Etw service (Velocidex#3069)

Changed watch_etw to support multiple providers under a single session.
Should address issue Velocidex#2944 .

---------

Co-authored-by: Mike Cohen <mike@velocidex.com>

artifacts/testdata/windows/etw.in.yaml

@@ -0,0 +1,59 @@
+Parameters:
+  GUID1: "{70eb4f03-c1de-4f73-a051-33d13d5413bd}"
+  GUID2: '{A669021C-C450-4609-A035-5AF59AF4DF18}'
+
+Queries:
+  - LET SessionExists = SELECT Stdout =~ "VeloTest2"
+    FROM execve(argv=["logman", "query", "-ets"])
+
+  # Check that two queries for the same provider apply 2 watchers.
+  - SELECT ProviderGUID, {
+        SELECT * FROM profile(type="ETW")
+        WHERE SessionName =~ "VeloTest2"
+    } AS Profile, SessionExists[0]
+    FROM chain(async=TRUE,
+      a={
+         SELECT * FROM watch_etw(guid=GUID1, name="VeloTest2", timeout=5)
+      }, b={
+         SELECT * FROM watch_etw(guid=GUID1, name="VeloTest2", timeout=5)
+      })
+    WHERE Profile.Watchers = 2
+    LIMIT 1
+
+  - SELECT sleep(time=1) FROM scope()
+
+  # Now Check that session is removed.
+  - SELECT * FROM profile(type="ETW") WHERE SessionName =~ "VeloTest2"
+
+  # Now Check two queries to different proviers
+  - SELECT {
+      SELECT * FROM profile(type="ETW")
+      WHERE SessionName =~ "VeloTest2"
+      ORDER BY GUID
+    } AS Profile, SessionExists[0]
+    FROM chain(async=TRUE,
+      a={
+         SELECT * FROM watch_etw(guid=GUID1, name="VeloTest2", timeout=5)
+      }, b={
+         SELECT * FROM watch_etw(guid=GUID2, name="VeloTest2", timeout=5)
+      })
+    LIMIT 1
+
+  # Check that GUID1 is removed when no one is interested any more
+  - SELECT {
+      SELECT * FROM profile(type="ETW")
+      WHERE SessionName =~ "VeloTest2"
+    } AS Profile, SessionExists[0]
+    FROM chain(async=TRUE,
+      a={
+         SELECT * FROM watch_etw(guid=GUID2, name="VeloTest2", timeout=5)
+      }, b={
+         SELECT * FROM watch_etw(guid=GUID2, name="VeloTest2", timeout=5)
+      })
+    LIMIT 1
+
+  - SELECT sleep(time=1) FROM scope()
+
+  # Now make sure that the session is actually removed when there are
+  # no interested parties.
+  - SELECT * FROM SessionExists

