Fixed tests (Velocidex#2177)

Obfuscated malware samples to prevent triggering AV when downloading source code from GitHub.
belasker · Oct 22, 2022 · 32cf17c · 32cf17c
1 parent caddce0
commit 32cf17c
Show file tree

Hide file tree

Showing 16 changed files with 236 additions and 177 deletions.
diff --git a/accessors/raw_registry/raw_registry.go b/accessors/raw_registry/raw_registry.go
@@ -178,17 +178,51 @@ func NewRawValueBuffer(buf string, stat *RawRegValueInfo) *RawValueBuffer {
 	}
 }
 
-type RawRegFileSystemAccessor struct {
+type rawHiveCache struct {
 	mu sync.Mutex
 
 	// Maintain a cache of already parsed hives
 	hive_cache map[string]*regparser.Registry
-	scope      vfilter.Scope
+}
+
+func (self *rawHiveCache) Get(name string) (*regparser.Registry, bool) {
+	self.mu.Lock()
+	defer self.mu.Unlock()
+
+	res, ok := self.hive_cache[name]
+	return res, ok
+}
+
+func (self *rawHiveCache) Set(name string, reg *regparser.Registry) {
+	self.mu.Lock()
+	defer self.mu.Unlock()
+
+	self.hive_cache[name] = reg
+}
 
-	root *accessors.OSPath
+type RawRegFileSystemAccessor struct {
+	scope vfilter.Scope
+	root  *accessors.OSPath
+}
+
+func getRegHiveCache(scope vfilter.Scope) *rawHiveCache {
+	result_any := vql_subsystem.CacheGet(scope, RawRegFileSystemTag)
+	if result_any != nil {
+		cached, ok := result_any.(*rawHiveCache)
+		if ok {
+			return cached
+		}
+	}
+
+	result := &rawHiveCache{
+		hive_cache: make(map[string]*regparser.Registry),
+	}
+	vql_subsystem.CacheSet(scope, RawRegFileSystemTag, result)
+
+	return result
 }
 
-func (self *RawRegFileSystemAccessor) getRegHive(
+func getRegHive(scope vfilter.Scope,
 	file_path *accessors.OSPath) (*regparser.Registry, error) {
 
 	// Cache the parsed hive under the underlying file.
@@ -199,43 +233,44 @@ func (self *RawRegFileSystemAccessor) getRegHive(
 	}
 	cache_key := base_pathspec.String()
 
-	self.mu.Lock()
-	defer self.mu.Unlock()
+	hive_cache := getRegHiveCache(scope)
+	reg, pres := hive_cache.Get(cache_key)
+	if pres {
+		return reg, nil
+	}
 
 	lru_size := vql_subsystem.GetIntFromRow(
-		self.scope, self.scope, constants.RAW_REG_CACHE_SIZE)
-	hive, pres := self.hive_cache[cache_key]
-	if !pres {
-		delegate, err := file_path.Delegate(self.scope)
-		if err != nil {
-			return nil, err
-		}
+		scope, scope, constants.RAW_REG_CACHE_SIZE)
 
-		paged_reader, err := readers.NewPagedReader(
-			self.scope, pathspec.DelegateAccessor, delegate, int(lru_size))
-		if err != nil {
-			self.scope.Log("%v: did you provide a URL or Pathspec?", err)
-			return nil, err
-		}
+	delegate, err := file_path.Delegate(scope)
+	if err != nil {
+		return nil, err
+	}
 
-		// Make sure we can read the header so we can propagate errors
-		// properly.
-		header := make([]byte, 4)
-		_, err = paged_reader.ReadAt(header, 0)
-		if err != nil {
-			paged_reader.Close()
-			return nil, err
-		}
+	paged_reader, err := readers.NewPagedReader(
+		scope, pathspec.DelegateAccessor, delegate, int(lru_size))
+	if err != nil {
+		scope.Log("%v: did you provide a URL or Pathspec?", err)
+		return nil, err
+	}
 
-		hive, err = regparser.NewRegistry(paged_reader)
-		if err != nil {
-			paged_reader.Close()
-			return nil, err
-		}
+	// Make sure we can read the header so we can propagate errors
+	// properly.
+	header := make([]byte, 4)
+	_, err = paged_reader.ReadAt(header, 0)
+	if err != nil {
+		paged_reader.Close()
+		return nil, err
+	}
 
-		self.hive_cache[cache_key] = hive
+	hive, err := regparser.NewRegistry(paged_reader)
+	if err != nil {
+		paged_reader.Close()
+		return nil, err
 	}
 
