_cyl[4]; 32 | uint8_t cyl_per_unit[4]; 33 | uint8_t sec_per_cyl[4]; 34 | uint8_t sec_per_unit[4]; 35 | 36 | uint8_t spare_per_tr[2]; 37 | uint8_t spare_per_cyl[2]; 38 | 39 | uint8_t alt_per_unit[4]; 40 | 41 | uint8_t rpm[2]; 42 | uint8_t interleave[2]; 43 | uint8_t trackskew[2]; 44 | uint8_t cylskew[2]; 45 | uint8_t headswitch[4]; 46 | uint8_t track_seek[4]; 47 | uint8_t flags[4]; 48 | 49 | uint8_t drivedata[20]; 50 | 51 | uint8_t reserved1[20]; 52 | 53 | uint8_t magic2[4]; 54 | uint8_t checksum[2]; 55 | 56 | uint8_t num_parts[2]; 57 | uint8_t bootarea_size[4]; 58 | uint8_t sb_size[4]; 59 | 60 | struct { 61 | uint8_t size_sec[4]; 62 | uint8_t start_sec[4]; 63 | uint8_t frag_size[4]; 64 | uint8_t fstype; 65 | uint8_t frag_per_block; 66 | uint8_t cyl_per_grp[2]; 67 | } part[16]; 68 | 69 | /* padding to make it a full 512 bytes */ 70 | uint8_t reserved2[108]; 71 | 72 | } bsd_disklabel; 73 | 74 | #define BSD_MAGIC 0x82564557 75 | #define BSD_PART_SOFFSET 1 76 | 77 | #ifdef __cplusplus 78 | } 79 | #endif 80 | #endif 81 | -------------------------------------------------------------------------------- /libraries/tsk_builtin/include/tsk/vs/tsk_dos.h: -------------------------------------------------------------------------------- 1 | /* 2 | * The Sleuth Kit 3 | * 4 | * Brian Carrier [carrier sleuthkit [dot] org] 5 | * Copyright (c) 2003-2011 Brian Carrier. 
All rights reserved 6 | * 7 | * This software is distributed under the Common Public License 1.0 8 | */ 9 | 10 | /* 11 | * C header file with DOS and internal data structures. 12 | */ 13 | #ifndef _TSK_DOS_H 14 | #define _TSK_DOS_H 15 | 16 | #ifdef __cplusplus 17 | extern "C" { 18 | #endif 19 | 20 | typedef struct { 21 | uint8_t boot; 22 | uint8_t start_chs[3]; 23 | uint8_t ptype; 24 | uint8_t end_chs[3]; 25 | uint8_t start_sec[4]; 26 | uint8_t size_sec[4]; 27 | } dos_part; 28 | 29 | /* Boot Sector w/partition table */ 30 | typedef struct { 31 | uint8_t f1[3]; 32 | /* the next three are actually part of NTFS and FAT, but 33 | * we use them for sanity checks in the detect code */ 34 | char oemname[8]; 35 | uint8_t ssize[2]; /* sector size in bytes */ 36 | uint8_t csize; /* cluster size in sectors */ 37 | uint8_t filler[432]; 38 | dos_part ptable[4]; 39 | uint8_t magic[2]; 40 | } dos_sect; 41 | 42 | #define DOS_MAGIC 0xaa55 43 | #define DOS_PART_SOFFSET 0 44 | 45 | #ifdef __cplusplus 46 | } 47 | #endif 48 | #endif 49 | -------------------------------------------------------------------------------- /libraries/tsk_builtin/include/tsk/vs/tsk_gpt.h: -------------------------------------------------------------------------------- 1 | /* 2 | * The Sleuth Kit 3 | * 4 | * Brian Carrier [carrier sleuthkit [dot] org] 5 | * Copyright (c) 2004-2011 Brian Carrier. All rights reserved 6 | * 7 | * This software is distributed under the Common Public License 1.0 8 | */ 9 | 10 | /* 11 | * C header file with GPT and internal data structures. 
12 | */ 13 | 14 | #ifndef _TSK_GPT_H 15 | #define _TSK_GPT_H 16 | 17 | #ifdef __cplusplus 18 | extern "C" { 19 | #endif 20 | 21 | /* Partition type in the safety DOS partition table */ 22 | #define GPT_PART_SOFFSET 0 23 | #define GPT_DOS_TYPE 0xEE 24 | 25 | 26 | 27 | /* This is located in sector 1 of the disk */ 28 | #define GPT_HEAD_OFFSET 1 29 | #define GPT_HEAD_SIG 0x5452415020494645ULL 30 | 31 | typedef struct { 32 | uint8_t signature[8]; /* EFI PART */ 33 | uint8_t version[4]; 34 | uint8_t head_size_b[4]; /* size of partition header */ 35 | uint8_t head_crc[4]; /* crc of header */ 36 | uint8_t f1[4]; 37 | uint8_t head_lba[8]; /* lba of this header */ 38 | uint8_t head2_lba[8]; /* lba of second header */ 39 | uint8_t partarea_start[8]; /* lba of partition area start */ 40 | uint8_t partarea_end[8]; /* lba of partition area end */ 41 | uint8_t guid[16]; /* disk GUID */ 42 | uint8_t tab_start_lba[8]; /* lba of table start */ 43 | uint8_t tab_num_ent[4]; /* num of table entries */ 44 | uint8_t tab_size_b[4]; /* size of each table entry */ 45 | uint8_t tab_crc[4]; /* crc of table */ 46 | uint8_t f2[420]; 47 | } gpt_head; 48 | 49 | 50 | /* The location of this is specified in the header - tab_start */ 51 | typedef struct { 52 | uint8_t type_guid[16]; /* partition type guid */ 53 | uint8_t id_guid[16]; /* unique partition GUID */ 54 | uint8_t start_lba[8]; /* Starting lba of part */ 55 | uint8_t end_lba[8]; /* end lba of part */ 56 | uint8_t flags[8]; /* flags */ 57 | uint8_t name[72]; /* name in unicode */ 58 | } gpt_entry; 59 | 60 | typedef enum { 61 | PRIMARY_TABLE, 62 | SECONDARY_TABLE, 63 | } GPT_LOCATION_ENUM; 64 | 65 | 66 | #ifdef __cplusplus 67 | } 68 | #endif 69 | #endif 70 | -------------------------------------------------------------------------------- /libraries/tsk_builtin/include/tsk/vs/tsk_mac.h: -------------------------------------------------------------------------------- 1 | /* 2 | * The Sleuth Kit 3 | * 4 | * Brian Carrier [carrier sleuthkit 
[dot] org] 5 | * Copyright (c) 2003-2011 Brian Carrier. All rights reserved 6 | * 7 | * This software is distributed under the Common Public License 1.0 8 | */ 9 | 10 | /* 11 | * C header file with Mac and internal data structures. 12 | */ 13 | 14 | #ifndef _TSK_MAC_H 15 | #define _TSK_MAC_H 16 | 17 | #ifdef __cplusplus 18 | extern "C" { 19 | #endif 20 | 21 | typedef struct { 22 | uint8_t magic[2]; 23 | uint8_t reserved[2]; 24 | uint8_t pmap_size[4]; 25 | uint8_t start_sec[4]; 26 | uint8_t size_sec[4]; 27 | uint8_t name[32]; 28 | uint8_t type[32]; 29 | uint8_t data_start_sec[4]; 30 | uint8_t data_size_sec[4]; 31 | uint8_t status[4]; 32 | uint8_t boot_start_sec[4]; 33 | uint8_t boot_size_sec[4]; 34 | uint8_t boot_load_addr[4]; 35 | uint8_t reserved2[4]; 36 | uint8_t boot_entry[4]; 37 | uint8_t reserved3[4]; 38 | uint8_t boot_checksum[4]; 39 | uint8_t proc_type[16]; 40 | uint8_t reserved4[376]; 41 | } mac_part; 42 | 43 | #define MAC_MAGIC 0x504d 44 | #define MAC_PART_SOFFSET 1 45 | 46 | #define MAC_STAT_VALID 0x00 47 | #define MAC_STAT_ALLOC 0x01 48 | #define MAC_STAT_INUSE 0x02 49 | #define MAC_STAT_BOOT 0x04 50 | #define MAC_STAT_READ 0x08 51 | 52 | #ifdef __cplusplus 53 | } 54 | #endif 55 | #endif 56 | -------------------------------------------------------------------------------- /libraries/tsk_builtin/include/tsk/vs/tsk_vs_i.h: -------------------------------------------------------------------------------- 1 | /* 2 | * The Sleuth Kit 3 | * 4 | * Brian Carrier [carrier sleuthkit [dot] org] 5 | * Copyright (c) 2003-2011 Brian Carrier. All rights reserved 6 | * 7 | * This software is distributed under the Common Public License 1.0 8 | */ 9 | 10 | /** 11 | * \file tsk_vs_i.h 12 | * Contains the internal library definitions for the volume system functions. This should 13 | * be included by the code in the volume system library. 
14 | */ 15 | #ifndef _TSK_VS_I_H 16 | #define _TSK_VS_I_H 17 | 18 | // Include the other internal TSK header files 19 | #include "tsk/base/tsk_base_i.h" 20 | #include "tsk/img/tsk_img_i.h" 21 | 22 | // include the external vs header file 23 | #include "tsk_vs.h" 24 | 25 | #include 26 | 27 | extern TSK_VS_INFO *tsk_vs_dos_open(TSK_IMG_INFO *, TSK_DADDR_T, uint8_t); 28 | extern TSK_VS_INFO *tsk_vs_mac_open(TSK_IMG_INFO *, TSK_DADDR_T); 29 | extern TSK_VS_INFO *tsk_vs_bsd_open(TSK_IMG_INFO *, TSK_DADDR_T); 30 | extern TSK_VS_INFO *tsk_vs_sun_open(TSK_IMG_INFO *, TSK_DADDR_T); 31 | extern TSK_VS_INFO *tsk_vs_gpt_open(TSK_IMG_INFO *, TSK_DADDR_T); 32 | 33 | extern uint8_t tsk_vs_part_unused(TSK_VS_INFO *); 34 | extern TSK_VS_PART_INFO *tsk_vs_part_add(TSK_VS_INFO *, TSK_DADDR_T, 35 | TSK_DADDR_T, TSK_VS_PART_FLAG_ENUM, char *, int8_t, int8_t); 36 | extern void tsk_vs_part_free(TSK_VS_INFO *); 37 | 38 | // Endian macros - actual functions in misc/ 39 | #define tsk_vs_guessu16(vs, x, mag) \ 40 | tsk_guess_end_u16(&(vs->endian), (x), (mag)) 41 | 42 | #define tsk_vs_guessu32(vs, x, mag) \ 43 | tsk_guess_end_u32(&(vs->endian), (x), (mag)) 44 | 45 | #define tsk_vs_guessu64(vs, x, mag) \ 46 | tsk_guess_end_u64(&(vs->endian), (x), (mag)) 47 | 48 | #endif 49 | -------------------------------------------------------------------------------- /libraries/tsk_builtin/lib/libtsk.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trailofbits/osquery-extensions/3df2b72ad78549e25344c79dbc9bce6808c4d92a/libraries/tsk_builtin/lib/libtsk.lib -------------------------------------------------------------------------------- /mdm_enrollment/.platforms: -------------------------------------------------------------------------------- 1 | APPLE -------------------------------------------------------------------------------- /mdm_enrollment/CMakeLists.txt: 
-------------------------------------------------------------------------------- 1 | # Copyright (c) 2018 Trail of Bits, Inc. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | cmake_minimum_required(VERSION 3.10) 16 | project("mdm_extension") 17 | 18 | function(mdmExtensionMain) 19 | addOsqueryExtensionEx("MDMStatusTablePlugin" "table" "mdm_enrollment_status" 20 | SOURCES mdm_status_extension.cpp 21 | INCLUDEDIRS "${CMAKE_CURRENT_SOURCE_DIR}" 22 | MAININCLUDES mdm_status_extension.h 23 | ) 24 | endfunction() 25 | mdmExtensionMain() 26 | -------------------------------------------------------------------------------- /mdm_enrollment/README.md: -------------------------------------------------------------------------------- 1 | # MDM enrollment status osquery Extension 2 | This plugin provides a simple table that reports MDM enrollment status. It creates a table `mdm_enrollment_status` with the schema below. 
3 | 4 | ## Schema 5 | 6 | | Column | Type | Description | 7 | |----------------|---------|---------------------------------------------------------------------| 8 | | server_url | TEXT | URL of the MDM server | 9 | | dep_enrollment | INTEGER | 1 if enrolled via DEP, 0 otherwise | 10 | | user_approved | INTEGER | 1 if user approved, 0 otherwise | 11 | 12 | ## Additional Notes 13 | The value for the `server_url` column is obtained by invoking `/usr/sbin/system_profiler SPConfigurationProfileDataType` and parsing its output. 14 | 15 | The values for `dep_enrollment` and `user_approved` are obtained by invoking `/usr/bin/profiles status -type enrollment` and parsing its output. 16 | -------------------------------------------------------------------------------- /mdm_enrollment/mdm_status_extension.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2019 Trail of Bits, Inc. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License.
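*/

// NOTE(review): the targets of the three #include directives below were lost
// when this page was extracted (angle-bracket content stripped); restore them
// from the original source before building.
#include
#include
#include

namespace osquery {
/// Table plugin backing the `mdm_enrollment_status` table (registered from the
/// extension's CMakeLists.txt).
class MDMStatusTablePlugin : public TablePlugin {
 private:
  /// Returns the table schema.
  TableColumns columns() const override;

  /// Generates the table rows for the given query.
  TableRows generate(QueryContext& request) override;
};

} // namespace osquery
-------------------------------------------------------------------------------- /network_monitor/.platforms: -------------------------------------------------------------------------------- 1 | LINUX 2 | -------------------------------------------------------------------------------- /network_monitor/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2018 Trail of Bits, Inc. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License.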
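cmake_minimum_required(VERSION 3.12)
project(network_monitor)

function(networkMonitorMain)
  # Source files
  set(project_source_files
    src/main.cpp

    src/dnseventspublisher.h
    src/dnseventspublisher.cpp

    src/dnseventssubscriber.h
    src/dnseventssubscriber.cpp

    src/pcap_utils.h
    src/pcap_utils.cpp

    src/pcapreaderservice.h
    src/pcapreaderservice.cpp
  )

  addOsqueryExtension("${PROJECT_NAME}" ${project_source_files})

  # Import pcap and Pcap++
  ImportDependency("pcap")
  ImportDependency("Pcap++")

  # Reference our pubsub framework, the pcap++ libraries and the thrift
  # implementation used to talk to osquery. pubsub only needs to be listed
  # once; the previous duplicate append has been dropped.
  list(APPEND libraries pubsub)
  list(APPEND libraries Pcap++)
  list(APPEND libraries osquery_extensions_implthrift)

  target_link_libraries("${PROJECT_NAME}" PUBLIC
    ${libraries}
  )
endfunction()

networkMonitorMain()
-------------------------------------------------------------------------------- /network_monitor/README.md: -------------------------------------------------------------------------------- 1 | # Introduction 2 | This is an experimental extension that provides a `dns_events` table that lists the DNS requests and answers happening on the endpoint. 3 | 4 | # Usage 5 | 6 | Note that the `network_monitor` extension, because it drops its privileges at runtime, is not compatible with being bundled together in the single extension with others. It is built and loaded separately from its own extension file, `network_monitor.ext`.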
7 | 8 | ## Configuration options 9 | The configuration file is located at the following path: `/var/osquery/extensions/com/trailofbits/network_monitor.json` 10 | 11 | ``` json 12 | { 13 | "user": "tob_network_monitor_ext", 14 | 15 | "dns_events": { 16 | "interface": "eth0", 17 | "promiscuous": false, 18 | 19 | "max_tcp_conversation_length": 10240, 20 | "max_tcp_conversation_idle_time": 300 21 | } 22 | } 23 | ``` 24 | 25 | **user**: The user the extension switches to when dropping privileges. 26 | **interface**: Interface to monitor. Currently, only one is supported. 27 | **promiscuous**: If enabled, the table will also be able to report DNS requests/answers from other machines on the same network. **You should always consult the network administrator when enabling this setting!** 28 | **max_tcp_conversation_length**: TCP conversations larger than this number of bytes will be ignored. 29 | **max_tcp_conversation_idle_time**: TCP conversations that have been idle for this number of seconds will be ignored. 30 | 31 | # Dropping privileges 32 | 33 | During startup, the extension will perform the following tasks: 34 | 35 | 1. Read the configuration file 36 | 2. Ask osquery where the extension manager socket is located 37 | 3. Update the extension socket's permissions (root:config.user, 770) 38 | 4. Initialize and activate the Pcap handle 39 | 5. Drop privileges 40 | 6. Start the normal event loop 41 | 7. If the configuration changes, the extension prints a warning message and quits. The osquery watchdog is expected to be enabled so that the extension is relaunched and goes through these steps again from the start. 42 | -------------------------------------------------------------------------------- /network_monitor/src/dnseventssubscriber.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2018 Trail of Bits, Inc.
3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | #pragma once 18 | 19 | #include "dnseventspublisher.h" 20 | 21 | #include 22 | #include 23 | 24 | namespace trailofbits { 25 | class DNSEventsSubscriber final 26 | : public BaseEventSubscriber { 27 | public: 28 | /// Returns the friendly publisher name 29 | static const char* name() { 30 | return "dns_events"; 31 | } 32 | 33 | /// Factory function 34 | static osquery::Status create(IEventSubscriberRef& subscriber); 35 | 36 | /// One-time initialization 37 | virtual osquery::Status initialize() noexcept override; 38 | 39 | /// One-time deinitialization 40 | virtual void release() noexcept override; 41 | 42 | /// Called each time the configuration changes 43 | virtual osquery::Status configure( 44 | DNSEventsPublisher::SubscriptionContextRef subscription_context, 45 | const json11::Json& configuration) noexcept override; 46 | 47 | virtual osquery::Status callback( 48 | osquery::TableRows& new_events, 49 | DNSEventsPublisher::SubscriptionContextRef subscription_context, 50 | DNSEventsPublisher::EventContextRef event_context) override; 51 | }; 52 | 53 | DECLARE_SUBSCRIBER(DNSEventsPublisher, DNSEventsSubscriber); 54 | } // namespace trailofbits 55 | -------------------------------------------------------------------------------- /network_monitor/src/pcap_utils.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 
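(c) 2018 Trail of Bits, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#pragma once

// NOTE(review): the targets of the #include directives below were lost when
// this page was extracted (angle-bracket content stripped); restore them from
// the original source before building.
#include

#include
#include

#include

namespace trailofbits {
/// This is the std::unique_ptr deleter used when wrapping pcap handles
void pcapRefDeleter(pcap_t* handle);

/// A pcap handle reference. The deleter type is spelled as the type of
/// `pcapRefDeleter` so the alias and the DeclarePcapRef macro below agree.
/// NOTE(review): the template arguments were lost in extraction and have been
/// reconstructed here — confirm against the original source.
using PcapRef = std::unique_ptr<pcap_t, decltype(&pcapRefDeleter)>;

/// Helper macro used to declare an empty ref for pcap handles
#define DeclarePcapRef(x)   \
  PcapRef x {               \
    nullptr, pcapRefDeleter \
  }

/// A network address with the associated netmask (either IPV4 or IPV6)
struct NetworkAddress final {
  std::string address;
  std::string netmask;
};

/// Describes the properties for a network interface
struct NetworkDeviceInformation final {
  std::string name;
  std::string description;

  std::vector<NetworkAddress> ipv4_address_list;
  std::vector<NetworkAddress> ipv6_address_list;

  /// Interface flags; zero-initialized so that a default-constructed object
  /// never carries an indeterminate value
  bpf_u_int32 flags{0U};
};

/// Creates a new pcap handle for `device_name`. `promiscuous_mode` makes the
/// handle receive traffic addressed to other hosts as well (see the README
/// note about consulting the network administrator before enabling it).
osquery::Status createPcap(PcapRef& ref,
                           const std::string& device_name,
                           int capture_buffer_size,
                           int packet_capture_timeout,
                           bool promiscuous_mode);

/// Returns the device information for the specified network interface
osquery::Status getNetworkDeviceInformation(NetworkDeviceInformation& dev_info,
                                            const std::string& device_name);
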
/// Performs a poll() on the given pcap handle, waiting for new packets 68 | osquery::Status waitForNewPackets(bool& timed_out, 69 | PcapRef& ref, 70 | std::size_t msecs); 71 | } // namespace trailofbits 72 | -------------------------------------------------------------------------------- /ntfs_forensics/.platforms: -------------------------------------------------------------------------------- 1 | WINDOWS -------------------------------------------------------------------------------- /ntfs_forensics/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2018 Trail of Bits, Inc. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | cmake_minimum_required(VERSION 3.10) 16 | project(ntfs_forensics) 17 | 18 | function(ntfs_forensics_main) 19 | set(project_common_source_files 20 | src/ntfs_types.h 21 | 22 | src/diskdevice.h 23 | src/diskdevice.cpp 24 | 25 | src/ntfsfileinformation.h 26 | src/ntfsfileinformation.cpp 27 | 28 | src/ntfsdirectoryindexentry.h 29 | src/ntfsdirectoryindexentry.cpp 30 | 31 | src/ntfsfilenameattributecontents.h 32 | src/ntfsfilenameattributecontents.cpp 33 | 34 | src/diskpartition.h 35 | src/diskpartition.cpp 36 | 37 | src/constraints.h 38 | src/constraints.cpp 39 | ) 40 | 41 | set(project_include_dirs 42 | "${CMAKE_CURRENT_SOURCE_DIR}/src" 43 | ) 44 | 45 | addOsqueryExtensionEx("NTFSFileInfoTablePlugin" "table" "ntfs_file_data" 46 | SOURCES ${project_common_source_files} src/ntfsfileinfotable.h src/ntfsfileinfotable.cpp 47 | INCLUDEDIRS ${project_include_dirs} 48 | MAININCLUDES ntfsfileinfotable.h 49 | LIBRARIES tsk_builtin 50 | ) 51 | 52 | addOsqueryExtensionEx("NTFSPartInfoTablePlugin" "table" "ntfs_part_data" 53 | SOURCES ${project_common_source_files} src/ntfspartinfotable.h src/ntfspartinfotable.cpp 54 | INCLUDEDIRS ${project_include_dirs} 55 | MAININCLUDES ntfspartinfotable.h 56 | LIBRARIES tsk_builtin 57 | ) 58 | 59 | addOsqueryExtensionEx("NTFSINDXTablePugin" "table" "ntfs_indx_data" 60 | SOURCES ${project_common_source_files} src/ntfsindxtable.h src/ntfsindxtable.cpp 61 | INCLUDEDIRS ${project_include_dirs} 62 | MAININCLUDES ntfsindxtable.h 63 | LIBRARIES tsk_builtin 64 | ) 65 | endfunction() 66 | 67 | ntfs_forensics_main() 68 | -------------------------------------------------------------------------------- /ntfs_forensics/README.md: -------------------------------------------------------------------------------- 1 | # NTFS forensic data osquery Extension 2 | 3 | This extension uses the [Sleuthkit](http://www.sleuthkit.org/) library to print forensic information about an NTFS filesystem. 
The library and headers are bundled with this repository, so there is no additional step to build or install Sleuthkit. 4 | 5 | ## Usage 6 | 7 | To quickly test an extension, you can either start it from the osqueryi shell, or launch it manually and wait for it 8 | to connect to the running osquery instance. 9 | 10 | `osqueryi --extension /path/to/trailofbits_osquery_extensions.ext.exe` 11 | 12 | The extension must be run as an Administrator account to have the proper privileges to interact with the system's physical devices. 13 | 14 | Example: 15 | 16 | ``` 17 | $ .\osquery\Release\osqueryi.exe --allow_unsafe --disable_extensions=false --extension .\external\extension_ntfs\Release\ntfs_fo 18 | rensics.ext.exe --interval 19 | Using a virtual database. Need help, type '.help' 20 | CREATE TABLE ntfs_part_data(`device` TEXT, `address` INTEGER, `description` TEXT); 21 | osquery> .schema ntfs_file_data 22 | CREATE TABLE ntfs_file_data(`device` TEXT, `partition` INTEGER, `filename` TEXT, `path` TEXT, `directory` TEXT, `btime` TEXT, `mtime` TEXT, `ctime` TEXT, `atime` TEXT, `fn_btime` TEXT, `fn_mtime` TEXT, `fn_ctime` TEXT, `fn_atime` TEXT, `type` TEXT, `active` TEXT, `flags` TEXT, `ADS` TEXT, `allocated` TEXT, `size` TEXT, `inode` TEXT, `object_id` TEXT, `uid` TEXT, `gid` TEXT, `sid` TEXT, `from_cache` TEXT HIDDEN); 23 | osquery> .schema ntfs_indx_data 24 | CREATE TABLE ntfs_indx_data(`device` TEXT, `partition` TEXT, `parent_inode` TEXT, `parent_path` TEXT, `filename` TEXT, `inode` TEXT, `allocated_size` TEXT, `real_size` TEXT, `btime` TEXT, `mtime` TEXT, `ctime` TEXT, `atime` TEXT, `flags` TEXT, `slack` TEXT); 25 | ``` 26 | 27 | ## Additional Resources 28 | 29 | - The [Collect NTFS forensic information with osquery](https://blog.trailofbits.com/2018/05/28/collect-ntfs-forensic-information-with-osquery/) blog post for information and examples. 30 | - The [example.txt](example.txt) file showing how to use the extension. 
31 | - The [osquery documentation on extensions](https://osquery.readthedocs.io/en/stable/deployment/extensions) for further 32 | information on extensions. 33 | 34 | ## License 35 | 36 | The SleuthKit code in this library is covered under the licenses described on [the SleuthKit License page](https://sleuthkit.org/sleuthkit/licenses.php). 37 | 38 | All other code in this repository is licensed under the [Apache 2.0 license](../LICENSE). 39 | -------------------------------------------------------------------------------- /ntfs_forensics/src/constraints.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2018 Trail of Bits, Inc. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | #pragma once 18 | 19 | #include 20 | 21 | namespace trailofbits { 22 | /// A disk map, also containing the available partitions for each device 23 | using DiskDeviceMap = 24 | std::unordered_map>; 25 | 26 | /// Returns the inode constraints reading the specified key from the SQL 27 | /// request 28 | osquery::Status getParentInodeConstraints( 29 | std::unordered_set& inode_constraints, 30 | const osquery::QueryContext& request, 31 | const std::string& key_name); 32 | 33 | /// Returns a disk device map (device -> partitions) that has been filtered 34 | /// according to the given constraints 35 | osquery::Status getDeviceAndPartitionConstraints( 36 | DiskDeviceMap& device_map, const osquery::QueryContext& request); 37 | } // namespace trailofbits 38 | -------------------------------------------------------------------------------- /ntfs_forensics/src/diskdevice.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2018 Trail of Bits, Inc. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
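*/

#include "diskdevice.h"

namespace trailofbits {
/// Opens the given device/image through The Sleuth Kit. Throws an
/// osquery::Status describing the failure; the public factory `create`
/// converts it into a return value.
DiskDevice::DiskDevice(const std::string& device_name) {
  if (device_name.empty()) {
    throw osquery::Status(1, "Invalid device specified");
  }

  // TSK takes an array of image paths; a single path is passed here and the
  // sector size (last argument) is left at 0 so that TSK detects it.
  const char* paths[1] = {device_name.c_str()};
  img_info = tsk_img_open_utf8(1, paths, TSK_IMG_TYPE_DETECT, 0);
  if (img_info == nullptr) {
    throw osquery::Status(1, "Unable to open the device");
  }
}

/// Factory: builds a DiskDevice into `disk_device` and reports failures as an
/// osquery::Status instead of an exception. On failure `disk_device` is left
/// untouched. Because the function is `noexcept`, every exception type must be
/// caught here; anything escaping would terminate the extension process.
osquery::Status DiskDevice::create(DiskDeviceRef& disk_device,
                                   const std::string& device_name) noexcept {
  try {
    // std::make_shared cannot be used: the constructor is private.
    disk_device.reset(new DiskDevice(device_name));
    return osquery::Status(0);

  } catch (const std::bad_alloc&) {
    return osquery::Status(1, "Memory allocation failure");

  } catch (const osquery::Status& status) {
    return status;

  } catch (...) {
    // Anything else (e.g. a std::exception raised while copying the path)
    // must not escape a noexcept function.
    return osquery::Status(1, "Unexpected error while opening the device");
  }
}

/// Releases the TSK image handle. img_info is never null here because the
/// constructor throws when the open fails.
DiskDevice::~DiskDevice() {
  tsk_img_close(img_info);
}

/// Returns the wrapped TSK image handle; it stays owned by this object.
TSK_IMG_INFO* DiskDevice::imageInfo() {
  return img_info;
}
} // namespace trailofbits
-------------------------------------------------------------------------------- /ntfs_forensics/src/diskdevice.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2018 Trail of Bits, Inc. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License.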
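*/

#pragma once

// NOTE(review): the targets of the #include directives below were lost when
// this page was extracted (angle-bracket content stripped); restore them from
// the original source before building.
#include
#include

#include

#include

#include

// We use an old sleuthkit which incorrectly defines snprintf as _snprintf.
// We should port thirdparty_sleuthkit to Windows and use that eventually.
#undef snprintf

namespace trailofbits {
class DiskDevice;

/// Shared, reference-counted handle to an opened DiskDevice
using DiskDeviceRef = std::shared_ptr<DiskDevice>;

/// This class is a wrapper around the TSK image information type. It owns the
/// TSK_IMG_INFO handle for its whole lifetime and cannot be copied, so the
/// handle is closed exactly once.
class DiskDevice final : private boost::noncopyable {
  TSK_IMG_INFO* img_info{nullptr};

  /// Constructs a new object by opening the specified device. Will throw an
  /// osquery::Status object in case of error. Explicit so that a std::string
  /// never silently converts into an opened device.
  explicit DiskDevice(const std::string& device_name);

 public:
  /// Constructs a new object by opening the specified device. This function
  /// never throws an exception; failures are returned as an osquery::Status
  /// and `disk_device` is left untouched
  static osquery::Status create(DiskDeviceRef& disk_device,
                                const std::string& device_name) noexcept;

  /// Destructor: closes the TSK image handle
  ~DiskDevice();

  /// Returns the wrapped TSK object. The pointer stays owned by this object
  /// and must not outlive it
  TSK_IMG_INFO* imageInfo();
};
} // namespace trailofbits
-------------------------------------------------------------------------------- /ntfs_forensics/src/ntfs_types.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2018 Trail of Bits, Inc. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.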
13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | #pragma once 18 | 19 | #include 20 | #include 21 | #include 22 | 23 | namespace trailofbits { 24 | struct NTFSMFTFileReference final { 25 | uint64_t inode{0U}; 26 | uint32_t sequence{0U}; 27 | }; 28 | 29 | struct NTFSTimestamp final { 30 | uint64_t btime{0U}; 31 | uint64_t mtime{0U}; 32 | uint64_t ctime{0U}; 33 | uint64_t atime{0U}; 34 | }; 35 | 36 | struct NTFSFileInformationFlags final { 37 | bool read_only{false}; 38 | bool hidden{false}; 39 | bool system{false}; 40 | bool archive{false}; 41 | bool device{false}; 42 | bool normal{false}; 43 | bool temporary{false}; 44 | bool sparse{false}; 45 | bool reparse_point{false}; 46 | bool compressed{false}; 47 | bool offline{false}; 48 | bool unindexed{false}; 49 | bool encrypted{false}; 50 | }; 51 | } // namespace trailofbits 52 | -------------------------------------------------------------------------------- /ntfs_forensics/src/ntfsdirectoryindexentry.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2018 Trail of Bits, Inc. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
*/

#include "ntfsdirectoryindexentry.h"

// NOTE(review): the targets of the two #include directives below were lost
// when this page was extracted (angle-bracket content stripped); restore them
// from the original source before building.
#include
#include

namespace trailofbits {
/// Renders the entry as a multi-line "key: value" dump, mainly for debugging
std::string NTFSDirectoryIndexEntry::getStringRep() const {
  std::stringstream stream;

  stream << "inode: " << mft_ref.inode << "\n";
  stream << "seq: " << mft_ref.sequence << "\n";
  stream << "entry_length: " << entry_length << "\n";
  stream << "name_length: " << name_length << "\n";
  stream << "flags: " << flags << "\n";

  stream << "filename: ";
  if (name_length > 0) {
    stream << filename.filename;
  } else {
    stream << "(no name)";
  }
  stream << "\n";

  stream << "child_vcn: " << child_vcn << "\n";
  stream << "slack_addr: " << slack_addr << "\n";

  return stream.str();
}

/// Plausibility check for an index entry parsed from an on-disk INDX record.
/// The bounds below are heuristics that reject the garbage typically found in
/// slack space; they do not by themselves make every field safe to use.
/// NOTE(review): name_length is not cross-checked against entry_length here;
/// any code that sizes a read from name_length must bound it by the entry —
/// confirm in the parser.
bool NTFSDirectoryIndexEntry::valid() const {
  // The embedded $FILE_NAME attribute must itself look plausible
  if (!filename.valid()) {
    return false;
  }

  // 0x52 (82) bytes is the smallest accepted entry — presumably the fixed
  // index-entry header plus the fixed part of $FILE_NAME; 4096 is the upper
  // sanity bound
  if (entry_length < 0x52 || entry_length >= 4096) {
    return false;
  }

  // Only the values 0..3 are admitted for the flag word
  if (flags >= 4) {
    return false;
  }

  return child_vcn < 4096 && name_length < 4096;
}
} // namespace trailofbits -------------------------------------------------------------------------------- /ntfs_forensics/src/ntfsdirectoryindexentry.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2018 Trail of Bits, Inc. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | #pragma once 18 | 19 | #include 20 | #include 21 | 22 | #include 23 | 24 | // We use an old sleuthkit which incorrectly define snprintf as _snprintf.
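// We should port thirdparty_sleuthkit to Windows and use that eventually.
#undef snprintf

#include "ntfs_types.h"
#include "ntfsfilenameattributecontents.h"

namespace trailofbits {
/// One entry of a directory index (INDX record) as parsed from disk. The raw
/// fields are kept as read; `valid()` applies the plausibility bounds used to
/// reject garbage from slack space
struct NTFSDirectoryIndexEntry final {
  /// The MFT entry this index entry refers to
  NTFSMFTFileReference mft_ref;

  /// The embedded $FILE_NAME attribute
  NTFSFileNameAttributeContents filename;

  /// Size of the index entry (bounded by `valid()`)
  uint16_t entry_length{0U};

  /// Name length as stored on disk (units not asserted here — check the
  /// parser before using it to size a read)
  uint16_t name_length{0U};

  /// Index entry flags (only 0..3 pass `valid()`)
  uint32_t flags{0U};

  /// Child node VCN, per its name (bounded by `valid()`)
  uint64_t child_vcn{0U};

  /// Slack address associated with the entry
  uint32_t slack_addr{0U};

  /// Multi-line textual dump of the entry
  std::string getStringRep() const;

  /// Plausibility check; see the implementation for the bounds applied
  bool valid() const;
};

/// A list of directory index entries
using DirEntryList = std::list<NTFSDirectoryIndexEntry>;
} // namespace trailofbits
-------------------------------------------------------------------------------- /ntfs_forensics/src/ntfsfileinformation.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2018 Trail of Bits, Inc. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License.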
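*/

#pragma once

// NOTE(review): the targets of the three #include directives below were lost
// when this page was extracted (angle-bracket content stripped); restore them
// from the original source before building.
#include
#include
#include

#include "ntfs_types.h"
#include "ntfsfilenameattributecontents.h"

namespace trailofbits {
/// Everything the ntfs_file_data table reports for one MFT entry
/// (timestamps, names, flags, ownership and identifiers)
struct NTFSFileInformation final {
  /// Timestamps from the standard information attribute
  NTFSTimestamp standard_info_times;

  /// The $FILE_NAME attribute (carries its own set of timestamps)
  NTFSFileNameAttributeContents filename;

  /// Decoded attribute flags
  NTFSFileInformationFlags flags;

  std::string name;
  std::string path;
  std::string parent_path;
  std::string sid;

  int type{0};
  int active{0};
  /// Raw flag value as read from disk (presumably the source of `flags`)
  uint32_t flag_val{0U};
  /// Alternate data stream information (the `ADS` column)
  int ads{0};
  size_t size{0U};
  uint64_t inode{0U};
  uint32_t seq{0U};
  uint8_t object_id[16]{0U};
  int uid{0};
  uint32_t gid{0U};
  uint32_t owner_id{0U};
  uint32_t secure_id{0U};

  /// Multi-line textual dump of the record
  std::string getStringRep() const;
};

/// A list of file information records
using NTFSFileInformationList = std::list<NTFSFileInformation>;

/// Maps the numeric `type` field to a printable name
std::string typeNameFromInt(int t);
} // namespace trailofbits -------------------------------------------------------------------------------- /ntfs_forensics/src/ntfsfileinfotable.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2018 Trail of Bits, Inc. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License.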
*/

#pragma once

#include
#include

#include
#include

namespace trailofbits {
/// This is the table plugin for ntfs_file_data
class NTFSFileInfoTablePlugin final : public osquery::TablePlugin {
 public:
  /// Returns the table schema
  osquery::TableColumns columns() const override;

  /// Generates the rows of the ntfs_file_data table for the given query
  osquery::TableRows generate(osquery::QueryContext& request) override;
};
} // namespace trailofbits

// Export the class outside the namespace so that osquery can pick it up
// (the extension registration refers to the unqualified name).
using NTFSFileInfoTablePlugin = trailofbits::NTFSFileInfoTablePlugin;

-------------------------------------------------------------------------------- /ntfs_forensics/src/ntfsfilenameattributecontents.cpp: --------------------------------------------------------------------------------
/*
 * Copyright (c) 2018 Trail of Bits, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
*/

#include "ntfsfilenameattributecontents.h"

#include

namespace trailofbits {

/// Plausibility check for the file-name attribute's four timestamps.
///
/// atime, btime, ctime and mtime must each lie strictly between 1990 and one
/// year after the current system time. A value outside that window is taken
/// as a sign that the attribute is not a genuine file record (for example
/// stale or partially overwritten slack data) rather than as a real time.
///
/// All arithmetic is done in FILETIME units: 100 ns ticks since 1601-01-01.
///
/// @return true when every timestamp is inside the window, false otherwise.
bool NTFSFileNameAttributeContents::valid() const {
  // 31,556,952 s (a mean Gregorian year) expressed in 100 ns ticks.
  constexpr uint64_t kTicksPerYear = 315569520000000ULL;

  // FILETIME of 1990: the 1601 -> 1970 epoch offset plus twenty years.
  constexpr uint64_t kLowerBound =
      116444736000000000ULL + (20ULL * kTicksPerYear);

  // Microsoft recommends copying a FILETIME into a ULARGE_INTEGER and doing
  // 64-bit arithmetic on QuadPart instead of touching the two halves.
  FILETIME now;
  ::GetSystemTimeAsFileTime(&now);

  ULARGE_INTEGER upper_bound;
  upper_bound.LowPart = now.dwLowDateTime;
  upper_bound.HighPart = now.dwHighDateTime;
  upper_bound.QuadPart += kTicksPerYear;

  // Strict inequalities on both ends of the window.
  const auto in_window = [&](const auto& ts) {
    return (upper_bound.QuadPart > ts) && (ts > kLowerBound);
  };

  return in_window(file_name_times.atime) &&
         in_window(file_name_times.btime) &&
         in_window(file_name_times.ctime) &&
         in_window(file_name_times.mtime);
}

} // namespace trailofbits

-------------------------------------------------------------------------------- /ntfs_forensics/src/ntfsfilenameattributecontents.h: --------------------------------------------------------------------------------
/*
 * Copyright (c) 2018 Trail of Bits, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#pragma once

#include "ntfs_types.h"

namespace trailofbits {
/// Decoded contents of an NTFS file-name attribute.
struct NTFSFileNameAttributeContents final {
  NTFSMFTFileReference parent; // MFT reference of the containing directory
  NTFSTimestamp file_name_times; // atime/btime/ctime/mtime as stored here
  std::string filename;

  uint64_t allocated_size{0U};
  uint64_t real_size{0U};
  uint32_t flags{0U};
  uint8_t name_length{0U};

  /// Plausibility check: true only when all four file_name_times fall
  /// strictly between 1990 and one year after the current system time
  /// (implemented in ntfsfilenameattributecontents.cpp). Used to reject
  /// garbage that merely looks like an attribute.
  bool valid() const;
};
} // namespace trailofbits
-------------------------------------------------------------------------------- /ntfs_forensics/src/ntfsindxtable.h: --------------------------------------------------------------------------------
/*
 * Copyright (c) 2018 Trail of Bits, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
*/

#pragma once

#include
#include

#include

namespace trailofbits {
/// This is the table plugin for ntfs_indx_data
// NOTE(review): the class name is missing an "l" ("Pugin"). It is re-exported
// below and referenced by the extension registration, so renaming it has to
// be done in every file that uses it at once.
class NTFSINDXTablePugin final : public osquery::TablePlugin {
 public:
  /// Returns the table schema
  osquery::TableColumns columns() const override;

  /// Generates the rows of the ntfs_indx_data table for the given query
  osquery::TableRows generate(osquery::QueryContext& context) override;
};
} // namespace trailofbits

// Export the class outside the namespace so that osquery can pick it up
using NTFSINDXTablePugin = trailofbits::NTFSINDXTablePugin;

-------------------------------------------------------------------------------- /ntfs_forensics/src/ntfspartinfotable.cpp: --------------------------------------------------------------------------------
/*
 * Copyright (c) 2018 Trail of Bits, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
*/

#include "ntfspartinfotable.h"

#include
#include

#include
#include

#include "diskpartition.h"

namespace trailofbits {

/// Schema of the ntfs_part_data table: device name, partition address and a
/// free-text description, one row per partition.
osquery::TableColumns NTFSPartInfoTablePlugin::columns() const {
  using osquery::ColumnOptions;
  // clang-format off
  return {
      std::make_tuple("device", osquery::TEXT_TYPE, ColumnOptions::DEFAULT),
      std::make_tuple("address", osquery::INTEGER_TYPE, ColumnOptions::DEFAULT),
      std::make_tuple("description", osquery::TEXT_TYPE, ColumnOptions::DEFAULT)
  };
  // clang-format on
}

/// Produces one row per entry returned by getPartitionList().
///
/// @param request query context; not consulted, every partition is reported
///                regardless of the constraints in the query.
/// @return the rows of the ntfs_part_data table.
osquery::TableRows NTFSPartInfoTablePlugin::generate(
    osquery::QueryContext& request) {
  static_cast<void>(request);

  osquery::TableRows rows;

  const auto& partitions = getPartitionList();
  for (const auto& partition : partitions) {
    osquery::DynamicTableRowHolder row;

    row["device"] = partition.device;
    row["address"] = std::to_string(partition.part_address);
    row["description"] = partition.descriptor;

    rows.emplace_back(row);
  }

  return rows;
}

} // namespace trailofbits

-------------------------------------------------------------------------------- /ntfs_forensics/src/ntfspartinfotable.h: --------------------------------------------------------------------------------
/*
 * Copyright (c) 2018 Trail of Bits, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
15 | */ 16 | 17 | #pragma once 18 | 19 | #include 20 | #include 21 | 22 | #include 23 | 24 | namespace trailofbits { 25 | /// This is the table plugin for ntfs_part_data 26 | class NTFSPartInfoTablePlugin final : public osquery::TablePlugin { 27 | public: 28 | /// Returns the table schema 29 | osquery::TableColumns columns() const override; 30 | 31 | /// Generates the partition list 32 | osquery::TableRows generate(osquery::QueryContext& request) override; 33 | }; 34 | } // namespace trailofbits 35 | 36 | // Export the class outside the namespace so that osquery can pick it up 37 | using NTFSPartInfoTablePlugin = trailofbits::NTFSPartInfoTablePlugin; 38 | -------------------------------------------------------------------------------- /opt_dependencies/Pcap++/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required(VERSION 3.12) 2 | project(PcapPlusPlusSubModule) 3 | 4 | set(PCAPPLUSPLUS_ROOT "${CMAKE_CURRENT_SOURCE_DIR}/src") 5 | add_subdirectory(cmake_project) 6 | -------------------------------------------------------------------------------- /opt_dependencies/Pcap++/cmake_project/3rdParty/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required(VERSION 3.12) 2 | project(3rdParty) 3 | 4 | add_subdirectory(EndianPortable) 5 | add_subdirectory(LightPcapNg/LightPcapNg) 6 | -------------------------------------------------------------------------------- /opt_dependencies/Pcap++/cmake_project/3rdParty/EndianPortable/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required(VERSION 3.12) 2 | project(EndianPortable) 3 | 4 | function(EndianPortableMain) 5 | set(public_headers_folder "${PCAPPLUSPLUS_ROOT}/3rdParty/EndianPortable/include") 6 | 7 | add_library("${PROJECT_NAME}" INTERFACE) 8 | target_include_directories("${PROJECT_NAME}" SYSTEM INTERFACE 
${public_headers_folder}) 9 | endfunction() 10 | 11 | EndianPortableMain() 12 | -------------------------------------------------------------------------------- /opt_dependencies/Pcap++/cmake_project/3rdParty/LightPcapNg/LightPcapNg/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required(VERSION 3.12) 2 | project(light_pcapng) 3 | 4 | function(LightPcapNgMain) 5 | set(public_headers_folder "${PCAPPLUSPLUS_ROOT}/3rdParty/LightPcapNg/LightPcapNg/include") 6 | 7 | set(public_header_files 8 | "${public_headers_folder}/light_debug.h" 9 | "${public_headers_folder}/light_internal.h" 10 | "${public_headers_folder}/light_pcapng_ext.h" 11 | "${public_headers_folder}/light_pcapng.h" 12 | "${public_headers_folder}/light_platform.h" 13 | "${public_headers_folder}/light_special.h" 14 | "${public_headers_folder}/light_types.h" 15 | "${public_headers_folder}/light_util.h" 16 | ) 17 | 18 | set(source_files 19 | "${PCAPPLUSPLUS_ROOT}/3rdParty/LightPcapNg/LightPcapNg/src/light_advanced.c" 20 | "${PCAPPLUSPLUS_ROOT}/3rdParty/LightPcapNg/LightPcapNg/src/light_alloc.c" 21 | "${PCAPPLUSPLUS_ROOT}/3rdParty/LightPcapNg/LightPcapNg/src/light_internal.c" 22 | "${PCAPPLUSPLUS_ROOT}/3rdParty/LightPcapNg/LightPcapNg/src/light_io.c" 23 | "${PCAPPLUSPLUS_ROOT}/3rdParty/LightPcapNg/LightPcapNg/src/light_manipulate.c" 24 | "${PCAPPLUSPLUS_ROOT}/3rdParty/LightPcapNg/LightPcapNg/src/light_option.c" 25 | "${PCAPPLUSPLUS_ROOT}/3rdParty/LightPcapNg/LightPcapNg/src/light_pcapng.c" 26 | "${PCAPPLUSPLUS_ROOT}/3rdParty/LightPcapNg/LightPcapNg/src/light_pcapng_cont.c" 27 | "${PCAPPLUSPLUS_ROOT}/3rdParty/LightPcapNg/LightPcapNg/src/light_pcapng_ext.c" 28 | "${PCAPPLUSPLUS_ROOT}/3rdParty/LightPcapNg/LightPcapNg/src/light_platform.c" 29 | ) 30 | 31 | set(public_include_folders 32 | "${public_headers_folder}" 33 | ) 34 | 35 | add_library("${PROJECT_NAME}" STATIC ${source_files} ${public_header_files}) 36 | 
target_compile_options("${PROJECT_NAME}" PRIVATE -Wno-error) 37 | target_include_directories("${PROJECT_NAME}" SYSTEM PUBLIC ${public_include_folders}) 38 | endfunction() 39 | 40 | LightPcapNgMain() 41 | -------------------------------------------------------------------------------- /opt_dependencies/Pcap++/cmake_project/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required(VERSION 3.12) 2 | project(PcapPlusPlus) 3 | 4 | function(ImportPcapPlusPlus) 5 | if(NOT PCAPPLUSPLUS_ROOT) 6 | message(SEND_ERROR "The PCAPPLUSPLUS_ROOT variable was not defined") 7 | else() 8 | add_subdirectory("3rdParty") 9 | add_subdirectory("Common++") 10 | add_subdirectory("Pcap++") 11 | add_subdirectory("Packet++") 12 | endif() 13 | endfunction() 14 | 15 | ImportPcapPlusPlus() 16 | -------------------------------------------------------------------------------- /opt_dependencies/Pcap++/cmake_project/Common++/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required(VERSION 3.12) 2 | project(Common++) 3 | 4 | function(CommonPlusPlusMain) 5 | set(public_headers_folder "${PCAPPLUSPLUS_ROOT}/Common++/header") 6 | 7 | set(public_header_files 8 | "${public_headers_folder}/GeneralUtils.h" 9 | "${public_headers_folder}/IpAddress.h" 10 | "${public_headers_folder}/IpUtils.h" 11 | "${public_headers_folder}/Logger.h" 12 | "${public_headers_folder}/LRUList.h" 13 | "${public_headers_folder}/MacAddress.h" 14 | "${public_headers_folder}/PcapPlusPlusVersion.h" 15 | "${public_headers_folder}/PlatformSpecificUtils.h" 16 | "${public_headers_folder}/PointerVector.h" 17 | "${public_headers_folder}/SystemUtils.h" 18 | "${public_headers_folder}/TablePrinter.h" 19 | ) 20 | 21 | set(source_files 22 | "${PCAPPLUSPLUS_ROOT}/Common++/src/GeneralUtils.cpp" 23 | "${PCAPPLUSPLUS_ROOT}/Common++/src/IpAddress.cpp" 24 | "${PCAPPLUSPLUS_ROOT}/Common++/src/IpUtils.cpp" 25 | 
"${PCAPPLUSPLUS_ROOT}/Common++/src/Logger.cpp" 26 | "${PCAPPLUSPLUS_ROOT}/Common++/src/MacAddress.cpp" 27 | "${PCAPPLUSPLUS_ROOT}/Common++/src/PcapPlusPlusVersion.cpp" 28 | "${PCAPPLUSPLUS_ROOT}/Common++/src/SystemUtils.cpp" 29 | "${PCAPPLUSPLUS_ROOT}/Common++/src/TablePrinter.cpp" 30 | ) 31 | 32 | set(public_include_folders 33 | "${public_headers_folder}" 34 | "${PCAPPLUSPLUS_ROOT}/../netinet" 35 | ) 36 | 37 | add_library("${PROJECT_NAME}" STATIC ${source_files} ${public_header_files}) 38 | target_compile_options("${PROJECT_NAME}" PRIVATE -Wno-error) 39 | target_include_directories("${PROJECT_NAME}" SYSTEM PUBLIC ${public_include_folders}) 40 | target_compile_definitions("${PROJECT_NAME}" PUBLIC LINUX) 41 | endfunction() 42 | 43 | CommonPlusPlusMain() 44 | -------------------------------------------------------------------------------- /opt_dependencies/Pcap++/cmake_project/Pcap++/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required(VERSION 3.12) 2 | project(Pcap++) 3 | 4 | function(PcapPlusPlusMain) 5 | set(public_headers_folder "${PCAPPLUSPLUS_ROOT}/Pcap++/header") 6 | 7 | set(public_header_files 8 | "${public_headers_folder}/Device.h" 9 | "${public_headers_folder}/DpdkDevice.h" 10 | "${public_headers_folder}/DpdkDeviceList.h" 11 | "${public_headers_folder}/NetworkUtils.h" 12 | "${public_headers_folder}/PcapDevice.h" 13 | "${public_headers_folder}/PcapFileDevice.h" 14 | "${public_headers_folder}/PcapFilter.h" 15 | "${public_headers_folder}/PcapLiveDevice.h" 16 | "${public_headers_folder}/PcapLiveDeviceList.h" 17 | "${public_headers_folder}/PcapRemoteDevice.h" 18 | "${public_headers_folder}/PcapRemoteDeviceList.h" 19 | "${public_headers_folder}/PfRingDevice.h" 20 | "${public_headers_folder}/PfRingDeviceList.h" 21 | "${public_headers_folder}/RawSocketDevice.h" 22 | "${public_headers_folder}/WinPcapLiveDevice.h" 23 | ) 24 | 25 | set(source_files 26 | 
"${PCAPPLUSPLUS_ROOT}/Pcap++/src/DpdkDevice.cpp" 27 | "${PCAPPLUSPLUS_ROOT}/Pcap++/src/DpdkDeviceList.cpp" 28 | "${PCAPPLUSPLUS_ROOT}/Pcap++/src/NetworkUtils.cpp" 29 | "${PCAPPLUSPLUS_ROOT}/Pcap++/src/PcapDevice.cpp" 30 | "${PCAPPLUSPLUS_ROOT}/Pcap++/src/PcapFileDevice.cpp" 31 | "${PCAPPLUSPLUS_ROOT}/Pcap++/src/PcapFilter.cpp" 32 | "${PCAPPLUSPLUS_ROOT}/Pcap++/src/PcapLiveDevice.cpp" 33 | "${PCAPPLUSPLUS_ROOT}/Pcap++/src/PcapLiveDeviceList.cpp" 34 | "${PCAPPLUSPLUS_ROOT}/Pcap++/src/PcapRemoteDevice.cpp" 35 | "${PCAPPLUSPLUS_ROOT}/Pcap++/src/PcapRemoteDeviceList.cpp" 36 | "${PCAPPLUSPLUS_ROOT}/Pcap++/src/PfRingDevice.cpp" 37 | "${PCAPPLUSPLUS_ROOT}/Pcap++/src/PfRingDeviceList.cpp" 38 | "${PCAPPLUSPLUS_ROOT}/Pcap++/src/RawSocketDevice.cpp" 39 | "${PCAPPLUSPLUS_ROOT}/Pcap++/src/WinPcapLiveDevice.cpp" 40 | ) 41 | 42 | set(public_include_folders 43 | "${public_headers_folder}" 44 | "${PCAPPLUSPLUS_ROOT}/../netinet" 45 | ) 46 | 47 | add_library("${PROJECT_NAME}" STATIC ${source_files} ${public_header_files}) 48 | target_compile_options("${PROJECT_NAME}" PRIVATE -Wno-error) 49 | target_include_directories("${PROJECT_NAME}" PUBLIC ${public_include_folders}) 50 | target_compile_definitions("${PROJECT_NAME}" PUBLIC LINUX) 51 | target_link_libraries("${PROJECT_NAME}" PUBLIC pcap Common++ Packet++ light_pcapng EndianPortable) 52 | endfunction() 53 | 54 | PcapPlusPlusMain() 55 | -------------------------------------------------------------------------------- /opt_dependencies/Pcap++/netinet/ether.h: -------------------------------------------------------------------------------- 1 | /* Functions for storing Ethernet addresses in ASCII and mapping to hostnames. 2 | Copyright (C) 1996-2018 Free Software Foundation, Inc. 3 | This file is part of the GNU C Library. 
4 | 5 | The GNU C Library is free software; you can redistribute it and/or 6 | modify it under the terms of the GNU Lesser General Public 7 | License as published by the Free Software Foundation; either 8 | version 2.1 of the License, or (at your option) any later version. 9 | 10 | The GNU C Library is distributed in the hope that it will be useful, 11 | but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 13 | Lesser General Public License for more details. 14 | 15 | You should have received a copy of the GNU Lesser General Public 16 | License along with the GNU C Library; if not, see 17 | . */ 18 | 19 | #ifndef _NETINET_ETHER_H 20 | #define _NETINET_ETHER_H 1 21 | 22 | #include 23 | 24 | /* Get definition of `struct ether_addr'. */ 25 | #include 26 | 27 | #ifdef __USE_MISC 28 | __BEGIN_DECLS 29 | 30 | /* Convert 48 bit Ethernet ADDRess to ASCII. */ 31 | extern char *ether_ntoa (const struct ether_addr *__addr) __THROW; 32 | extern char *ether_ntoa_r (const struct ether_addr *__addr, char *__buf) 33 | __THROW; 34 | 35 | /* Convert ASCII string S to 48 bit Ethernet address. */ 36 | extern struct ether_addr *ether_aton (const char *__asc) __THROW; 37 | extern struct ether_addr *ether_aton_r (const char *__asc, 38 | struct ether_addr *__addr) __THROW; 39 | 40 | /* Map 48 bit Ethernet number ADDR to HOSTNAME. */ 41 | extern int ether_ntohost (char *__hostname, const struct ether_addr *__addr) 42 | __THROW; 43 | 44 | /* Map HOSTNAME to 48 bit Ethernet address. */ 45 | extern int ether_hostton (const char *__hostname, struct ether_addr *__addr) 46 | __THROW; 47 | 48 | /* Scan LINE and set ADDR and HOSTNAME. */ 49 | extern int ether_line (const char *__line, struct ether_addr *__addr, 50 | char *__hostname) __THROW; 51 | 52 | __END_DECLS 53 | #endif /* Use misc. 
*/ 54 | 55 | #endif /* netinet/ether.h */ 56 | -------------------------------------------------------------------------------- /opt_dependencies/Pcap++/netinet/if_fddi.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 1997-2018 Free Software Foundation, Inc. 2 | This file is part of the GNU C Library. 3 | 4 | The GNU C Library is free software; you can redistribute it and/or 5 | modify it under the terms of the GNU Lesser General Public 6 | License as published by the Free Software Foundation; either 7 | version 2.1 of the License, or (at your option) any later version. 8 | 9 | The GNU C Library is distributed in the hope that it will be useful, 10 | but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 12 | Lesser General Public License for more details. 13 | 14 | You should have received a copy of the GNU Lesser General Public 15 | License along with the GNU C Library; if not, see 16 | . */ 17 | 18 | #ifndef _NETINET_IF_FDDI_H 19 | #define _NETINET_IF_FDDI_H 1 20 | 21 | #include 22 | #include 23 | #include 24 | 25 | #ifdef __USE_MISC 26 | 27 | struct fddi_header { 28 | uint8_t fddi_fc; /* Frame Control (FC) value */ 29 | uint8_t fddi_dhost[FDDI_K_ALEN]; /* Destination host */ 30 | uint8_t fddi_shost[FDDI_K_ALEN]; /* Source host */ 31 | }; 32 | #endif 33 | 34 | #endif /* netinet/if_fddi.h */ 35 | -------------------------------------------------------------------------------- /opt_dependencies/Pcap++/netinet/in_systm.h: -------------------------------------------------------------------------------- 1 | /* System specific type definitions for networking code. 2 | Copyright (C) 1997-2018 Free Software Foundation, Inc. 3 | This file is part of the GNU C Library. 
4 | 5 | The GNU C Library is free software; you can redistribute it and/or 6 | modify it under the terms of the GNU Lesser General Public 7 | License as published by the Free Software Foundation; either 8 | version 2.1 of the License, or (at your option) any later version. 9 | 10 | The GNU C Library is distributed in the hope that it will be useful, 11 | but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 13 | Lesser General Public License for more details. 14 | 15 | You should have received a copy of the GNU Lesser General Public 16 | License along with the GNU C Library; if not, see 17 | . */ 18 | 19 | #ifndef _NETINET_IN_SYSTM_H 20 | #define _NETINET_IN_SYSTM_H 1 21 | 22 | #include 23 | #include 24 | 25 | __BEGIN_DECLS 26 | 27 | /* 28 | * Network order versions of various data types. Unfortunately, BSD 29 | * assumes specific sizes for shorts (16 bit) and longs (32 bit) which 30 | * don't hold in general. As a consequence, the network order versions 31 | * may not reflect the actual size of the native data types. 
32 | */ 33 | 34 | typedef uint16_t n_short; /* short as received from the net */ 35 | typedef uint32_t n_long; /* long as received from the net */ 36 | typedef uint32_t n_time; /* ms since 00:00 GMT, byte rev */ 37 | 38 | __END_DECLS 39 | 40 | #endif /* netinet/in_systm.h */ 41 | -------------------------------------------------------------------------------- /opt_dependencies/json11/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required(VERSION 3.12) 2 | project(json11) 3 | 4 | function(json11Main) 5 | set(source_files 6 | src/json11.hpp 7 | src/json11.cpp 8 | ) 9 | 10 | add_library("${PROJECT_NAME}" STATIC ${source_files}) 11 | 12 | target_include_directories("${PROJECT_NAME}" PUBLIC 13 | "${CMAKE_CURRENT_SOURCE_DIR}/src" 14 | ) 15 | 16 | target_link_libraries("${PROJECT_NAME}" PUBLIC 17 | osquery_cxx_settings 18 | ) 19 | endfunction() 20 | 21 | json11Main() 22 | 23 | -------------------------------------------------------------------------------- /santa/.platforms: -------------------------------------------------------------------------------- 1 | APPLE -------------------------------------------------------------------------------- /santa/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2018 Trail of Bits, Inc. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | cmake_minimum_required(VERSION 3.10) 16 | project(santa) 17 | 18 | function(SantaMain) 19 | set(project_common_source_files 20 | src/santa.h 21 | src/santa.cpp 22 | 23 | src/utils.h 24 | src/utils.cpp 25 | ) 26 | 27 | if(DEFINED PLATFORM_MACOS) 28 | set(project_libraries thirdparty_boost) 29 | endif() 30 | 31 | addOsqueryExtensionEx("SantaRulesTablePlugin" "table" "santa_rules" 32 | SOURCES ${project_common_source_files} src/santarulestable.h src/santarulestable.cpp 33 | INCLUDEDIRS "${CMAKE_CURRENT_SOURCE_DIR}/src" 34 | MAININCLUDES santarulestable.h 35 | LIBRARIES ${project_libraries} 36 | ) 37 | 38 | addOsqueryExtensionEx("SantaAllowedDecisionsTablePlugin" "table" "santa_allowed" 39 | SOURCES ${project_common_source_files} src/santadecisionstable.h src/santadecisionstable.cpp 40 | INCLUDEDIRS "${CMAKE_CURRENT_SOURCE_DIR}/src" 41 | MAININCLUDES santadecisionstable.h 42 | LIBRARIES ${project_libraries} 43 | ) 44 | 45 | addOsqueryExtensionEx("SantaDeniedDecisionsTablePlugin" "table" "santa_denied" 46 | SOURCES ${project_common_source_files} src/santadecisionstable.h src/santadecisionstable.cpp 47 | INCLUDEDIRS "${CMAKE_CURRENT_SOURCE_DIR}/src" 48 | MAININCLUDES santadecisionstable.h 49 | LIBRARIES ${project_libraries} 50 | ) 51 | endfunction() 52 | 53 | SantaMain() 54 | -------------------------------------------------------------------------------- /santa/src/santa.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2018 Trail of Bits, Inc. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#pragma once

#include
#include

/// Which kind of Santa execution decision a log scrape should collect.
enum SantaDecisionType {
  kAllowed,
  kDenied,
};

/// One decision taken from the Santa log, split into the fields the
/// santa_allowed / santa_denied tables expose.
struct LogEntry final {
  std::string timestamp;
  std::string application; // surfaced as the "path" column
  std::string reason;
  std::string sha256; // surfaced as the "shasum" column
};

/// One Santa rule as collected by collectSantaRules().
struct RuleEntry final {
  enum class Type { Binary, Certificate, Unknown };
  enum class State { Whitelist, Blacklist, Unknown };

  Type type;
  State state;
  std::string shasum; // hash the rule applies to (binary or certificate)
  std::string custom_message;
};

using LogEntries = std::list;
using RuleEntries = std::list;

// Name <-> enum conversions for rule type and state. NOTE(review): presumably
// the *FromRuleName forms return the Unknown enumerator for input they do not
// recognise — confirm against santa.cpp before relying on it.
const char* getRuleTypeName(RuleEntry::Type type);
const char* getRuleStateName(RuleEntry::State state);

RuleEntry::Type getTypeFromRuleName(const char* name);
RuleEntry::State getStateFromRuleName(const char* name);

/// Scrapes the Santa log for decisions of the requested type into `response`.
/// @return false on failure; decisionTablesGenerate() then yields no rows.
bool scrapeSantaLog(LogEntries& response, SantaDecisionType decision);

/// Collects the currently configured Santa rules into `response`.
/// @return false on failure.
bool collectSantaRules(RuleEntries& response);

-------------------------------------------------------------------------------- /santa/src/santadecisionstable.cpp: --------------------------------------------------------------------------------
/*
 * Copyright (c) 2018 Trail of Bits, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#include
#include

#include "santa.h"
#include "santadecisionstable.h"

/// Schema shared by the santa_allowed and santa_denied tables: four TEXT
/// columns describing one logged Santa decision.
osquery::TableColumns decisionTablesColumns() {
  const auto text_column = [](const char* name) {
    return std::make_tuple(
        name, osquery::TEXT_TYPE, osquery::ColumnOptions::DEFAULT);
  };

  return {
      text_column("timestamp"),
      text_column("path"),
      text_column("shasum"),
      text_column("reason"),
  };
}

/// Builds the rows for one of the two decision tables.
///
/// @param request  query context; not consulted, scrapeSantaLog() only
///                 receives the decision type.
/// @param decision which decisions (allowed or denied) to scrape for.
/// @return one row per scraped log entry; an empty table when the scrape
///         fails, which callers cannot tell apart from "nothing logged".
osquery::TableRows decisionTablesGenerate(osquery::QueryContext& request,
                                          SantaDecisionType decision) {
  static_cast<void>(request);

  LogEntries entries;
  if (!scrapeSantaLog(entries, decision)) {
    return {};
  }

  osquery::TableRows rows;
  for (const auto& entry : entries) {
    osquery::DynamicTableRowHolder row;
    row["timestamp"] = entry.timestamp;
    row["path"] = entry.application;
    row["shasum"] = entry.sha256;
    row["reason"] = entry.reason;

    rows.emplace_back(row);
  }

  return rows;
}

/// santa_allowed: delegates with the class's fixed decision type.
osquery::TableRows SantaAllowedDecisionsTablePlugin::generate(
    osquery::QueryContext& request) {
  return decisionTablesGenerate(request, decision);
}

/// santa_denied: delegates with the class's fixed decision type.
osquery::TableRows SantaDeniedDecisionsTablePlugin::generate(
    osquery::QueryContext& request) {
  return decisionTablesGenerate(request, decision);
}

osquery::TableColumns SantaAllowedDecisionsTablePlugin::columns() const {
  return decisionTablesColumns();
}

osquery::TableColumns SantaDeniedDecisionsTablePlugin::columns() const {
  return decisionTablesColumns();
}

-------------------------------------------------------------------------------- /santa/src/santadecisionstable.h: --------------------------------------------------------------------------------
/*
 * Copyright (c) 2018 Trail of Bits, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
*/

#pragma once

#include

#include "santa.h"

/// Table plugin for santa_allowed: the "allowed" decisions scraped from the
/// Santa log (rows are built by decisionTablesGenerate() in the .cpp).
class SantaAllowedDecisionsTablePlugin final : public osquery::TablePlugin {
 private:
  // Decision type handed to scrapeSantaLog(); the only thing that
  // distinguishes this class from SantaDeniedDecisionsTablePlugin.
  static const SantaDecisionType decision = kAllowed;
  // Private overrides are still reachable through the TablePlugin base.
  osquery::TableColumns columns() const override;

  osquery::TableRows generate(osquery::QueryContext& request) override;
};

/// Table plugin for santa_denied: the "denied" decisions scraped from the
/// Santa log (rows are built by decisionTablesGenerate() in the .cpp).
class SantaDeniedDecisionsTablePlugin final : public osquery::TablePlugin {
 private:
  // Decision type handed to scrapeSantaLog().
  static const SantaDecisionType decision = kDenied;
  osquery::TableColumns columns() const override;

  osquery::TableRows generate(osquery::QueryContext& request) override;
};

-------------------------------------------------------------------------------- /santa/src/santarulestable.h: --------------------------------------------------------------------------------
/*
 * Copyright (c) 2018 Trail of Bits, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
15 | */ 16 | 17 | #pragma once 18 | 19 | #include 20 | 21 | /* Read/write osquery table over Santa's rules. insert(), delete_() and update() are mutating entry points: a query issued through osquery presumably alters the rule set Santa enforces (confirm in santarulestable.cpp), so write access to this table should be treated as the ability to administer Santa rules. */ class SantaRulesTablePlugin final : public osquery::TablePlugin { 22 | private: 23 | struct PrivateData; 24 | /* pimpl. NOTE(review): the unique_ptr template argument (PrivateData) is missing in this listing, most likely lost when the page was extracted. */ std::unique_ptr d; 25 | 26 | /* Fills `row` from the request payload. NOTE(review): the parameter name suggests a JSON value array coming from osquery — confirm against the .cpp. */ static osquery::Status GetRowData(osquery::Row& row, 27 | const std::string& json_value_array); 28 | 29 | public: 30 | SantaRulesTablePlugin(); 31 | virtual ~SantaRulesTablePlugin(); 32 | 33 | private: 34 | /* osquery::TablePlugin overrides; bodies are in santarulestable.cpp. */ virtual osquery::TableColumns columns() const override; 35 | 36 | virtual osquery::TableRows generate(osquery::QueryContext& request) override; 37 | 38 | virtual osquery::QueryData insert( 39 | osquery::QueryContext& context, 40 | const osquery::PluginRequest& request) override; 41 | 42 | virtual osquery::QueryData delete_( 43 | osquery::QueryContext& context, 44 | const osquery::PluginRequest& request) override; 45 | 46 | virtual osquery::QueryData update( 47 | osquery::QueryContext& context, 48 | const osquery::PluginRequest& request) override; 49 | 50 | /* Refreshes the cached rule set; presumably run after a mutating query — confirm in the .cpp. */ osquery::Status updateRules(); 51 | }; 52 | -------------------------------------------------------------------------------- /santa/src/utils.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2018 Trail of Bits, Inc. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | #include "utils.h" 18 | 19 | #include 20 | #include 21 | 22 | namespace boostproc = boost::process; 23 | namespace boostasio = boost::asio; 24 | 25 | /* Runs the executable at `path` with `args` and captures its stdout, stderr and exit code into `output`. The argument vector is handed to boost::process::child as boostproc::args, so the command is not passed through a shell and arguments are not re-parsed; `path` is used as given (no search_path lookup here), so callers are expected to supply the full path. Returns false when launching or reading fails. Because std_output is assigned before std_error, `output` may be partially filled on a failed call. NOTE(review): the std::future and std::vector template arguments are missing in this listing, probably lost in extraction. */ bool ExecuteProcess(ProcessOutput& output, 26 | const std::string& path, 27 | const std::vector& args) { 28 | /* reset every field, including exit_code, which has no default in ProcessOutput */ output = {}; 29 | 30 | try { 31 | std::future process_stdout; 32 | std::future process_stderr; 33 | 34 | boostasio::io_service io_service; 35 | 36 | // clang-format off 37 | boostproc::child process( 38 | path, boostproc::args(args), 39 | boostproc::std_out > process_stdout, 40 | boostproc::std_err > process_stderr, 41 | io_service 42 | ); 43 | // clang-format on 44 | 45 | /* pumps the asynchronous pipe reads; the two futures are ready once this returns */ io_service.run(); 46 | 47 | output.std_output = process_stdout.get(); 48 | output.std_error = process_stderr.get(); 49 | output.exit_code = process.exit_code(); 50 | 51 | return true; 52 | 53 | /* any launch or read failure is reported as false; the underlying error is not surfaced to the caller */ } catch (...) { 54 | return false; 55 | } 56 | } -------------------------------------------------------------------------------- /santa/src/utils.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2018 Trail of Bits, Inc. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | #pragma once 18 | 19 | #include 20 | #include 21 | 22 | /* Result of ExecuteProcess(): the captured stdout and stderr text plus the child's exit code. */ struct ProcessOutput final { 23 | std::string std_output; 24 | std::string std_error; 25 | /* not default-initialized here; ExecuteProcess() resets the whole struct (output = {}) before filling it */ int exit_code; 26 | }; 27 | 28 | /* Runs `path` with the given argument vector (no shell) and fills `output`. Returns false on any failure, in which case `output` may be only partially filled and should not be relied on. */ bool ExecuteProcess(ProcessOutput& output, 29 | const std::string& path, 30 | const std::vector& args); 31 | -------------------------------------------------------------------------------- /windows_sync_objects/.platforms: -------------------------------------------------------------------------------- 1 | WINDOWS 2 | -------------------------------------------------------------------------------- /windows_sync_objects/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2018 Trail of Bits, Inc. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | cmake_minimum_required(VERSION 3.10) 16 | project(windows_sync_objects) 17 | 18 | function(windows_sync_objects_main) 19 | set(project_common_source_files 20 | src/winapi.h 21 | 22 | src/objectmanager.h 23 | src/objectmanager.cpp 24 | 25 | src/windowssyncobjects.h 26 | src/windowssyncobjects.cpp 27 | ) 28 | 29 | set(project_include_dirs 30 | "${TOB_EXTENSIONS_ROOT}" 31 | "${CMAKE_CURRENT_SOURCE_DIR}/src" 32 | ) 33 | 34 | addOsqueryExtensionEx("WindowsSyncObjectsTablePlugin" "table" "windows_sync_objects" 35 | SOURCES ${project_common_source_files} 36 | INCLUDEDIRS ${project_include_dirs} 37 | MAININCLUDES windowssyncobjects.h 38 | LIBRARIES 39 | ) 40 | endfunction() 41 | 42 | windows_sync_objects_main() 43 | -------------------------------------------------------------------------------- /windows_sync_objects/README.md: -------------------------------------------------------------------------------- 1 | # windows_sync_objects Extension 2 | 3 | This extension provides a list of all mutants, semaphores and events on the system. Additionally, the user is able to create and destroy their own objects using INSERT and DELETE queries. 4 | 5 | **Note**: with more recent versions of osquery, you must pass the `--extensions_default_index=false` option (or set the appropriate option in a configuration file). Otherwise all `INSERT` and `UPDATE` statements will fail with `Error: datatype mismatch` errors. 
6 | 7 | ## Schema 8 | 9 | | Column | Type | Description | 10 | |----------------|------|------------------------------------------------| 11 | | type | TEXT | Either Mutant, Event or Semaphore | 12 | | path | TEXT | The folder path | 13 | | name | TEXT | The object name | 14 | | field1_name | TEXT | Name for custom field 1 | 15 | | field1_value | TEXT | Value for custom field 1 | 16 | | field2_name | TEXT | Name for custom field 2 | 17 | | field2_value | TEXT | Value for custom field 2 | 18 | | field3_name | TEXT | Name for custom field 3 | 19 | | field3_value | TEXT | Value for custom field 3 | 20 | 21 | ### Event objects 22 | 1. **field1**: Notification or Synchronization. 23 | 2. **field2**: Signaled 24 | 25 | ### Mutant objects 26 | 1. **field1**: CurrentCount 27 | 2. **field2**: OwnedByCaller 28 | 3. **field3**: AbandonedState 29 | 30 | ### Semaphore objects 31 | 1. **field1**: CurrentCount 32 | 2. **field2**: MaximumCount 33 | 34 | 35 | ## Usage 36 | 37 | ### Creating a new mutant object 38 | ``` sql 39 | INSERT INTO windows_sync_objects 40 | (type, path, name) 41 | 42 | VALUES 43 | ('Mutant', '\BaseNamedObjects', 'trailofbits_mutex'); 44 | ``` 45 | 46 | ### Removing an object 47 | 48 | ``` sql 49 | DELETE FROM windows_sync_objects 50 | WHERE name = 'trailofbits_mutex'; 51 | ``` 52 | 53 | ## License 54 | The code in this repository is licensed under the [Apache 2.0 license](../LICENSE). 55 | -------------------------------------------------------------------------------- /windows_sync_objects/src/objectmanager.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2018 Trail of Bits, Inc. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | #pragma once 18 | 19 | #include 20 | 21 | #include 22 | 23 | namespace trailofbits { 24 | /* One synchronization object reported by EnumObObjects(). `type` is expected to say which union member is meaningful; the union has no initializer, so readers must check `type` before touching event_data, mutant_data or semaphore_data. */ struct ObjectDescriptor final { 25 | enum class Type { Semaphore, Mutant, Event }; 26 | 27 | /* Valid when type == Type::Event. */ struct EventData final { 28 | enum class Type { Unknown, NotificationEvent, SynchronizationEvent }; 29 | 30 | Type type; 31 | bool signaled; 32 | }; 33 | 34 | /* Valid when type == Type::Mutant. */ struct MutantData final { 35 | std::int32_t current_count; 36 | bool owned_by_caller; 37 | bool abandoned_state; 38 | }; 39 | 40 | /* Valid when type == Type::Semaphore. */ struct SemaphoreData final { 41 | std::uint32_t current_count; 42 | std::uint32_t maximum_count; 43 | }; 44 | 45 | std::string path; 46 | std::string name; 47 | Type type; 48 | 49 | union { 50 | EventData event_data; 51 | MutantData mutant_data; 52 | SemaphoreData semaphore_data; 53 | }; 54 | }; 55 | 56 | /* Raw (void*) handles produced by the Generate* functions below; the caller presumably owns them and releases each with the matching Destroy* function. */ using MutantHandle = void*; 57 | using SemaphoreHandle = void*; 58 | using EventHandle = void*; 59 | 60 | /* Called once per enumerated object; `user_defined` is the pointer given to EnumObObjects(). NOTE(review): the bool result presumably controls whether enumeration continues — confirm in objectmanager.cpp. */ using EnumObObjectsCallback = 61 | bool (*)(const ObjectDescriptor& object_descriptor, void* user_defined); 62 | 63 | enum class EventType { Notification, Synchronization }; 64 | 65 | /* Enumerates the mutants, semaphores and events visible to the process, invoking `callback` for each one. */ void EnumObObjects(EnumObObjectsCallback callback, void* user_defined); 66 | 67 | /* Creates a named mutant under `path` with `name` and returns it through `handle`; the Status reports failure. */ osquery::Status GenerateMutant(MutantHandle& handle, 68 | const std::string& path, 69 | const std::string& name); 70 | 71 | /* Releases a handle obtained from GenerateMutant(); returns false on failure. */ bool DestroyMutant(MutantHandle handle); 72 | 73 | /* Creates a named event of the given EventType under `path`; see GenerateMutant() for the handle contract. */ osquery::Status GenerateEvent(EventHandle& handle, 74 | const std::string& path, 75 | const std::string& name, 76 | EventType type); 77 | 78 | bool DestroyEvent(EventHandle handle); 79 | 80 | 
/* Creates a named semaphore under `path`; see GenerateMutant() for the handle contract. */ osquery::Status GenerateSemaphore(SemaphoreHandle& handle, 81 | const std::string& path, 82 | const std::string& name); 83 | 84 | bool DestroySemaphore(SemaphoreHandle handle); 85 | } // namespace trailofbits 86 | -------------------------------------------------------------------------------- /windows_sync_objects/src/windowssyncobjects.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2018 Trail of Bits, Inc. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | #pragma once 18 | 19 | #include 20 | 21 | #include 22 | 23 | namespace trailofbits { 24 | /* osquery table over Windows mutants, semaphores and events (see objectmanager.h). INSERT creates a new named synchronization object on the host and DELETE removes one, so write access to this table amounts to the ability to create and remove such objects; only objects created by this extension can be deleted (see delete_). NOTE(review): none of the TablePlugin overrides below carry `override`; adding it would catch signature drift against the osquery SDK at compile time. */ class WindowsSyncObjectsTable final : public osquery::TablePlugin { 25 | public: 26 | WindowsSyncObjectsTable(); 27 | virtual ~WindowsSyncObjectsTable(); 28 | 29 | /// Returns the table schema 30 | osquery::TableColumns columns() const; 31 | 32 | /// Generates the table rows 33 | osquery::TableRows generate(osquery::QueryContext& context); 34 | 35 | /// Inserts a new synchronization object into the table 36 | osquery::QueryData insert(osquery::QueryContext& context, 37 | const osquery::PluginRequest& request); 38 | 39 | /// Deletes an existing synchronization object from the table; only objects 40 | /// created by this extension can be removed 41 | osquery::QueryData delete_(osquery::QueryContext& context, 42 | const osquery::PluginRequest& request); 43 | 44 | /// As updates are not supported, this method returns an error 45 | osquery::QueryData update(osquery::QueryContext& context, 46 | const osquery::PluginRequest& request); 47 | 48 | private: 49 | struct PrivateData; 50 | 51 | /// Private class data 52 | /* NOTE(review): the unique_ptr template argument (PrivateData) is missing in this listing, most likely lost in extraction. */ std::unique_ptr d; 53 | 54 | /// Deserializes the JSON data received from osquery 55 | /* NOTE(review): declared as an instance method here while the equivalent helper in santarulestable.h is static; the two could be aligned. */ osquery::Status GetRowData(osquery::Row& row, 56 | const std::string& json_value_array); 57 | }; 58 | } // namespace trailofbits 59 | 60 | // Export the class outside the namespace so that osquery can pick it up 61 | using WindowsSyncObjectsTablePlugin = trailofbits::WindowsSyncObjectsTable; 62 | --------------------------------------------------------------------------------