Added stand alone GUI command. (Velocidex#580)

* Added stand alone GUI command.

Now running:

```
velociraptor.exe gui
```

Will do everything automatigally - create a new config, and open the
browser to the welcome page.

api/reports.go

@@ -1,6 +1,7 @@
 package api
 
 import (
+	"fmt"
 	"strings"
 
 	errors "github.com/pkg/errors"
@@ -41,9 +42,22 @@ func getReport(ctx context.Context,
 
 	var template_data string
 
+	if in.Type == "" {
+		definition, pres := repository.Get("Custom." + in.Artifact)
+		if !pres {
+			definition, pres = repository.Get(in.Artifact)
+			if pres {
+				for _, report := range definition.Reports {
+					in.Type = strings.ToUpper(report.Type)
+				}
+			}
+		}
+	}
+
 	switch in.Type {
 	default:
-		return nil, errors.New("Report type not supported")
+		return nil, errors.New(fmt.Sprintf(
+			"Report type %v not supported", in.Type))
 
 	// A CLIENT artifact report is a specific artifact
 	// collected from a client.

artifacts/definitions/Generic/Utils/FetchBinary.yaml

@@ -40,13 +40,15 @@ sources:
         // Try to get info from the ToolInfo parameter.
         a={SELECT get(field="Tool_" + ToolName + "_HASH", item=ToolInfo) AS ToolHash,
                   get(field="Tool_" + ToolName + "_FILENAME", item=ToolInfo) AS ToolFilename,
-                  get(field="Tool_" + ToolName + "_URL", item=ToolInfo) AS ToolURL
+                  get(field="Tool_" + ToolName + "_URL", item=ToolInfo) AS ToolURL,
+                  get(field="Tool_" + ToolName + "_PATH", item=ToolInfo) AS ToolPath
            FROM scope()  WHERE ToolFilename},
 
         // Failing this - get it from the scope()
         b={SELECT get(field="Tool_" + ToolName + "_HASH", item=scope()) AS ToolHash,
                   get(field="Tool_" + ToolName + "_FILENAME", item=scope()) AS ToolFilename,
-                  get(field="Tool_" + ToolName + "_URL", item=scope()) AS ToolURL
+                  get(field="Tool_" + ToolName + "_URL", item=scope()) AS ToolURL,
+                  get(field="Tool_" + ToolName + "_PATH", item=ToolInfo) AS ToolPath
            FROM scope()  WHERE ToolFilename},
 
         // Failing this - try to get it from the inventory service directly.
@@ -64,7 +66,18 @@ sources:
         )
 
       // Where we should save the file.
-      LET ToolPath <= SELECT path_join(components=[(binpath[0]).Path, (args[0]).ToolFilename]) AS Path FROM scope()
+      LET ToolPath <= SELECT path_join(components=[
+           (binpath[0]).Path, (args[0]).ToolFilename]) AS Path FROM scope()
+
+      // Support tools locally served from disk
+      LET local_file =
+          SELECT hash(path=(args[0]).ToolPath) as Hash,
+                 (args[0]).ToolFilename AS Name,
+                 "Downloaded" AS DownloadStatus,
+                 (args[0]).ToolPath AS FullPath
+          FROM scope()
+          WHERE (args[0]).ToolPath AND
+                log(message="File served from " + (args[0]).ToolPath)
 
       // Download the file from the binary URL and store in the local
       // binary cache.
@@ -101,12 +114,13 @@ sources:
       // have to download the file we sleep for a random time to
       // stagger server bandwidth load.
       SELECT * FROM switch(
-        a=existing,
-        b={
+        a=local_file,
+        b=existing,
+        c={
            SELECT rand(range=atoi(string=SleepDuration)) AS timeout
            FROM scope()
            WHERE args AND (args[0]).ToolURL AND
               log(message=format(format='Sleeping %v Seconds',
                  args=[timeout])) AND sleep(time=timeout) AND FALSE
         },
-        c=download)
+        d=download)

artifacts/definitions/Server/Internal/Welcome.yaml

@@ -0,0 +1,17 @@
+name: Server.Internal.Welcome
+
+reports:
+  - type: CLIENT
+    template: |
+      <div class="row dashboard ">
+      <div class="card col-10">
+      <img src="https://www.velocidex.com/images/logos/logo.svg" class="card-img-top">
+      <div class="card-body">
+
+      # Welcome to Velociraptor!
+
+      ## Common tasks:
+
+      * <a href="/app.html#/server_artifacts">Building an Offline Collector</a>
+
+      </div></div></div>

artifacts/proto/artifact.proto

@@ -247,6 +247,9 @@ message Tool {
     // the url above.
     string serve_url = 8;
 
