diff --git a/.gitignore b/.gitignore index b4e7c15346f..610701cd6d6 100755 --- a/.gitignore +++ b/.gitignore @@ -14,3 +14,4 @@ xml node_modules/ package-lock.json __debug_bin +bin/rsrc.syso \ No newline at end of file diff --git a/Makefile b/Makefile index b2c53daf26d..62dbe49e2eb 100644 --- a/Makefile +++ b/Makefile @@ -15,6 +15,9 @@ release: windows: go run make.go -v windowsDev +windowsx86: + go run make.go -v windowsx86 + clean: go run make.go -v clean diff --git a/appveyor.yml b/appveyor.yml index 75d1692d040..d9a857179a0 100644 --- a/appveyor.yml +++ b/appveyor.yml @@ -7,6 +7,7 @@ environment: GOPATH: c:\gopath PATH: C:\msys64\mingw64\bin;%GOPATH%\bin;%PATH% VELOCIRAPTOR_CONFIG: artifacts\testdata\windows\appveyor.config.yaml + GOPROXY: https://proxy.golang.org cache: - '%LocalAppData%\go-build -> .appveyor_cache_clear' diff --git a/artifacts/assets/ab0x.go b/artifacts/assets/ab0x.go index 889efb2cebb..cf33a6889c4 100644 --- a/artifacts/assets/ab0x.go +++ b/artifacts/assets/ab0x.go @@ -1,5 +1,5 @@ -// Code generated by fileb0x at "2019-10-25 18:05:12.045889348 +1000 AEST m=+0.274984427" from config file "b0x.yaml" DO NOT EDIT. -// modification hash(1a339eb5c899f4d178f8086bc6dac75d.57a51d2c6575595a5e61a0db12c9b9e7) +// Code generated by fileb0x at "2019-10-29 08:27:22.937265572 +1000 AEST m=+0.166190303" from config file "b0x.yaml" DO NOT EDIT. +// modification hash(61eeb29c0b78c15575aab14c9d7d960b.57a51d2c6575595a5e61a0db12c9b9e7) package assets @@ -245,7 +245,7 @@ var FileArtifactsDefinitionsWindowsEventLogsAlternateLogonYaml = []byte("\x1f\x8 var FileArtifactsDefinitionsWindowsEventLogsDHCPYaml = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xec\x58\x6f\x6f\xdb\xb6\x13\x7e\xaf\x4f\x71\x48\x7e\x45\x9d\xfe\x1c\x21\xcd\x8a\xbd\x30\xa0\x17\x99\xe3\xb6\x06\xd2\x25\x4b\xdc\x05\xc3\x32\xa4\xb4\x74\xb2\xb8\x52\xa4\x4a\x52\x76\x8c\xa6\xdf\x7d\xb8\xd3\x7f\x27\x1b\xda\xbe\xe8\x50\x60\x42\x81\xb8\x16\xef\xe1\xdd\x73\x77\xe4\x3d\xd6\x22\xc7\x09\x5c\x4b\x9d\x98\x8d\x0b\x67\x6b\xd4\xfe\xcc\xac\x5c\x78\xfa\x7a\x7a\x11\x24\xe8\x62\x2b\x0b\x2f\x8d\x9e\xc0\x7d\x10\x00\x2c\x32\xe9\x40\x58\x2f\x53\x11\x7b\x28\x84\x75\xe8\xc0\x67\x08\x9b\x0a\x01\x92\x2c\x2e\x00\x09\x06\x94\x59\x81\x32\xe6\xbd\xd4\x2b\x48\x8d\x05\x5c\xcb\x04\x75\x8c\x01\x80\x49\x61\x7e\x01\x22\x49\x2c\x3a\x07\xc2\x39\xb9\xd2\x39\x6a\xef\x42\xda\x64\xae\xc1\x99\x1c\x41\xea\x35\x3a\x2f\x57\x82\x1c\x70\x20\x3d\x48\x07\x32\x2f\x8c\xf5\x42\x7b\xf0\x06\x96\x08\x62\xa9\x90\x3e\x12\xb6\x97\xe9\x96\xbc\x09\x00\x72\x11\x67\x52\x23\x6c\x32\x19\x67\xb0\x11\xcd\x2e\x98\x80\x20\xbf\xbd\x8c\x4b\x25\xec\xc0\x0d\x4f\xaf\x8c\xd4\x1e\xa4\x0e\x00\xbc\xcc\x31\x84\xb7\xae\x14\x4a\x31\xac\x43\x8a\x89\xe2\x47\x10\x6b\x21\x15\xef\x9d\x5a\x93\x33\x05\x44\x19\x38\xb4\x6b\xb4\x63\x58\x96\x35\x4a\x2e\xf4\x16\x62\xd1\xf0\x54\xbd\xef\x70\xb4\xf1\x3d\xac\x11\xf3\x74\x27\xf2\x42\xe1\x18\x64\x5a\x07\x83\x3a\xa9\xfc\xa2\x38\xd6\xd2\x49\x4f\x9c\x0a\x48\x64\x9a\xa2\x25\xae\x35\xfa\x8d\xb1\xef\xc1\xd8\x5d\x57\x88\x33\xa3\x41\x04\x00\x1b\x69\x51\x51\xa4\xd6\x94\x1e\x2d\x6c\xa4\xcf\x40\x1b\x4e\x94\x45\x4f\xfc\x19\x7d\xc0\x29\x38\xd7\x4d\x46\xc7\x04\x48\x01\x5b\x04\xbf\x31\xe0\xb7\x05\x3a\x4a\x20\x85\x30\xa1\xb5\x00\xcf\x43\x58\x64\x08\xa9\xb4\xce\xf3\x02\xda\x94\xfc\x10\x49\x2e\x35\xad\xe4\x65\x00\x30\x7a\xf7\x46\xc6\xd6\x38\x93\xfa\xc3\xba\xe8\x0e\x4f\xb3\xb8\x38\x9c\x2a\x89\xda\x3f\x79\x71\x42\x16\x21\xae\xfd\xbb\x03\x06\x75\x08\x46\xab\x2d\xc4\x46\x7b\xc1\x84\xf2\x83\xd6\x1a\xeb\xc0\x95\x71\x06\x94\x5b\xdd\x71\xe4\xed\x96\xd8\xf1\x86\x6d\xa4\x2e\x11\xa4\x77\xa0\x50\x38\xe4\xbc\x34\x18\xe4\x20\x7f\x4b\xde\x5a\xfc\x13\