artifacts/testdata/windows/etw.out.yaml

@@ -0,0 +1,54 @@
+LET SessionExists = SELECT Stdout =~ "VeloTest2" FROM execve(argv=["logman", "query", "-ets"])[]SELECT ProviderGUID, { SELECT * FROM profile(type="ETW") WHERE SessionName =~ "VeloTest2" } AS Profile, SessionExists[0] FROM chain(async=TRUE, a={ SELECT * FROM watch_etw(guid=GUID1, name="VeloTest2", timeout=5) }, b={ SELECT * FROM watch_etw(guid=GUID1, name="VeloTest2", timeout=5) }) WHERE Profile.Watchers = 2 LIMIT 1[
+ {
+  "ProviderGUID": "{70EB4F03-C1DE-4F73-A051-33D13D5413BD}",
+  "Profile": {
+   "SessionName": "VeloTest2",
+   "GUID": "{70EB4F03-C1DE-4F73-A051-33D13D5413BD}",
+   "Watchers": 2
+  },
+  "SessionExists[0]": {
+   "Stdout =~ \"VeloTest2\"": true
+  }
+ }
+]SELECT sleep(time=1) FROM scope()[
+ {
+  "sleep(time=1)": true
+ }
+]SELECT * FROM profile(type="ETW") WHERE SessionName =~ "VeloTest2"[]SELECT { SELECT * FROM profile(type="ETW") WHERE SessionName =~ "VeloTest2" ORDER BY GUID } AS Profile, SessionExists[0] FROM chain(async=TRUE, a={ SELECT * FROM watch_etw(guid=GUID1, name="VeloTest2", timeout=5) }, b={ SELECT * FROM watch_etw(guid=GUID2, name="VeloTest2", timeout=5) }) LIMIT 1[
+ {
+  "Profile": [
+   {
+    "SessionName": "VeloTest2",
+    "GUID": "{70EB4F03-C1DE-4F73-A051-33D13D5413BD}",
+    "Watchers": 1
+   },
+   {
+    "SessionName": "VeloTest2",
+    "GUID": "{A669021C-C450-4609-A035-5AF59AF4DF18}",
+    "Watchers": 1
+   }
+  ],
+  "SessionExists[0]": {
+   "Stdout =~ \"VeloTest2\"": true
+  }
+ }
+]SELECT { SELECT * FROM profile(type="ETW") WHERE SessionName =~ "VeloTest2" } AS Profile, SessionExists[0] FROM chain(async=TRUE, a={ SELECT * FROM watch_etw(guid=GUID2, name="VeloTest2", timeout=5) }, b={ SELECT * FROM watch_etw(guid=GUID2, name="VeloTest2", timeout=5) }) LIMIT 1[
+ {
+  "Profile": {
+   "SessionName": "VeloTest2",
+   "GUID": "{A669021C-C450-4609-A035-5AF59AF4DF18}",
+   "Watchers": 2
+  },
+  "SessionExists[0]": {
+   "Stdout =~ \"VeloTest2\"": true
+  }
+ }
+]SELECT sleep(time=1) FROM scope()[
+ {
+  "sleep(time=1)": true
+ }
+]SELECT * FROM SessionExists[
+ {
+  "Stdout =~ \"VeloTest2\"": false
+ }
+]

docs/references/vql.yaml

@@ -391,6 +391,8 @@
     artifact.
   type: Plugin
   category: windows
+  metadata:
+    permissions: MACHINE_STATE
 - name: chain
   description: |
     Chain the output of several queries into the same table.
@@ -2163,6 +2165,8 @@
     description: If specified only get handles of this type.
     repeated: true
   category: windows
+  metadata:
+    permissions: MACHINE_STATE
 - name: hash
   description: |
     Calculate the hash of a file.
@@ -2542,6 +2546,9 @@
   - name: description
     type: string
     description: Update hunt description
+  - name: expires
+    type: time.Time
+    description: Update hunt expiry
   metadata:
     permissions: START_HUNT
 - name: hunts
@@ -3081,7 +3088,14 @@
 - name: lookupSID
   description: Get information about the SID.
   type: Function
+  args:
+  - name: sid
+    type: string
+    description: 'A SID to lookup using LookupAccountSid '
+    required: true
   category: windows
+  metadata:
+    permissions: MACHINE_STATE
 - name: lowcase
   description: Returns the lowercase version of a string.
   type: Function
@@ -3444,6 +3458,8 @@
     description: The PID to dump out.
     required: true
   category: windows
+  metadata:
+    permissions: MACHINE_STATE
 - name: monitoring
   description: Extract monitoring log from a client. If client_id is not specified
     we watch the global journal which contains event logs from all clients.
@@ -4596,6 +4612,8 @@
     description: The PID to dump out.
     required: true
   category: windows
+  metadata:
+    permissions: MACHINE_STATE
 - name: proc_yara
   description: |
     Scan processes using yara rules.
@@ -4780,8 +4798,7 @@
   args:
   - name: pid
     type: int64
-    description: A pid to list. If this is provided we are able to operate much faster
-      by only opening a single process.
+    description: A process ID to list. If not provided list all processes.
   category: plugin
   metadata:
     permissions: MACHINE_STATE
@@ -5965,6 +5982,8 @@
     description: The PID to get the token for.
     required: true
   category: windows
+  metadata:
+    permissions: MACHINE_STATE
 - name: trace
   description: Upload a trace file.
   type: Function
@@ -6624,6 +6643,13 @@
   - name: level
     type: int64
     description: Log level (0-5)
+  - name: stop
+    type: vfilter.Lambda
+    description: If provided we stop watching automatically when this lambda returns
+      true
+  - name: timeout
+    type: uint64
+    description: If provided we stop after this much time
   category: event
 - name: watch_evtx
   description: |
@@ -6711,6 +6737,8 @@
     type: string
     description: Object namespace path.
   category: windows
+  metadata:
+    permissions: MACHINE_STATE
 - name: wmi
   description: |
     Execute simple WMI queries synchronously.
@@ -6730,6 +6758,8 @@
     type: string
     description: The WMI namespace to use (ROOT/CIMV2)
   category: windows
+  metadata:
+    permissions: MACHINE_STATE
 - name: wmi_events
   description: |
     Executes an evented WMI queries asynchronously.
@@ -6750,6 +6780,8 @@
     description: Wait this many seconds for events and then quit.
     required: true
   category: event
+  metadata:
+    permissions: MACHINE_STATE
 - name: write_crypto_file
   description: Write a query into an encrypted local storage file.
   type: Plugin