+    // Only valid for local dummy inventory.
+    string serve_path = 12;
+
     // A filestore path where the file can be downloaded from - if
     // served locally.
     string filestore_path = 4;

artifacts/testdata/server/testcases/binary_blobs.out.yaml

@@ -7,22 +7,23 @@ SELECT * FROM switch( b={SELECT Complete FROM execve(argv=["rm", "-f", "/tmp/aut
   "inventory_add(tool=\"WinPmem\", url=\"https://storage.googleapis.com/go.velocidex.com/winpmem_v3.3.rc3.exe\", filename=\"winpmem_v3.3.rc3.exe\")": {
    "name": "WinPmem",
    "url": "https://storage.googleapis.com/go.velocidex.com/winpmem_v3.3.rc3.exe",
-   "filename": "winpmem_v3.3.rc3.exe",
-   "admin_override": true
+   "admin_override": true,
+   "filename": "winpmem_v3.3.rc3.exe"
   }
  }
 ]SELECT * FROM inventory() WHERE name =~ "WinPmem"[
  {
   "name": "WinPmem",
   "url": "https://storage.googleapis.com/go.velocidex.com/winpmem_v3.3.rc3.exe",
-  "serve_url": "",
   "github_project": "",
   "github_asset_regex": "",
   "serve_locally": false,
+  "admin_override": true,
+  "serve_url": "",
+  "serve_path": "",
   "filestore_path": "351b4f6d59a4266cc7a2eab9cedf959eb6a4c924746044e6edeabdd1a477643e",
   "filename": "winpmem_v3.3.rc3.exe",
   "hash": "",
-  "admin_override": true,
   "materialize": false
  }
 ]LET ToolInfo <= dict( Tool_WinPmem_URL="https://github.com/Velocidex/c-aff4/releases/download/v3.3.rc3/winpmem_v3.3.rc3.exe", Tool_WinPmem_FILENAME="winpmem_v3.3.rc3.exe", Tool_WinPmem_HASH="319f6c714d682505157cf72aa928c94ada3c839fb8eb0e503d8770624e897318")[]SELECT DownloadStatus, Hash FROM Artifact.Generic.Utils.FetchBinary( ToolName="WinPmem", SleepDuration=0, ToolInfo=ToolInfo)[

artifacts/testdata/server/testcases/tools.out.yaml

@@ -3,9 +3,9 @@ SELECT inventory_add(tool='Autorun_amd64', url='https://storage.googleapis.com/g
   "inventory_add(tool='Autorun_amd64', url='https://storage.googleapis.com/go.velocidex.com/autorunsc.exe', hash='083d7eee4ed40a3e5a35675503b0b6be0cb627b4cb1009d185a558a805f64153', filename='autorunsc_x64.exe')": {
    "name": "Autorun_amd64",
    "url": "https://storage.googleapis.com/go.velocidex.com/autorunsc.exe",
+   "admin_override": true,
    "filename": "autorunsc_x64.exe",
-   "hash": "083d7eee4ed40a3e5a35675503b0b6be0cb627b4cb1009d185a558a805f64153",
-   "admin_override": true
+   "hash": "083d7eee4ed40a3e5a35675503b0b6be0cb627b4cb1009d185a558a805f64153"
   }
  }
 ]SELECT inventory_get(tool='Autorun_amd64') FROM scope()[
@@ -22,9 +22,9 @@ SELECT inventory_add(tool='Autorun_amd64', url='https://storage.googleapis.com/g
    "name": "Autorun_amd64",
    "url": "https://storage.googleapis.com/go.velocidex.com/autorunsc.exe",
    "serve_locally": true,
+   "admin_override": true,
    "filename": "autorunsc_x64.exe",
-   "hash": "083d7eee4ed40a3e5a35675503b0b6be0cb627b4cb1009d185a558a805f64153",
-   "admin_override": true
+   "hash": "083d7eee4ed40a3e5a35675503b0b6be0cb627b4cb1009d185a558a805f64153"
   }
  }
 ]SELECT inventory_get(tool='Autorun_amd64') FROM scope()[
@@ -40,10 +40,10 @@ SELECT inventory_add(tool='Autorun_amd64', url='https://storage.googleapis.com/g
   "inventory_add(tool=\"FooBar\", file=srcDir + \"/artifacts/testdata/files/yara_test.txt\")": {
    "name": "FooBar",
    "serve_locally": true,
+   "admin_override": true,
    "filestore_path": "1c21ee4d8609f81482dc0a78c641e4586488a9fd562ee28eec25e448a9d0b2e1",
    "filename": "yara_test.txt",
-   "hash": "f03278c10a41adcc97f24a612a680e7aa43efb461b337fef3d2a3d47b51e77bb",
-   "admin_override": true
+   "hash": "f03278c10a41adcc97f24a612a680e7aa43efb461b337fef3d2a3d47b51e77bb"
   }
  }
 ]SELECT inventory_get(tool="FooBar") FROM scope()[