x63\x8f\x09\x2c\xb7\xbd\x3c\x85\x55\x7c\xc7\x55\x7c\xa6\x40\xcb\xb5\x28\xd4\x17\xc5\x74\xde\xd9\x51\x64\x77\xef\x0e\x9a\x70\x5c\xdf\x97\xb4\x54\x8c\x4b\xe4\xa2\x88\xb3\xca\xb9\x10\xde\xea\xd4\x58\x5f\x6a\xe1\x91\xeb\x50\x3a\x5e\x25\x1d\x24\xd2\x51\xd9\x24\x0d\xca\x72\x0b\x09\xa6\xa2\x54\x3e\x84\x79\x5a\x37\x4c\x57\x5d\x1b\x84\x58\x68\xb0\x04\x63\x34\xef\x29\x09\x3b\x67\xe7\xc2\x20\x28\x84\x15\x39\x7a\xb4\x6e\x12\x00\x1c\x42\x75\x38\x70\x37\x9f\x4a\xfb\x4a\x99\x25\xef\x54\xef\x31\x81\xe9\xe4\xa6\x0e\xf8\xc6\x6d\x9d\xc7\xfc\x87\xe3\x9b\x8d\xd4\xb8\xf6\x37\x54\x1d\x37\x3d\x10\xae\x84\xb3\x9a\xb4\x16\xe0\x73\x8b\xe1\x2e\xe8\x41\xf5\xd2\xf0\xa5\x80\xbb\x99\xe8\xc3\x8a\x38\x46\xe7\x8c\x1d\x02\xa6\x52\x61\x10\x38\x53\xda\x18\x07\xac\x5c\xd6\x05\xc3\x07\x25\x99\x7c\x28\xd1\xca\x6a\x0d\x3d\x87\x70\xdf\xa4\x05\xce\x66\x0b\x06\x72\x10\xc1\xd5\xec\x6c\x36\x5d\xc0\x33\x78\x79\x79\xfe\x06\x56\xca\x2c\x47\xed\x3a\x7a\xe8\x1b\x17\xf5\x39\x87\xff\xb7\xec\x8d\x07\x4b\x1b\x8f\xa3\xe6\xc3\xc1\x23\x7b\xd7\xfb\x2d\x64\x8e\x70\x72\x05\xb7\xf4\x61\x08\x03\xd5\x51\xe7\xbc\xc8\x8b\x11\x16\x26\xce\x22\x5a\x74\x00\x27\x8e\xcd\xf8\xc5\x03\x93\xa9\xc9\x0b\x3a\x45\xc6\xf0\xe6\x64\x3a\x86\x8a\xe1\xf9\xc5\x98\xcf\x9e\xab\xfa\x14\x5c\xd0\x59\xc0\x81\xa6\xc6\x52\x4d\x0f\x62\xb5\x66\x13\x31\x2d\x03\x70\xe2\x71\x1b\x7d\xdc\xd9\xaf\x0e\xe3\x8a\xcb\x2c\x24\xb7\xa6\x16\x85\xc7\x24\xac\xbe\xe2\xf8\x44\xe5\xf0\x03\x5f\x6b\x88\xca\xb6\x71\x9c\xd8\x68\x83\x78\xdc\xa2\xea\x8d\x51\xf5\x27\xda\x7b\x72\x37\x19\xfe\xdb\x1b\x83\xb0\x2b\x17\xfd\xce\xf7\xe6\xa9\xf0\x22\x7c\x7d\x7d\x52\x5d\x27\x7f\x1c\xd0\x06\xc4\xcd\xe3\xd8\xb2\x18\x69\xf4\x74\xf7\xbc\xb8\x55\x18\x75\x08\xb5\xfd\x73\xb6\x6f\x69\xfd\x3a\x90\x63\x06\xe9\x65\xe4\x71\x98\xbd\x33\x3e\x06\x9b\x92\xde\x23\x23\x4a\xdd\xce\x6a\x4e\x24\xdf\xf9\xb7\xd4\x3c\x23\xca\x1d\x35\x43\xf4\xb2\x54\xea\x42\xf8\x6c\xfc\xf7\x25\xd9\x3c\xd7\xaf\x67\x97\xb3\x26\x15\xec\xef\xfc\x34\xfc\x55\xa8\x12\x21\x82\xe7\x47\x47\xc7\xfd\xf5\x9f\x0e\xfa\x0d\x7a\x52\x5f\xe0\xdf\xa4\xe3\x86\x87\xcc\x7f\x7d\xf7\x4d\xfb\xae\xab\xe3\xb9\xf6\x68\x53\x11\xe3\xab\x52\x26\xdf\x5d\x43\x35\x15\xfb\xaf\x35\xd4\x8f\x47\x47\x47\x47\xbb\x1d\x15\x58\xa4\x11\xba\xbe\xcd\x68\x5c\x9b\xc0\xf4\x6c\x3e\xfb\x79\xc1\x2b\x3d\xe6\x85\x12\x1e\x27\x6d\x31\xcf\xea\xc1\x9d\x06\x13\x9e\x2c\xdb\x51\xba\x9b\x9e\xb1\x19\x65\xa2\xcf\x7a\x82\x7a\xf5\xc7\x8f\x10\x9e\x76\x2a\x03\x3e\x7d\xea\xbd\x49\x30\xa5\x11\x7e\xaf\xd9\xee\x96\xc4\xc5\x1e\xad\x19\x94\x57\x55\xa1\x5d\x5f\xfc\x63\x8a\x63\x53\x6a\x3f\x92\x1e\x73\x17\xb5\x4d\xc6\x49\x5d\x18\x2f\xd4\xa3\x36\xa8\xcb\x9c\x4e\x03\x7c\xdc\x8e\xfe\x17\x3c\x48\x6b\x35\x32\x8c\xaa\x3f\xd1\xd3\xfe\xe1\xf5\x74\x98\xc3\x57\x97\xe7\x6f\x2f\xe0\xa7\xdf\x5a\xc7\x3b\x06\x50\x27\x5d\xb8\x3d\x46\x9a\x69\xf5\x7b\x66\xa4\x3f\x40\x7d\x31\x23\xdd\x17\xff\x6b\x8b\x71\x12\xc1\x2f\x74\x86\xed\x16\x4c\x9f\x40\x99\xf6\x0c\xda\x17\xfb\xfb\x70\x3e\x9c\xed\x5d\xb3\x03\x0b\xde\x46\x4c\x66\xc2\x55\x0d\xb0\xa3\x04\x56\x24\x38\x50\xf3\x2c\x1e\xc2\x35\x56\x92\x89\x8e\xde\x1a\x85\xc6\x6e\x87\x08\xb1\x21\x65\xe7\x11\x2c\xb2\x70\x8b\x49\x15\x1a\x10\x4a\xc1\xca\x0a\x4d\xfa\x83\x87\xfe\xf6\x4e\x63\xa7\x17\x3c\xbd\x0f\xfc\xee\x1c\x27\xb2\x95\xd4\xd8\xa3\xa4\x66\xa1\x2e\x03\xbe\x79\xe0\x19\x5d\xae\x47\x5d\x29\x7c\x46\x91\xee\xc1\x7d\x8b\x3e\xe4\x7c\x98\x84\xfd\x7d\x38\x69\x74\x5e\x8f\xb7\x9e\xfa\x73\xe0\x32\xb3\x69\x44\x1b\xcb\x4e\xa6\xb1\x52\x5f\x16\x3f\x94\xe8\xbc\x0b\xe9\x88\x94\x31\xa9\xed\x1a\xa4\x15\x65\x15\x29\x20\x75\x22\x63\xe1\x89\x5f\xe1\x59\xbf\xb4\x99\x41\x45\xc2\x9e\xd6\x79\x96\xbb\xd0\x16\x4d\x23\xef\x65\xa5\x78\x0a\xe1\x7c\x25\xcf\x2b\x25\xd5\x08\x40\xa9\xd7\x42\xc9\x84\x7f\xa9\x20\xbd\x18\x97\x96\x94\x75\xd0\x14\xfc\x5a\x5a\xc3\xbf\x51\x84\xf0\xb2\x2f\xd2\x07\x5e\x08\x07\x4b\x44\x0d\xb9\x59\x63\xc2\x99\xad\xed\x1f\x28\xf5\xf0\x61\xbe\x76\x9a\xfa\xbe\xce\xfb\x80\xf9\xaf\x4e\xed\xb0\xdb\x76\x53\xfb\x57\x00\x00\x00\xff\xff\xb3\x04\xf7\x1d\x06\x12\x00\x00") // FileArtifactsDefinitionsWindowsEventLogsKerbroastingYaml