go.mod

@@ -8,7 +8,7 @@ require (
 	github.com/Showmax/go-fqdn v1.0.0
 	github.com/Velocidex/ahocorasick v0.0.0-20180712114356-e1c353eeaaee
 	github.com/Velocidex/amsi v0.0.0-20200608120838-e5d93b76f119
-	github.com/Velocidex/etw v0.0.0-20210723072214-4d0cffd1ff22
+	github.com/Velocidex/etw v0.0.0-20231112235748-6aa453259070
 	github.com/Velocidex/go-elasticsearch/v7 v7.3.1-0.20191001125819-fee0ef9cac6b
 	github.com/Velocidex/go-magic v0.0.0-20211018155418-c5dc48282f28
 	github.com/Velocidex/go-yara v1.1.10-0.20221202090138-c7dde4c43aa4
@@ -82,7 +82,7 @@ require (
 	golang.org/x/crypto v0.14.0
 	golang.org/x/mod v0.10.0
 	golang.org/x/net v0.17.0
-	golang.org/x/sys v0.13.0
+	golang.org/x/sys v0.14.0
 	golang.org/x/text v0.13.0 // indirect
 	golang.org/x/time v0.3.0
 	google.golang.org/api v0.146.0

go.sum

@@ -112,8 +112,8 @@ github.com/Velocidex/chroma v0.6.8-0.20200418131129-82edc291369c h1:ipQHX4FX5HKR
 github.com/Velocidex/chroma v0.6.8-0.20200418131129-82edc291369c/go.mod h1:sko8vR34/90zvl5QdcUdvzL3J8NKjAUx9va9jPuFNoM=
 github.com/Velocidex/errors v0.0.0-20221019164655-9ace6bf61e26 h1:VwbeNpMRuS3bRieg7WLaSYIMaI8RjH/wGxd37oj6H1g=
 github.com/Velocidex/errors v0.0.0-20221019164655-9ace6bf61e26/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
-github.com/Velocidex/etw v0.0.0-20210723072214-4d0cffd1ff22 h1:dDMLVs1Uj4xuKsYH1T/J6W+wJyWeyfmkT9RQq27WzTs=
-github.com/Velocidex/etw v0.0.0-20210723072214-4d0cffd1ff22/go.mod h1:F3/xFKE2Puol7bJKW5xcj/9H2O8n/sJN87Xgm66G6sc=
+github.com/Velocidex/etw v0.0.0-20231112235748-6aa453259070 h1:FfB/6jJgyvpKfSoHctv4gSs1DEFFzfFdK7V5x688wp8=
+github.com/Velocidex/etw v0.0.0-20231112235748-6aa453259070/go.mod h1:F3/xFKE2Puol7bJKW5xcj/9H2O8n/sJN87Xgm66G6sc=
 github.com/Velocidex/file-rotatelogs v0.0.0-20211221020724-d12e4dae4e11 h1:pQY9p6hvmbFKXJg8suzGSG9/t8Ij9ece32GUFIdHgqg=
 github.com/Velocidex/file-rotatelogs v0.0.0-20211221020724-d12e4dae4e11/go.mod h1:Ya1f4Kowt2GC7gbnu1MbNncvI1Lp3i1plN2xLiETJfg=
 github.com/Velocidex/go-elasticsearch/v7 v7.3.1-0.20191001125819-fee0ef9cac6b h1:XaAmLVXrqPv60nbiQtzj5Sch7lwz3XH8x5IocQwRPJg=
@@ -929,8 +929,8 @@ golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
-golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.14.0 h1:Vz7Qs629MkJkGyHxUlRHizWJRG2j8fbQKjELVSNhy7Q=
+golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210503060354-a79de5458b56/go.mod h1:tfny5GFUkzUvx4ps4ajbZsCe5lw1metzhBm9T3x7oIY=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=