+	hive_cache.Set(cache_key, hive)
+
 	return hive, nil
 }
 
@@ -244,29 +279,9 @@ const RawRegFileSystemTag = "_RawReg"
 func (self *RawRegFileSystemAccessor) New(scope vfilter.Scope) (
 	accessors.FileSystemAccessor, error) {
 
-	result_any := vql_subsystem.CacheGet(scope, RawRegFileSystemTag)
-	if result_any == nil {
-		result := &RawRegFileSystemAccessor{
-			hive_cache: make(map[string]*regparser.Registry),
-			scope:      scope,
-			root:       self.root,
-		}
-		vql_subsystem.CacheSet(scope, RawRegFileSystemTag, result)
-		return result, nil
-	}
-
-	cached, ok := result_any.(*RawRegFileSystemAccessor)
-	if !ok {
-		return nil, errors.New("Cached RawRegFileSystemAccessor invalid")
-	}
-
-	cached.mu.Lock()
-	defer cached.mu.Unlock()
-
 	return &RawRegFileSystemAccessor{
-		hive_cache: cached.hive_cache,
-		scope:      scope,
-		root:       cached.root,
+		scope: scope,
+		root:  self.root,
 	}, nil
 }
 
@@ -295,7 +310,7 @@ func (self *RawRegFileSystemAccessor) ReadDirWithOSPath(
 	[]accessors.FileInfo, error) {
 
 	var result []accessors.FileInfo
-	hive, err := self.getRegHive(full_path)
+	hive, err := getRegHive(self.scope, full_path)
 	if err != nil {
 		return nil, err
 	}

diff --git a/artifacts/definitions/Linux/Ssh/PrivateKeys.yaml b/artifacts/definitions/Linux/Ssh/PrivateKeys.yaml
@@ -61,23 +61,23 @@ sources:
       // Only search local filesystems
       LET RecursionCallback = "x=>x.Data.DevMajor IN LocalDeviceMajor"
 
-      LET _Hits = SELECT FullPath,
-           read_file(filename=FullPath, length=20240) AS Data
+      LET _Hits = SELECT OSPath,
+           read_file(filename=OSPath, length=20240) AS Data
         FROM glob(globs=KeyGlobs, recursion_callback=RecursionCallback)
         WHERE Size < 20000
 
-      LET Hits = SELECT FullPath, Data,
+      LET Hits = SELECT OSPath, Data,
              base64decode(
                 string=parse_string_with_regex(
                     string=Data,
-                    regex="(?sm)KEY-----(.+)-----END").g1) AS Decoded,
+                    regex="(?sm)KEY-----(.+)-----END").g1) || "" AS Decoded,
             parse_string_with_regex(
                string=Data,
                regex="(BEGIN.* PRIVATE KEY)").g1 AS Header
       FROM _Hits
       WHERE Header
 
-      LET OpenSSHKeyParser(FullPath, Decoded) = SELECT FullPath,
+      LET OpenSSHKeyParser(OSPath, Decoded) = SELECT OSPath,
          parse_binary(accessor="data", filename=Decoded,
                       profile=SSHProfile, struct="Header") AS Parsed
          FROM scope()
@@ -88,16 +88,16 @@ sources:
         SELECT * FROM switch(
           a={
              -- new format
-             SELECT FullPath,
+             SELECT OSPath,
                     Parsed.Magic AS KeyType,
                     Parsed.cipher AS Cipher,
                     Header
-             FROM OpenSSHKeyParser(FullPath=FullPath, Decoded=Decoded)
+             FROM OpenSSHKeyParser(OSPath= OSPath, Decoded=Decoded)
              WHERE Header =~ "BEGIN OPENSSH PRIVATE KEY"
           },
           a2={
              -- encrypted rsa key from e.g. putty
-             SELECT FullPath,
+             SELECT OSPath,
                     "PKCS8" AS KeyType,
                     parse_string_with_regex(string=Data,
                       regex="DEK-Info: ([-a-zA-Z0-9]+)").g1 AS Cipher,
@@ -108,7 +108,7 @@ sources:
           },
           b={
              -- unencrypted rsa key from e.g. AWS
-             SELECT FullPath,
+             SELECT OSPath,
                     "PKCS8" AS KeyType,
                     "none" AS Cipher,
                     Header
@@ -117,7 +117,7 @@ sources:
           },
           c={
              -- old format encrypted
-             SELECT FullPath,
+             SELECT OSPath,
                     "PKCS8" AS KeyType,
                     "PKCS#5" AS Cipher,
                     Header
@@ -126,7 +126,7 @@ sources:
           },
           d={
              -- catch all for unknown keys
-             SELECT FullPath,
+             SELECT OSPath,
                     "Unknown" AS KeyType,
                     "Unknown" AS Cipher,
                     Header