is "artifacts/definitions/Windows/EventLogs/Kerbroasting.yaml" -var FileArtifactsDefinitionsWindowsEventLogsKerbroastingYaml = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xa4\x57\xdd\x6e\xdb\xca\x11\xbe\xe7\x53\x0c\x04\xb7\x91\xd4\x98\x72\x9c\xb4\x49\x05\x10\x88\x20\x2b\xa9\x11\xc7\x71\x2d\xb5\xb9\xa8\x8a\x60\x45\x0e\xa9\x85\x97\xbb\xcc\xee\x50\xb2\x10\xbb\xcf\x5e\xcc\x92\x94\x48\xdb\x71\x0e\xce\xe1\x8d\x97\xc3\xf9\x9f\xf9\xbe\x95\xb5\xc8\x71\x0c\x5f\xa5\x4e\xcc\xd6\x85\xb3\x0d\x6a\xba\x30\x99\x0b\x3f\xa1\x5d\x59\x23\x1c\x49\x9d\x05\x09\xba\xd8\xca\x82\xa4\xd1\x63\xb8\x0b\x02\x80\xc5\x5a\x3a\x98\x58\x92\xa9\x88\x09\xb6\x52\x29\xb0\x48\xa5\xd5\x20\x94\x02\x57\xc6\x31\x3a\x97\x96\x0a\xd8\x0f\x5a\xe3\x60\xf1\x71\x0e\x0b\x19\xdf\x20\x01\x72\x14\x07\xa9\xb1\x01\xc0\x1c\xed\x46\xc6\x08\x93\x38\x36\x25\x8b\xfb\xf3\xab\x4b\x10\x44\x56\xae\x4a\xc2\x01\xc8\xbc\x50\x98\xa3\x26\x4c\x60\x2b\x69\x0d\x5b\x14\x37\x80\x3a\xb6\x3b\x9f\x51\x08\x8b\x35\x3a\x0c\x00\xc8\xbb\x77\x20\x2c\xc2\xa6\x54\x1a\xad\x58\x29\x04\x32\xb0\xb2\x25\x21\x07\x8c\x91\x5d\x8b\xf8\x06\x84\x4e\x80\xb8\x0a\x9f\x0d\x48\x07\x42\x83\xd4\x89\x8c\x05\xf9\xc4\x4c\x0a\x02\xda\x6d\xa8\x2d\x43\xae\x7f\x38\x9c\x2c\x16\x7f\x9e\x7e\x1a\x0e\xc7\xf0\x9f\xc5\xab\xd3\x93\x77\x70\xdc\x51\xfe\x6f\x7f\x4d\x54\xb8\xf1\x68\x54\x5b\xe5\x92\x2c\x86\xc6\x66\x23\xc2\x78\xad\xe5\xf7\x12\xdd\xc8\x5b\x8e\x06\xdc\xd0\x5d\x21\x63\xa1\xea\x18\x68\x21\x47\x5a\x9b\xc4\x28\x93\xed\x38\x39\x32\x90\x4a\xeb\x48\xed\xc0\x22\xdb\x12\x88\xa6\x63\x52\x03\xad\x11\x12\x93\x0b\xa9\x03\xa8\xba\xd4\xe9\xa2\x7b\xc9\x1a\xfa\x60\xca\xa5\x3a\x8c\x4b\x8b\x7e\x30\x55\xe7\xb8\x41\xad\x56\x49\x9d\x85\xcd\xa8\xeb\xa6\x49\x07\x85\xb0\x24\xe3\x52\x09\xab\x76\x80\x69\x8a\x31\xc9\x0d\x82\xe0\xfe\xed\xea\x1c\x20\xb6\x98\xa0\x26\x29\x94\x83\x58\x68\x58\x21\x94\x0e\x13\x9e\x91\x39\x0c\xd4\x67\xdd\x1a\x87\xab\x57\x61\x5f\x98\x49\x09\x35\xac\xc5\x06\x01\x15\x6e\x04\xaf\x40\x61\xe5\x46\x2a\xcc\xd0\x71\x72\x9d\xf9\xb4\x22\xf9\x52\xf6\xaa\x80\x2e\x16\x4a\xf0\xb6\x00\xcb\xd1\x3a\xe9\x08\x75\x8c\xb0\xda\x81\x48\x12\x3f\x5d\x5e\xc6\x76\xd3\x38\x57\xa1\xa1\xd4\x78\x5b\x60\xcc\xb1\xeb\xc4\xea\x0d\xb8\xc6\x14\x2d\x3b\xa9\x96\x60\x8d\x0c\x08\x5e\x9b\x33\x24\xee\x8a\xce\x9a\xed\x17\x8e\x60\xe2\xeb\x74\x87\xbd\xd8\x6e\xb7\x21\xd9\xd2\x11\x26\x0e\xe3\x30\x36\xf9\xe8\xf4\xe4\xd5\xbb\xd1\xc9\x5f\x47\xc2\xd2\x37\x93\x7e\xbb\xd9\x5b\xfb\x15\x19\x0e\x2f\x4c\x06\x73\x53\xda\x2a\x64\x0d\x5a\x98\xf3\x1c\x25\xed\xc0\xa3\x17\x58\xa9\x7f\x56\xcd\x61\x6a\x34\x59\xa3\x14\x5a\x57\x79\xa8\x54\xce\xcf\xd8\xfe\xcd\xdb\xbf\xfd\xdd\x0b\xe7\x24\xa8\x74\x2c\x3a\xb9\x3d\x81\xfe\xa4\x4c\x24\xc1\xbc\xc2\x70\x65\x56\x03\x77\xb6\x07\x5d\xa5\xfc\xea\x2d\xf4\xaf\xa7\x6f\x2a\x9d\x06\xc8\x97\x22\xf7\xe9\x5d\x7e\x59\xc0\x8d\x5d\x51\x46\xdc\x73\x7e\x13\xe0\x76\x8e\x30\x6f\xfa\x08\xfd\xe6\xc0\x2c\x04\xa8\x13\xbf\xcb\x47\x75\x4c\x61\x33\xa4\x7f\x39\xb4\x6d\x8f\x8f\x7d\x0c\x8f\xde\x0f\x07\x01\x8f\xe4\xb3\xd1\x92\x8c\xf5\xbb\x24\x14\xf2\x30\x78\x7c\xa5\x2b\x85\x6a\x48\xc7\x63\x83\x98\x30\x20\x36\x3a\x91\x5c\x8c\x83\xd4\x9a\xbc\x3b\xeb\x00\xe0\xfc\x8a\x37\xec\xd2\x10\x8e\x99\x62\x2c\x7a\x62\x29\x0c\x55\x9b\x0d\xa9\x50\x8e\xdf\x9d\x64\x04\x38\x70\x06\xb6\x6b\x49\xa8\xa4\x23\xd0\xc6\xe6\x42\x81\xf3\xd3\x82\xf3\x2b\x86\x07\x3b\xcd\x85\x16\x19\x82\x95