

Added a remapping export to Windows.Registry.NTUser (#2170)
This makes it easy to automate raw registry parsing for any registry
artifacts by making it trivial to remap the raw hives into the VQL
scope - reusing the same VQL.

Also added a usage example with Windows.Registry.Sysinternals.Eulacheck
scudette authored Oct 20, 2022
1 parent be6d1f0 commit 75f39f8
Showing 23 changed files with 367 additions and 258 deletions.
140 changes: 71 additions & 69 deletions api/api.go


27 changes: 13 additions & 14 deletions api/artifacts.go
Expand Up @@ -19,7 +19,6 @@ package api

import (
"bytes"
"errors"
"fmt"
"io/ioutil"
"regexp"
Expand Down Expand Up @@ -116,7 +115,7 @@ func setArtifactFile(config_obj *config_proto.Config, principal string,

manager, err := services.GetRepositoryManager(config_obj)
if err != nil {
return nil, err
return nil, Status(config_obj.Verbose, err)
}

switch in.Op {
Expand All @@ -127,11 +126,11 @@ func setArtifactFile(config_obj *config_proto.Config, principal string,
artifact_definition, err := tmp_repository.LoadYaml(
in.Artifact, true /* validate */, false /* built_in */)
if err != nil {
return nil, err
return nil, Status(config_obj.Verbose, err)
}

if !strings.HasPrefix(artifact_definition.Name, required_prefix) {
return nil, errors.New(
return nil, InvalidStatus(
"Modified or custom artifact names must start with '" +
required_prefix + "'")
}
Expand All @@ -144,7 +143,7 @@ func setArtifactFile(config_obj *config_proto.Config, principal string,
config_obj, principal, in.Artifact, required_prefix)
}

return nil, errors.New("Unknown op")
return nil, InvalidStatus("Unknown op")
}

func getReportArtifacts(
Expand All @@ -160,17 +159,17 @@ func getReportArtifacts(

manager, err := services.GetRepositoryManager(config_obj)
if err != nil {
return nil, err
return nil, Status(config_obj.Verbose, err)
}
repository, err := manager.GetGlobalRepository(config_obj)
if err != nil {
return nil, err
return nil, Status(config_obj.Verbose, err)
}

result := &artifacts_proto.ArtifactDescriptors{}
names, err := repository.List(ctx, config_obj)
if err != nil {
return nil, err
return nil, Status(config_obj.Verbose, err)
}
for _, name := range names {
artifact, pres := repository.Get(config_obj, name)
Expand Down Expand Up @@ -200,7 +199,7 @@ func searchArtifact(
*artifacts_proto.ArtifactDescriptors, error) {

if config_obj.GUI == nil {
return nil, errors.New("GUI not configured")
return nil, InvalidStatus("GUI not configured")
}

name_filter_regexp := config_obj.GUI.ArtifactSearchFilter
Expand Down Expand Up @@ -243,16 +242,16 @@ func searchArtifact(

manager, err := services.GetRepositoryManager(config_obj)
if err != nil {
return nil, err
return nil, Status(config_obj.Verbose, err)
}
repository, err := manager.GetGlobalRepository(config_obj)
if err != nil {
return nil, err
return nil, Status(config_obj.Verbose, err)
}

names, err := repository.List(ctx, config_obj)
if err != nil {
return nil, err
return nil, Status(config_obj.Verbose, err)
}

for _, name := range names {
Expand Down Expand Up @@ -309,7 +308,7 @@ func (self *ApiServer) LoadArtifactPack(
users_manager := services.GetUserManager()
user_record, org_config_obj, err := users_manager.GetUserFromContext(ctx)
if err != nil {
return nil, err
return nil, Status(self.verbose, err)
}

user_name := user_record.Name
Expand All @@ -326,7 +325,7 @@ func (self *ApiServer) LoadArtifactPack(
buffer := bytes.NewReader(in.Data)
zip_reader, err := zip.NewReader(buffer, int64(len(in.Data)))
if err != nil {
return nil, err
return nil, Status(self.verbose, err)
}

for _, file := range zip_reader.File {
Expand Down
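Review bot: The failures now routed through `Status(config_obj.Verbose, err)` in setArtifactFile (`tmp_repository.LoadYaml(in.Artifact, ...)`) and in LoadArtifactPack (`zip.NewReader(buffer, int64(len(in.Data)))`) are caused by caller-supplied input rather than server state, so they belong with the `InvalidStatus` path the same hunk already uses for the name-prefix check; the `regexp.Compile(in.Artifact)` failure in api/clients.go GetClientFlows is the same case. If Status masks the message whenever the verbose flag is off (its body is in api/api.go, which is not rendered here, so this is inferred), the GUI user gets no usable feedback on a malformed artifact definition or upload, while it is the server-side errors that warrant masking. `return nil, InvalidStatus(err.Error())` at those three sites keeps the parse detail for the caller without widening what is disclosed elsewhere. Note also that the free functions key off `config_obj.Verbose` while the ApiServer methods use `self.verbose`; unless both are initialized from the same setting, the masking policy diverges within this file. setArtifactFile and LoadArtifactPack both continue outside their hunks.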
22 changes: 11 additions & 11 deletions api/clients.go
Expand Up @@ -42,7 +42,7 @@ func (self *ApiServer) GetClientMetadata(
users := services.GetUserManager()
user_record, org_config_obj, err := users.GetUserFromContext(ctx)
if err != nil {
return nil, err
return nil, Status(self.verbose, err)
}

user_name := user_record.Name
Expand All @@ -60,7 +60,7 @@ func (self *ApiServer) GetClientMetadata(
client_path_manager := paths.NewClientPathManager(in.ClientId)
db, err := datastore.GetDB(org_config_obj)
if err != nil {
return nil, err
return nil, Status(self.verbose, err)
}

result := &api_proto.ClientMetadata{}
Expand All @@ -79,7 +79,7 @@ func (self *ApiServer) SetClientMetadata(
users := services.GetUserManager()
user_record, org_config_obj, err := users.GetUserFromContext(ctx)
if err != nil {
return nil, err
return nil, Status(self.verbose, err)
}

user_name := user_record.Name
Expand All @@ -93,7 +93,7 @@ func (self *ApiServer) SetClientMetadata(
client_path_manager := paths.NewClientPathManager(in.ClientId)
db, err := datastore.GetDB(org_config_obj)
if err != nil {
return nil, err
return nil, Status(self.verbose, err)
}

err = db.SetSubject(org_config_obj, client_path_manager.Metadata(), in)
Expand All @@ -107,7 +107,7 @@ func (self *ApiServer) GetClient(
users := services.GetUserManager()
user_record, org_config_obj, err := users.GetUserFromContext(ctx)
if err != nil {
return nil, err
return nil, Status(self.verbose, err)
}

user_name := user_record.Name
Expand All @@ -120,14 +120,14 @@ func (self *ApiServer) GetClient(

indexer, err := services.GetIndexer(org_config_obj)
if err != nil {
return nil, err
return nil, Status(self.verbose, err)
}

// Update the user's MRU
if in.UpdateMru {
err = indexer.UpdateMRU(org_config_obj, user_name, in.ClientId)
if err != nil {
return nil, err
return nil, Status(self.verbose, err)
}
}

Expand All @@ -141,7 +141,7 @@ func (self *ApiServer) GetClient(
// Wait up to 2 seconds to find out if clients are connected.
notifier, err := services.GetNotifier(org_config_obj)
if err != nil {
return nil, err
return nil, Status(self.verbose, err)
}
if notifier.IsClientConnected(ctx,
org_config_obj, in.ClientId, 2) {
Expand All @@ -160,7 +160,7 @@ func (self *ApiServer) GetClientFlows(
users := services.GetUserManager()
user_record, org_config_obj, err := users.GetUserFromContext(ctx)
if err != nil {
return nil, err
return nil, Status(self.verbose, err)
}

user_name := user_record.Name
Expand All @@ -178,7 +178,7 @@ func (self *ApiServer) GetClientFlows(
if in.Artifact != "" {
regex, err := regexp.Compile(in.Artifact)
if err != nil {
return nil, err
return nil, Status(self.verbose, err)
}

filter = func(flow *flows_proto.ArtifactCollectorContext) bool {
Expand All @@ -197,7 +197,7 @@ func (self *ApiServer) GetClientFlows(

launcher, err := services.GetLauncher(org_config_obj)
if err != nil {
return nil, err
return nil, Status(self.verbose, err)
}

return launcher.GetFlows(org_config_obj, in.ClientId,
Expand Down
42 changes: 21 additions & 21 deletions api/datastore.go
Expand Up @@ -25,13 +25,13 @@ func (self *ApiServer) GetSubject(
users := services.GetUserManager()
user_record, org_config_obj, err := users.GetUserFromContext(ctx)
if err != nil {
return nil, err
return nil, Status(self.verbose, err)
}

user_name := user_record.Name
token, err := acls.GetEffectivePolicy(org_config_obj, user_name)
if err != nil {
return nil, err
return nil, Status(self.verbose, err)
}

perm, err := acls.CheckAccessWithToken(token, acls.DATASTORE_ACCESS)
Expand All @@ -44,18 +44,18 @@ func (self *ApiServer) GetSubject(
if token.SuperUser && org_config_obj.OrgId != in.OrgId {
org_manager, err := services.GetOrgManager()
if err != nil {
return nil, err
return nil, Status(self.verbose, err)
}

org_config_obj, err = org_manager.GetOrgConfig(in.OrgId)
if err != nil {
return nil, err
return nil, Status(self.verbose, err)
}
}

db, err := datastore.GetDB(org_config_obj)
if err != nil {
return nil, err
return nil, Status(self.verbose, err)
}

raw_db, ok := db.(datastore.RawDataStore)
Expand All @@ -77,13 +77,13 @@ func (self *ApiServer) SetSubject(
users := services.GetUserManager()
user_record, org_config_obj, err := users.GetUserFromContext(ctx)
if err != nil {
return nil, err
return nil, Status(self.verbose, err)
}

user_name := user_record.Name
token, err := acls.GetEffectivePolicy(org_config_obj, user_name)
if err != nil {
return nil, err
return nil, Status(self.verbose, err)
}

perm, err := acls.CheckAccessWithToken(token, acls.DATASTORE_ACCESS)
Expand All @@ -96,18 +96,18 @@ func (self *ApiServer) SetSubject(
if token.SuperUser && org_config_obj.OrgId != in.OrgId {
org_manager, err := services.GetOrgManager()
if err != nil {
return nil, err
return nil, Status(self.verbose, err)
}

org_config_obj, err = org_manager.GetOrgConfig(in.OrgId)
if err != nil {
return nil, err
return nil, Status(self.verbose, err)
}
}

db, err := datastore.GetDB(org_config_obj)
if err != nil {
return nil, err
return nil, Status(self.verbose, err)
}

raw_db, ok := db.(datastore.RawDataStore)
Expand Down Expand Up @@ -141,13 +141,13 @@ func (self *ApiServer) ListChildren(
users := services.GetUserManager()
user_record, org_config_obj, err := users.GetUserFromContext(ctx)
if err != nil {
return nil, err
return nil, Status(self.verbose, err)
}

user_name := user_record.Name
token, err := acls.GetEffectivePolicy(org_config_obj, user_name)
if err != nil {
return nil, err
return nil, Status(self.verbose, err)
}

perm, err := acls.CheckAccessWithToken(token, acls.DATASTORE_ACCESS)
Expand All @@ -161,23 +161,23 @@ func (self *ApiServer) ListChildren(
if token.SuperUser && org_config_obj.OrgId != in.OrgId {
org_manager, err := services.GetOrgManager()
if err != nil {
return nil, err
return nil, Status(self.verbose, err)
}

org_config_obj, err = org_manager.GetOrgConfig(in.OrgId)
if err != nil {
return nil, err
return nil, Status(self.verbose, err)
}
}

db, err := datastore.GetDB(org_config_obj)
if err != nil {
return nil, err
return nil, Status(self.verbose, err)
}

children, err := db.ListChildren(org_config_obj, getURN(in))
if err != nil {
return nil, err
return nil, Status(self.verbose, err)
}

result := &api_proto.ListChildrenResponse{}
Expand All @@ -200,13 +200,13 @@ func (self *ApiServer) DeleteSubject(
users := services.GetUserManager()
user_record, org_config_obj, err := users.GetUserFromContext(ctx)
if err != nil {
return nil, err
return nil, Status(self.verbose, err)
}

user_name := user_record.Name
token, err := acls.GetEffectivePolicy(org_config_obj, user_name)
if err != nil {
return nil, err
return nil, Status(self.verbose, err)
}

perm, err := acls.CheckAccessWithToken(token, acls.DATASTORE_ACCESS)
Expand All @@ -218,17 +218,17 @@ func (self *ApiServer) DeleteSubject(
if token.SuperUser && org_config_obj.OrgId != in.OrgId {
org_manager, err := services.GetOrgManager()
if err != nil {
return nil, err
return nil, Status(self.verbose, err)
}

org_config_obj, err = org_manager.GetOrgConfig(in.OrgId)
if err != nil {
return nil, err
return nil, Status(self.verbose, err)
}
}
db, err := datastore.GetDB(org_config_obj)
if err != nil {
return nil, err
return nil, Status(self.verbose, err)
}

return &emptypb.Empty{}, db.DeleteSubject(org_config_obj, getURN(in))
Expand Down
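Review bot: DeleteSubject's final line, `return &emptypb.Empty{}, db.DeleteSubject(org_config_obj, getURN(in))`, still hands the datastore's raw error to the caller while every other error in the method is now wrapped with `Status(self.verbose, err)`, so the masking this commit introduces has a gap on the one operation that mutates data, and it returns a non-nil response together with the error. SetSubject's handling of `err = db.SetSubject(...)` is hidden by the collapsed region, so it may have the same gap and is worth checking. Separately, GetSubject, SetSubject, ListChildren and DeleteSubject repeat the same user-lookup, policy, ACL-check, org-switch and GetDB preamble; a single helper returning the org config and the store would keep the DATASTORE_ACCESS check in one place. GetSubject, SetSubject and ListChildren continue outside their hunks.
```go
	// … unchanged: user lookup, ACL check, org switch, GetDB …
	if err := db.DeleteSubject(org_config_obj, getURN(in)); err != nil {
		return nil, Status(self.verbose, err)
	}
	return &emptypb.Empty{}, nil
```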