artifacts/testdata/windows/autoexec.out.yaml

@@ -3,9 +3,9 @@ SELECT inventory_add(tool='Autorun_amd64', url='https://storage.googleapis.com/g
   "inventory_add(tool='Autorun_amd64', url='https://storage.googleapis.com/go.velocidex.com/autorunsc.exe', hash='083d7eee4ed40a3e5a35675503b0b6be0cb627b4cb1009d185a558a805f64153', filename='autorunsc_x64.exe')": {
    "name": "Autorun_amd64",
    "url": "https://storage.googleapis.com/go.velocidex.com/autorunsc.exe",
+   "admin_override": true,
    "filename": "autorunsc_x64.exe",
-   "hash": "083d7eee4ed40a3e5a35675503b0b6be0cb627b4cb1009d185a558a805f64153",
-   "admin_override": true
+   "hash": "083d7eee4ed40a3e5a35675503b0b6be0cb627b4cb1009d185a558a805f64153"
   }
  }
 ]SELECT * FROM  Artifact.Windows.Sysinternals.Autoruns( AutorunArgs='-nobanner -accepteula -a b -c *', ToolInfo=inventory_get(tool='Autorun_amd64')) WHERE Company =~ 'Microsoft'[

bin/artifacts.go

@@ -150,6 +150,7 @@ func doArtifactCollect() {
 	kingpin.FatalIfError(err, "Load Config ")
 
 	sm, err := startEssentialServices(config_obj)
+	kingpin.FatalIfError(err, "Load Config ")
 	defer sm.Close()
 
 	collect_args := ordereddict.NewDict()

bin/browser.go

@@ -0,0 +1,68 @@
+// Copyright 2016 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package browser provides utilities for interacting with users' browsers.
+// Comes from https://raw.githubusercontent.com/golang/go/master/src/cmd/internal/browser/browser.go
+package main
+
+import (
+	"os"
+	"os/exec"
+	"runtime"
+	"time"
+)
+
+// Commands returns a list of possible commands to use to open a url.
+func Commands() [][]string {
+	var cmds [][]string
+	if exe := os.Getenv("BROWSER"); exe != "" {
+		cmds = append(cmds, []string{exe})
+	}
+	switch runtime.GOOS {
+	case "darwin":
+		cmds = append(cmds, []string{"/usr/bin/open"})
+	case "windows":
+		cmds = append(cmds, []string{"cmd", "/c", "start"})
+	default:
+		if os.Getenv("DISPLAY") != "" {
+			// xdg-open is only for use in a desktop environment.
+			cmds = append(cmds, []string{"xdg-open"})
+		}
+	}
+	cmds = append(cmds,
+		[]string{"chrome"},
+		[]string{"google-chrome"},
+		[]string{"chromium"},
+		[]string{"firefox"},
+	)
+	return cmds
+}
+
+// Open tries to open url in a browser and reports whether it succeeded.
+func OpenBrowser(url string) bool {
+	for _, args := range Commands() {
+		cmd := exec.Command(args[0], append(args[1:], url)...)
+		if cmd.Start() == nil && appearsSuccessful(cmd, 3*time.Second) {
+			return true
+		}
+	}
+	return false
+}
+
+// appearsSuccessful reports whether the command appears to have run successfully.
+// If the command runs longer than the timeout, it's deemed successful.
+// If the command runs within the timeout, it's deemed successful if it exited cleanly.
+func appearsSuccessful(cmd *exec.Cmd, timeout time.Duration) bool {
+	errc := make(chan error, 1)
+	go func() {
+		errc <- cmd.Wait()
+	}()
+
+	select {
+	case <-time.After(timeout):
+		return true
+	case err := <-errc:
+		return err == nil
+	}
+}

bin/client.go

@@ -26,6 +26,7 @@ import (
 	"www.velocidex.com/golang/velociraptor/executor"
 	"www.velocidex.com/golang/velociraptor/http_comms"
 	logging "www.velocidex.com/golang/velociraptor/logging"
+	"www.velocidex.com/golang/velociraptor/services"
 	"www.velocidex.com/golang/velociraptor/utils"
 )
 
@@ -94,7 +95,15 @@ func RunClient(
 	// Wait for the comms to properly start before we begin the
 	// services. If services need to communicate with the server
 	// they will deadlock otherwise.
-	executor.StartServices(ctx, wg, config_obj, manager.ClientId, exe)
+	sm := services.NewServiceManager(ctx, config_obj)
+	defer sm.Close()
+
+	err = executor.StartServices(sm, manager.ClientId, exe)
+	if err != nil {
+		return
+	}
+
+	wg.Wait()
 }
 
 func init() {
@@ -106,8 +115,6 @@ func init() {
 
 			RunClient(ctx, wg, config_path)
 
-			wg.Wait()
-
 			return true
 		}
 		return false