\xee\x86\x57\x65\x8f\xc2\x1a\x81\x19\x32\x6b\x79\x5a\x0b\x82\x40\x94\xb4\x36\x76\x0c\x9f\x05\x11\x7c\xb4\x88\x1a\x8e\xe1\x7d\x9e\xf1\xe9\xf4\x6d\x10\x14\xc2\x8a\x1c\x09\xad\x1b\x07\x00\xc7\x50\x91\x39\xd6\x24\x1e\x00\x00\x24\x98\x8a\x52\xd1\x18\xa6\xe3\x65\xbd\x30\xcb\xaa\x83\xaf\x4f\x97\x5b\xa9\x71\x43\x4b\x65\x32\xb7\x6c\xb6\x28\xc4\x0d\xdd\xb6\xbc\x09\xbf\x06\x9e\x11\x5b\xde\x52\xa9\x30\x08\xaa\xea\x3a\xc1\x3b\xf7\x06\x9b\x7c\x2f\xd1\xca\x4a\x87\x9f\x63\xb8\xab\x4f\x00\x17\xb3\x85\x77\xe4\x20\x82\xf9\xec\x62\x36\x5d\xc0\x10\x3e\x5c\x7f\xf9\x0c\x99\x32\xab\xfe\x5e\x8f\x1f\x96\xb8\xa8\x29\xed\x65\xe7\x5b\x93\x62\xd4\x1c\x06\x4f\x04\xab\x03\x90\xcc\xd1\x91\xc8\x8b\x3e\x16\x26\x5e\x47\x73\xdf\x8b\x70\x21\x73\x9c\x5a\x64\x86\x09\x2b\x11\x4b\x06\x30\x71\x15\xaa\xf8\xad\x1b\x14\xa0\x36\xf5\xdf\xcf\xcf\xc2\x7f\x0b\x55\x7a\x1e\xac\x05\x3f\x51\x9f\x9a\xbc\x28\x09\x2d\x6b\x36\xe7\x87\xaa\xde\xc3\x99\x20\x11\xd6\xa0\x62\x04\xb0\x41\xeb\xf5\x97\x36\x73\x99\xb4\x4c\xe6\x32\xf9\xb9\x45\x17\x6a\x6c\xd5\x95\x3c\xb4\xec\x9d\xdc\xf6\xe0\x2f\xcc\xb1\xb9\xa0\x7e\xf5\x27\xea\xfd\xe9\xb6\xf7\x12\x84\xcd\x5c\xd4\xca\xc5\x53\xcb\xc0\x27\xe2\x8f\xbf\x4a\xa2\x22\xae\x6e\x1a\x07\xd9\xef\x4f\xa4\x62\xb0\x03\x81\x2d\x76\x05\xfa\xb4\x9e\xfa\xf0\x47\xc3\x7c\xf1\x9e\x5c\xcb\x7f\x2d\x79\xa6\x7a\x2b\xb4\xcb\x25\x11\x26\xf5\xc4\x9c\xb7\x7e\x2c\xfe\xb9\x8f\xf3\x62\x92\x24\x16\x9d\xb7\xdc\xbf\x3c\xa7\x7f\x65\x2c\x55\xca\x7c\xda\x2b\x7a\x0c\xa6\xc6\xa2\x88\xd7\x6d\x18\x5a\xb3\x8d\x3c\x60\xdb\x3e\x19\xe0\xbb\xe8\x47\x27\x4a\x83\xe6\x8e\xd0\x7b\x2d\x84\x75\xf8\x8d\x39\xa6\xcf\x9e\x98\x34\xa2\x0f\xa5\x52\x57\x82\xd6\x83\x8e\xfa\xd7\x7f\xcc\xae\x67\x4f\x83\x2c\x6a\xee\xae\xee\x33\xb9\x3c\x83\xe7\x27\x0e\x11\x9c\xbe\xfe\x85\x5d\xb5\xa7\x10\xc1\xc9\x93\x8a\x7c\x09\x3d\x8d\xcf\xe8\x7f\xd0\xab\x2e\xbc\xbb\xe5\xf2\xe8\xa8\xf7\x1b\xcc\x1f\x00\x8f\x3d\x2c\x97\x47\xef\x0f\xa6\xf7\x83\x20\xb0\x58\x18\x4b\x35\xcb\xd2\xae\xc0\x31\x4c\x2f\xce\x67\x97\x0b\xaf\x45\x98\x17\x4a\xf0\x1d\xe5\x7f\x98\xf3\xd3\xe6\xe0\xf1\xe3\x1f\xde\x61\xad\x16\x3d\xff\x34\xde\x7e\xfc\x80\xf0\xec\xf0\x0f\x00\xdc\xdf\x1f\x3e\xfc\x93\x67\x0f\xbd\x7a\xdc\x07\xa6\x3c\x30\x5b\x87\xb2\x1e\xd2\xca\x63\x7c\x1f\xd6\xb6\x5a\x97\xea\x86\xe9\x57\x7f\xa2\x17\xed\xca\x5e\x0c\x7a\x70\x07\x0b\xff\x13\xff\xfe\x3e\xf8\x7f\x00\x00\x00\xff\xff\x0a\x90\x4f\x35\xc9\x0c\x00\x00") +var FileArtifactsDefinitionsWindowsEventLogsKerbroastingYaml = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xec\x57\xdd\x6e\xdb\xc6\x12\xbe\xe7\x53\x0c\x04\x9f\x13\x49\x27\x96\x1c\x27\xa7\x49\x05\x08\x88\x20\x2b\x89\x11\xc7\x71\x2d\xa6\xb9\xa8\x8a\x60\x45\x0e\xa9\x85\x97\xbb\xcc\xee\x50\xb2\x10\xbb\xcf\x5e\xcc\x92\x94\x48\xdb\x71\x8a\xf6\xb6\xbc\xf1\x72\x38\xff\x33\xdf\xb7\xb2\x16\x19\x8e\xe0\xb3\xd4\xb1\xd9\xb8\xc1\x6c\x8d\x9a\xce\x4c\xea\x06\xef\xd1\x2e\xad\x11\x8e\xa4\x4e\x83\x18\x5d\x64\x65\x4e\xd2\xe8\x11\xdc\x04\x00\xfd\xfe\xc9\x5e\xd4\xef\x8f\x20\x00\x08\x57\xd2\xc1\xc4\x92\x4c\x44\x44\xb0\x91\x4a\x81\x45\x2a\xac\x06\xa1\x14\xb8\x22\x8a\xd0\xb9\xa4\x50\xc0\xae\xd1\x1a\x07\xe1\xdb\x39\x84\x32\xba\x42\x02\xe4\xc0\x0e\x12\x63\xd9\xd5\x1c\xed\x5a\x46\x08\x93\x28\x32\x05\xcb\xbb\xf3\x8b\x73\x10\x44\x56\x2e\x0b\xc2\x1e\xc8\x2c\x57\x98\xa1\x26\x8c\x61\x23\x69\x05\x1b\x14\x57\x80\x3a\xb2\x5b\x9f\xd2\x00\xc2\x15\x3a\x64\x5f\xe4\x03\x38\x10\x16\x61\x5d\x28\x8d\x56\x2c\x15\x02\x19\x58\xda\x82\x90\x43\x46\xc8\xbe\x45\x74\x05\x42\xc7\x40\x5c\x87\xcf\x07\xa4\x03\xa1\x41\xea\x58\x46\x82\xca\xd4\x4c\x02\x02\x9a\xcd\xa9\x4c\x07\xc0\x5f\x7d\x6b\x26\x61\xf8\xdf\xe9\x7b\xee\xca\x6f\xe1\xb3\xe3\xa3\x57\x70\xd8\x32\xf8\xbd\xbb\x22\xca\xdd\x68\x38\xac\x2c\x33\x49\x16\x07\xc6\xa6\x43\xc2\x68\xa5\xe5\xd7\x02\xdd\xd0\x5b\x0e\x7b\xde\x65\xb8\xcd\x65\x24\x54\x15\x09\x2d\x64\x48\x2b\x13\x1b\x65\xd2\x2d\xe7\x48\x06\x12\x69\x1d\xa9\x2d\x58\x64\x6b\x02\x51\x77\x4e\x6a\xa0\x15\x42\x6c\x32\x21\x35\x3b\xf3\xed\x6a\xb5\xd3\x3d\x65\x15\xbd\xb7\xe5\x92\x1d\x46\x85\x45\x3f\xa2\xb2\x83\x7e\x36\xfb\x96\x49\x9d\x0e\x76\x53\xaf\xba\x27\x1d\xe4\xc2\x92\x8c\x0a\x25\xac\xda\x02\x26\x09\x46\x24\xd7\x08\x82\x1b\xb9\xad\xb3\x88\x2c\xc6\xa8\x49\x0a\xe5\x20\x12\x1a\x96\x08\x85\xc3\xd8\x4f\xcb\xec\x67\xeb\x13\x6f\x0c\xc6\x55\x5b\xb1\xab\xcd\x24\x84\x1a\x56\x62\x8d\x80\x0a\xd7\x82\xb7\x21\xb7\x72\x2d\x15\xa6\xe8\x7c\x7a\xad\x49\x35\x63\x71\x35\x3b\x5d\x40\x17\x09\x25\x78\x73\x80\xe5\x68\x9d\x74\x84\x3a\x42\x58\x6e\x41\xc4\xb1\x9f\xb3\xdf\xcc\x66\xe3\x38\x5b\xa1\xa1\xd0\x78\x9d\x63\xc4\xd1\xab\xd4\x1a\xcb\x70\x89\x09\x5a\xf6\x54\xee\xc3\x0a\x19\x22\xbc\x45\x27\x48\xdc\x1c\x9d\xd6\x78\x10\x8e\x60\xe2\xab\x75\xfb\x15\xd9\x6c\x36\x03\xb2\x85\x23\x8c\x1d\x46\x83\xc8\x64\xc3\xe3\xa3\x67\xaf\x86\x47\xff\x1f\x0a\x4b\x5f\x4c\xf2\xe5\x6a\x67\x5d\x6d\x4b\xbf\x7f\x66\x52\x98\x9b\xc2\x96\x41\x2b\x6c\xc3\x9c\x27\x2a\x69\x0b\x1e\xe4\xc0\x4a\xdd\x93\x72\x20\x53\xa3\xc9\x1a\xa5\xd0\xba\xda\x47\xa9\x74\x7a\xc2\x1e\x5e\xbc\xfc\xe9\xe7\x4a\x3c\x27\x41\x85\x63\xe1\xd1\xf5\x11\x74\x27\x45\x2c\x09\xe6\x25\xb6\x6b\xd3\x0a\xd2\xb3\x1d\x1a\x4b\xf5\x67\x2f\xa1\x7b\x39\x7d\x51\x6b\xd5\x18\x3f\x17\x99\x4f\xf3\xfc\x63\x08\x57\x76\x49\x29\xf1\x08\xf8\x4d\x80\xdb\x3a\xc2\xac\xee\x2a\x74\xeb\x03\x93\x16\xa0\x8e\xfd\x7a\x1f\xec\xe2\x0a\x9b\x22\x7d\x72\x68\x9b\x3e\xef\x7b\xe9\x1f\xbc\xee\xf7\xea\x09\x05\x00\x1f\x8c\x96\x8c\x6e\xde\x31\xa1\x90\xc7\xc3\x43\x2d\x5c\x21\x54\x4d\x4c\x1e\x35\xe4\x39\x25\x32\x3a\x96\x5c\x96\x83\xc4\x9a\xec\xce\x06\x04\x00\xa7\x17\xe5\xfc\xcf\x0d\xe1\x88\x89\xc8\xa2\x67\x9f\xdc\x50\xb9\xf5\x90\x08\xe5\xf8\xdd\x49\x46\x87\x03\x67\x60\xb3\x92\x84\x4a\x3a\x02\x6d\x6c\x26\x14\x38\x3f\x40\x38\xbd\x70\x3e\xb1\x00\x20\x13\x5a\xa4\x08\x56\xba\x2b\x5e\xa0\x1d\x46\x2b\x7c\xa6\xc8\xdc\xe6\xd9\x2f\x08\x02\x51\xd0\xca\xd8\x11\x7c\x10\x44\xf0\xd6\x22\x6a\x38\x84\xd7\x59\xca\xa7\xe3\x97\x41\x90\x0b\x2b\x32\x24\xb4\x6e\x14\x00\x1c\x42\x79\x0f\x60\xc5\xff\x01\x00\x40\x8c\x89\x28\x14\x8d\x60\x3a\x5a\x54\x4b\xb4\x28\x7b\xf9\xfc\x78\xb1\x91\x1a\xd7\xb4\x50\x26\x75\x8b\x7a\xb3\x06\xb8\xa6\xeb\x20\x28\x33\x6f\xf9\x6d\xdd\x26\xec\xfb\x6b\x81\x56\x96\x3a\xfc\x1c\xfa\x5b\xa5\x7c\xce\x66\x21\x24\x52\xa1\x83\x31\xcc\x67\x67\xb3\x69\x08\x7d\x78\x73\xf9\xf1\x03\xa4\xca\x2c\xbb\x3b\x3d\x7e\x58\xe2\xc6\x75\xd6\x4f\x5b\xdf\x84\x5f\x4a\x63\xc7\xf5\xa1\xf7\x40\xb0\x2a\x00\xc9\x0c\x1d\x89\x2c\xef\x62\x6e\xa2\xd5\x78\xee\xcb\x1c\x84\x32\xc3\xa9\x45\x26\x96\x41\x29\x62\x49\x0f\x26\xae\x04\x11\xbf\xb5\x83\x02\x54\xa6\xfe\xfb\xe9\xc9\xe0\x57\xa1\x0a\xcf\x7f\x95\xe0\x3b\xea\x53\x93\xe5\x05\xa1\x65\xcd\xfa\x7c\x57\xd5\x7b\x38\x11\x24\x06\x15\x76\x78\xcd\xd9\xa0\xf1\xfa\x43\x9b\xb9\x8c\x1b\x26\x73\x19\x7f\xdf\xa2\x8d\x27\xb6\x6a\x4b\xee\x5a\x76\x8e\xae\x3b\xf0\x3f\x66\xd6\x4c\x50\xb7\xfc\x33\xee\xfc\xe7\xba\xf3\x14\x84\x4d\xdd\xb8\x91\x8b\x67\x91\x9e\x4f\xc4\x1f\x7f\x94\x44\xc9\x53\xed\x34\xf6\xb2\xbf\x9f\x48\x49\x55\x7b\xa6\x0a\xb7\x39\xfa\xb4\x1e\xfa\xf0\x4f\xc3\x7c\xf4\x9e\x5c\xc3\x7f\x25\x79\xa4\x7a\x2b\xb4\xcb\x24\x11\xc6\xd5\xc4\x9c\xb7\xbe\x2f\xfe\xbe\x8f\xd3\x7c\x12\xc7\x16\x9d\xb7\xdc\xbd\x3c\xa6\x7f\x61\x2c\x95\xca\x7c\xda\x29\x7a\x0c\x26\xc6\xa2\x88\x56\x4d\x18\x5a\xb3\x19\x7b\xc0\x36\x7d\x32\xc0\xb7\xe3\x6f\xad\x28\x35\x9a\x5b\x42\xef\x35\x17\xd6\xe1\x17\xa6\x8f\x2e\x7b\x62\xd2\x18\xbf\x29\x94\xba\x10\xb4\xea\xb5\xd4\x3f\xbf\x9b\x5d\xce\x1e\x06\xd9\xd8\x5f\x54\x77\xea\x02\x98\x9c\x9f\xc0\xe3\x13\x87\x31\x1c\x3f\x87\x1f\x18\x96\x8b\x0a\x63\x38\x7a\x50\x91\xaf\x9a\x87\x01\x3a\xfe\x03\x3a\xe5\xc5\x76\xb3\x58\x1c\x1c\x74\xfe\x82\xf9\x1d\xe4\xb1\x87\xc5\xe2\xe0\x75\x87\xb5\x77\xe6\xb7\xbd\x20\xb0\x98\x1b\x4b\x15\xd5\xd2\x36\xc7\x11\x4c\xcf\x4e\x67\xe7\xa1\xd7\x22\xcc\x72\x25\xf8\x12\xba\x09\x2a\xb3\x26\x11\x8f\xee\xff\x00\x1f\x54\x6a\xe3\xc7\x9f\xda\xdb\xb7\x6f\x30\x68\xfc\x23\x00\xb7\xb7\xfb\x0f\xbf\xf0\x02\x40\xa7\x9a\xf9\x9e\x2e\xf7\xf4\xd6\xe2\xad\xbb\xdc\x72\x1f\xe4\xfb\xdd\x2d\x77\xa6\xbc\x66\xba\xe5\x9f\xf1\x93\x66\x65\x4f\x7a\x1d\xb8\x81\xd0\xff\xd0\xbf\xbd\x0d\x1a\xdd\x79\xf7\xe9\xdf\xde\xb4\x7a\xf3\x67\x00\x00\x00\xff\xff\x10\x08\xb2\x91\x00\x0e\x00\x00") // FileArtifactsDefinitionsWindowsEventLogsServiceCreationComspecYaml is "artifacts/definitions/Windows/EventLogs/ServiceCreationComspec.yaml" var FileArtifactsDefinitionsWindowsEventLogsServiceCreationComspecYaml = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x8c\x54\x4d\x6f\xdb\x38\x10\xbd\xeb\x57\x3c\xe4\x64\x2f\x36\xc2\x22\xbb\x8b\x00\x06\x84\xdd\x40\x76\xda\x00\x76\x13\xc4\x6e\x73\x31\x50\x30\xd4\x58\x22\x22\x92\x2a\x87\x72\x62\x34\xed\x6f\x2f\xa8\x0f\xc3\x4e\xa3\xb4\xbc\x78\x66\xfc\xde\xbc\x99\xe1\x50\x46\x68\x9a\xe0\x4e\x99\xcc\x3e\x72\x3c\xdb\x92\xf1\x73\x9b\x73\xbc\x24\xb7\x55\x92\x52\x47\xc2\x2b\x6b\x52\xab\xb9\x22\x19\x65\xc4\xd2\xa9\x2a\x84\x26\x78\x8e\x22\x60\x55\x28\xc6\x94\x3c\xc9\x10\x44\xe1\x19\xd6\xc0\x17\x04\xf6\x4e\x99\x1c\x27\xe9\xf5\x62\x79\x33\x4b\x4f\x30\x32\x56\x0a\xa6\x31\x94\xe9\x15\xd1\xe9\x44\x40\x2f\x05\x0a\x45\x70\x8c\x55\x21\x3c\x14\x4f\xd0\x54\x75\x35\xc5\xf9\x5f\xff\xfc\x8b\x8d\xb3\xba\x49\xbf\xdc\xb1\x27\xdd\xa2\x51\xda\x3c\xc6\xbe\x9c\xac\x29\x87\xa1\x85\xd9\xa1\x10\xf2\x01\xde\xda\x92\xe1\x43\xc6\x92\xb6\xe4\x44\x4e\x58\xa6\x0b\xdc\x0b\xa6\x0c\xa5\xf0\xe4\x44\x09\x6d\xb7\xa4\x43\xba\x08\x50\x46\x96\x75\x16\x1a\x60\x7d\x4f\x4f\x24\xe3\x28\x12\xb5\x2f\xac\x9b\x60\x21\xbc\xc7\x3b\x47\x64\x70\x8a\xff\x75\x1e\xac\xb3\xf3\x28\xaa\x84\x13\x9a\x3c\x39\x9e\x44\xc0\x29\xda\xe1\x52\x37\xd4\x08\x00\x32\xda\x88\xba\xf4\x13\xa4\x93\x75\x37\x83\x35\x37\x9d\xfc\x7d\xb6\x7e\x54\x86\xb6\x7e\x5d\xda\x9c\xd7\x6d\x7b\x31\x6d\xfd\xd3\x41\x2e\x21\x25\x31\x5b\x77\x9c\xcb\xf8\x0d\x47\x11\xdb\xda\x49\x3a\x92\x7e\x71\x8b\x0d\xeb\x4b\x4d\x4e\xb5\xb0\x70\x4e\xf1\xdc\x59\xc0\x7c\xb6\xc2\x46\x95\xc4\x48\xb0\x9c\xcd\x67\xe9\x0a\x7f\xe0\xf2\xf6\x7a\x81\xbc\xb4\xf7\xa3\x3d\x2e\x9c\x10\xe1\xa4\xef\xed\xcf\xa3\xff\xfa\x2a\x93\xde\x18\xbf\x22\xd6\x0b\xec\x03\x8d\xd0\xc6\x3a\x12\xb2\x38\xd4\x72\xf6\x31\x69\xaa\x3a\x14\x09\x5d\xec\x92\xaf\x47\xb2\x5d\x46\xaf\x34\xb1\x17\xba\x1a\x51\x65\x65\x91\x74\x93\x5c\x29\xdd\x0e\x82\xb2\xb8\x0d\x85\xc8\x18\x17\xdc\x2e\x58\xf0\x8e\xdb\x40\xb7\x63\x71\xb7\x80\xf1\x27\x51\xd6\x04\xc1\xfd\x46\x0e\xc0\x53\xab\xab\xda\x93\x0b\xc8\xde\x1e\x80\x2e\x49\xd6\x4e\xf9\x5d\xfc\x91\xc9\x5d\x4d\x03\xa3\x0f\xfd\x9c\xbe\x51\x9d\x0a\x2f\xe2\x0b\x29\x6d\x6d\xfc\x07\xa1\xa9\xa5\x34\xd7\xdc\x45\x87\x69\x1d\xee\x05\x2d\xb8\xc3\x9c\x2b\x2d\x72\xba\x11\xbe\x08\x8c\xbd\xf3\x4b\x8d\xd5\xae\x3a\xd4\x08\xee\x1b\x1c\x2f\x9c\xdf\x33\x7a\xe7\xad\xcb\xb8\x25\x69\x5d\xd6\x0e\xec\x28\x30\x40\x9a\xd3\x96\xca\x00\x6e\x8c\x01\xd0\x75\x25\x6d\xd6\xd4\xd0\x5a\x03\xb0\x95\xe0\x87\x00\x0a\xbf\x47\x88\x66\x81\x2b\xe1\x98\x3e\x87\x67\x3b\x0a\x4b\x1b\xde\x61\x72\x59\x97\x65\x33\xb5\xe1\x97\xd1\x9e\xbb\xf7\xb3\xdb\xd9\xeb\x5b\x97\xb4\x9f\x3f\x61\x32\xfc\xc6\x5d\x25\xdf\x71\x32\xfa\x4f\x8d\xfb\x6f\xef\x9e\xf2\x6d\x1c\xfd\x08\x00\x00\xff\xff\x52\x93\x8e\xa0\xf3\x05\x00\x00") @@ -257,7 +257,7 @@ var FileArtifactsDefinitionsWindowsEventsDNSQueriesYaml = []byte("\x1f\x8b\x08\x var FileArtifactsDefinitionsWindowsEventsFailedLogBeforeSuccessYaml = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xb4\x55\x4b\x8f\xda\x48\x10\xbe\xfb\x57\x94\xb4\x87\x81\xd5\x60\x46\x79\x1d\xd0\x12\x29\x21\xcc\x66\x24\x76\x26\x0a\x24\x51\xa4\x48\xa8\x69\x97\x4d\xef\xb4\xbb\x9c\xae\x32\x84\x7d\xfc\xf7\x55\xb7\x6d\x06\xa3\x49\x72\x5a\xdf\xfa\x55\xf5\x3d\xaa\xca\x4e\x95\x38\x81\x4f\xc6\x65\xb4\xe7\x74\xbe\x43\x27\x9c\x5e\x2b\x63\x31\x5b\x50\xf1\x1a\x73\xf2\xb8\xac\xb5\x46\xe6\x24\x43\xd6\xde\x54\x62\xc8\x4d\xe0\x9f\x04\x60\x49\x25\x8a\x29\x91\x41\x89\x28\x7d\x8f\x9e\x61\x6f\xac\x85\x8d\xaf\x05\x21\x27\xaf\x11\x94\x03\x4b\x5a\x59\xa8\x19\xfd\x05\x83\xd2\x9a\x6a\x27\x17\x9c\x00\x54\x8a\x79\x4f\x3e\x4b\xe1\x26\x07\xd9\x62\x77\x78\x3c\x00\xc3\xc0\xe2\xc9\x15\x97\xfd\xa0\x31\x1f\x83\xf2\x98\x00\x38\x12\xc0\x3c\x47\x2d\x66\x17\x12\x66\x50\x9a\x62\x2b\x71\xdf\x63\xe5\x91\xd1\x09\x28\xd8\x9a\x62\x0b\x3b\x65\x6b\x04\x0c\x4c\xc1\xb8\x04\x42\xde\x92\xd1\xee\x90\xd3\x24\x01\x78\x4b\x7b\xdc\xa1\xbf\x04\xd3\x40\x3a\x4b\x8b\x65\x25\xc0\x41\x11\xcc\xf8\x32\xdc\x70\x60\x24\xe0\x54\xb0\x43\x7f\x88\x49\x12\xe8\xa5\x19\xb0\x71\xfa\x34\x92\x71\x05\xa8\x1e\x49\x39\x54\x46\x2b\x6b\x0f\xa0\x12\x00\xae\xb9\x32\xda\x50\x1d\xe4\x12\xb3\x33\x72\x18\x46\x70\x77\x2e\x62\x42\x97\x55\x64\x9c\x80\x6c\x0d\x83\x25\xba\x67\xb0\xe6\x1e\x41\xc1\xa6\x76\x7a\x0b\x94\x43\x1e\x4d\x04\x4b\x05\xb9\x0e\x38\x37\x8c\xbf\xd6\x46\xdf\x37\x24\x98\x0d\x39\xc8\xc9\x5a\xda\x63\x06\x9b\x03\xa8\xee\x20\xaf\x6d\x78\x6d\x5c\xcc\x7c\x7b\xb7\x9a\x4f\xe0\xc6\x01\xf9\x0c\x7d\x60\xd1\x24\x57\x5e\x4c\xae\xb4\x80\x10\xec\xc9\xdf\xc3\x1e\xc1\x21\x66\x5d\x4d\x85\xfd\x4d\x30\xc9\x52\x51\x04\xde\x2d\xae\xce\xe9\x26\x03\xac\x42\x2c\xc3\xd1\x32\x72\x01\x47\x86\xb9\xaa\xad\x44\x3b\x79\x4b\xb5\xcd\x12\x80\x4d\xe0\xae\x36\x21\xc0\xce\x28\x28\x3c\xd5\x15\x54\x64\x8d\x3e\x44\x94\x5b\x91\x8a\x27\xe3\x71\x46\x9a\xd3\xd2\x68\x4f\x4c\xb9\xa4\x9a\xca\x31\xba\x51\xcd\xe3\x7d\x83\x6a\xcc\xa8\x6b\x6f\xe4\x30\x96\xad\x47\x25\xa3\xca\x93\x84\xfa\x21\x37\x56\x75\x66\xc4\xb8\x62\xbc\x51\x6c\xf4\x28\x2e\x47\x51\xc6\x51\xb4\x93\x43\xa2\xcf\x54\x83\x56\x0e\x18\x25\x3a\xd2\x60\x00\xe3\x7a\x98\xa0\x54\x4e\x15\x65\xa8\x01\x4d\x8e\xc9\x22\x0c\x8a\xaa\xd4\xc3\x49\x02\x30\xa3\xb2\xaa\x05\x3d\xcc\xc8\xe5\xa6\xa8\xbd\x0a\xe9\xbf\x74\xba\x2d\x51\x02\x0a\xfe\xb2\x6c\xa1\x3e\xec\x2c\x62\x3f\xbd\x0b\x29\x0c\xf2\x97\x57\x01\x61\xb3\x3c\xa4\x89\x1c\x2a\x9c\xc0\x6c\x71\x33\xbf\x5d\xad\xe7\x1f\xe7\xb7\xab\x24\xa9\x94\x57\x25\x0a\x7a\x0e\x89\x47\xd0\x74\x7d\xa7\xc1\x82\x8a\x6b\x63\x83\x47\xd0\xa9\x3e\x81\x97\xa3\xb8\x06\x98\x4d\xc6\x2d\xa4\xf1\xf2\xc0\x82\xe5\xd3\x27\x61\x03\x77\x32\x5e\x50\xc1\xe3\x0e\x5e\x8a\x3b\xf9\x96\x9c\x84\x0f\x46\xd7\x1e\x67\xc1\xe6\x36\xf6\xc9\xfc\x78\x65\xd1\x4b\xdb\x63\x1e\x43\x23\x37\xf5\x54\x2a\x77\xe8\x9e\x32\x6c\xe2\x00\x8a\x0a\xf7\xab\x92\x5c\xda\xc7\xfb\xf4\x3c\x75\x1c\x60\xe4\x56\xa6\xc4\x06\xff\xd9\xfd\x17\x57\x57\x49\xc2\x54\x7b\x8d\xad\x2a\x95\x47\x4d\x2e\x98\x4f\x6e\xd2\xb2\x5f\xce\x17\xf3\xd9\x0a\xee\x96\x70\xfd\xfe\xee\x0f\x30\x2e\xa7\xc1\x10\xf6\x11\xf3\xdd\x12\xa6\x70\xd1\x56\xd4\x45\x7c\xf0\xb5\x46\x6f\x9a\x78\xe1\x1b\xc5\x31\xd9\x7c\x8b\xf9\xaa\xc5\xb5\x6e\x7a\x72\xda\x05\x8f\x53\xf7\x8d\x12\x05\x8a\xa1\x99\xbd\xc7\xad\xcb\xe3\xfb\x00\x26\xea\xff\x70\xab\x59\x1f\x6f\x44\x84\x7b\x25\x7a\xbb\x0e\x5e\x0c\x72\x63\x31\xe8\x31\x3d\x33\x7a\x78\x7c\xf1\xe9\xed\xfc\xfd\xbc\x0d\xdb\x0c\xff\x9b\x37\xe9\xc7\x38\xb9\xa6\xf0\xec\xc5\x93\xe7\xc9\x77\x88\x58\xc5\xb2\x7e\xbe\x6e\xfa\xe1\x81\xc9\x39\xf8\xc7\x71\x1e\xb1\xe6\x26\xa7\x41\x90\xec\x30\x3d\x55\xa6\xc7\xf9\xe4\x2b\xd5\xb7\xb5\xa7\x3d\x4f\x9f\x5f\x5d\xfd\xe8\x8e\x2a\x70\xaa\x84\xcc\x80\xc5\x1b\x57\x4c\x1f\xad\x86\xe1\xb0\xe3\xf6\x0b\x5c\xc7\xe1\x1e\x8a\x2c\x20\x0a\x13\xab\x54\x82\xde\x28\x6b\xfe\xc2\xf4\x7b\x5e\x12\xc1\x6f\x47\xe6\xbf\x36\x8c\x7a\xba\x7c\x4f\xbc\xb6\x92\x7f\x58\x06\xed\x3f\xf7\x67\x75\xd0\x5e\xfb\xdf\x0b\xe1\xd9\x63\x5c\xfa\xd4\x43\xa3\x2a\xbd\x1d\x9c\x00\xf5\xb4\x9f\xf6\xc8\x9e\xb2\x68\x7c\xff\xbb\xc7\xab\x09\xd8\x23\x95\x06\xcb\x66\x61\x46\x63\x96\x36\x5b\x61\x07\x5e\x2d\xe1\xe8\xe8\x63\xc5\xd0\x0b\x72\xf9\x63\x3d\xdb\x0f\x5d\x5d\xa2\x57\x82\x03\x23\x58\xf2\xf4\xac\x9a\x87\x3f\x6b\xcf\x4e\xfd\x93\x9a\xbf\x84\xf8\x97\x6b\x03\xf6\x30\xc5\x70\x0f\xc3\xf1\xd4\xba\x7e\x15\x9d\x9c\x36\x36\x9d\x61\x48\x97\xf5\xe6\x4f\xd4\xf2\x81\xd1\xdf\xaa\x32\x38\x76\xce\xf6\xfc\xca\x69\xcc\xdf\xdf\xdf\x7d\x78\x07\xaf\x3f\x3f\xc8\x79\x72\xfa\xef\xb0\x4b\x1a\x91\xc2\x4b\x38\x6f\xac\x6e\xc2\x0f\x93\xff\x02\x00\x00\xff\xff\x20\x8b\x63\x71\x4b\x0a\x00\x00") // FileArtifactsDefinitionsWindowsEventsKerbroastingYaml is "artifacts/definitions/Windows/Events/Kerbroasting.yaml" -var FileArtifactsDefinitionsWindowsEventsKerbroastingYaml = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xa4\x55\xe1\x6f\xdb\xb6\x13\xfd\xae\xbf\xe2\x21\xc8\xef\x07\xdb\x6b\xec\x34\xed\xd6\xce\x80\x81\x1a\x8e\xdb\x05\x4d\xdd\x20\xd6\xda\x0f\xf3\x10\xd0\xd2\x59\x22\x42\x91\x2a\x79\xb2\x63\xac\xdb\xdf\x3e\x90\x92\x1c\x3b\x4d\xdb\x61\xf3\x17\x53\xa7\x7b\xef\x8e\x77\xf7\x4e\x5a\x14\x34\xc4\x47\xa9\x53\xb3\x71\xfd\xe9\x9a\x34\xbb\xfe\x5b\xb2\x4b\x6b\x84\x63\xa9\xb3\x28\x25\x97\x58\x59\xb2\x34\x7a\x88\xcf\x51\x04\xc4\xb9\x74\x18\x5b\x96\x2b\x91\x30\x36\x52\x29\x14\x46\x4b\x36\x16\x42\x29\xb8\x2a\x49\xc8\xb9\x55\xa5\xe0\x89\xc8\x1a\x87\xf8\xcd\x1c\xb1\x4c\x6e\x89\x41\x21\x06\x56\xc6\x22\x02\xe6\x64\xd7\x32\x21\x8c\x93\xc4\x54\xde\xde\x99\x5f\xcd\x20\x98\xad\x5c\x56\x4c\x5d\xc8\xa2\x54\x54\x90\x66\x4a\xb1\x91\x9c\x63\x43\xe2\x16\xa4\x13\xbb\x0d\x39\xf5\x11\xe7\xe4\xc8\x73\x71\x08\xe0\x20\x2c\x61\x5d\x29\x4d\x56\x2c\x15\x81\x0d\x96\xb6\x62\xf2\x21\x13\xf2\xdc\x22\xb9\x85\xd0\x29\xd8\x5f\x24\xe4\x03\xe9\x20\x34\xa4\x4e\x65\x22\xb8\x4e\xcd\xac\x20\xb0\x5f\x8a\x06\xda\x87\x7f\x1b\x01\xbd\xde\x38\x8e\xff\x3f\x79\xdb\xeb\x0d\xf1\x5b\xfc\xf4\xec\xf4\x25\x4e\x0e\x00\xbf\x77\x72\xe6\xd2\x0d\x07\x83\x06\x59\x48\xb6\xd4\x37\x36\x1b\x30\x25\xb9\x96\x9f\x2a\x72\x83\x80\x1c\x74\x03\x65\xbc\x2d\x65\x22\x54\x13\x89\x2c\x0a\xe2\xdc\xa4\x46\x99\x6c\xeb\x73\x64\x83\x95\xb4\x8e\xd5\x16\x96\x3c\x9a\x21\xda\xca\x49\x0d\xce\x09\xa9\x29\x84\xd4\x9e\x2c\x94\xeb\xa0\x9c\xee\x89\x77\xd1\xf7\x58\x7f\x65\x47\x49\x65\x29\xb4\xa8\xae\x60\xe8\xcd\x7d\xc9\xa4\xce\xfa\x68\xdb\xde\x54\x4f\x3a\x94\xc2\xb2\x4c\x2a\x25\xac\xda\x82\x56\x2b\x4a\x58\xae\x09\xc2\x17\x72\xdb\x66\x91\x58\x4a\x49\xb3\x14\xca\x21\x11\x1a\x4b\x42\xe5\x28\x0d\xdd\x32\xf7\xbd\x0d\x89\xef\x35\xc6\x35\x53\xb1\xbb\x9b\x59\x31\x69\xe4\x62\x4d\x20\x45\x6b\xe1\xa7\xa1\xb4\x72\x2d\x15\x65\xe4\x42\x7a\x07\x9d\xda\x8f\xe5\x6f\xb3\xf3\x05\xb9\x44\x28\xe1\x27\x07\xde\x4e\xd6\x49\xc7\xa4\x13\xc2\x72\x0b\x91\xa6\xa1\xcf\x61\x32\xf7\x0b\xe7\xb3\x15\x1a\x95\xa6\xbb\x92\x12\x1f\xbd\x49\x6d\x6f\x18\xae\x69\x45\xd6\x33\xd5\xf3\x90\x93\xd7\x88\x9f\xa2\x73\x62\x5f\x1c\x9d\xb5\x7a\x10\x8e\x31\x0e\xb7\x75\xf7\x23\xb2\xd9\x6c\xfa\x6c\x2b\xc7\x94\x3a\x4a\xfa\x89\x29\x06\x67\xa7\x4f\x5f\x0e\x4e\x7f\x1c\x08\xcb\x37\x66\x75\x73\xbb\x43\x37\xd3\xd2\xeb\x5d\x9a\x0c\x73\x53\xd9\x3a\x68\x23\x63\xcc\x7d\x47\x25\x6f\x11\xf4\x0c\xef\xd4\x39\xaf\x1b\x32\x31\x9a\xad\x51\x8a\xac\x6b\x39\x6a\xa7\x8b\x73\xcf\xf0\xfc\xc5\x4f\x3f\x37\xe6\x39\x0b\xae\x9c\x37\x9e\xde\x9d\xa2\x33\xae\x52\xc9\x98\xd7\xda\x6e\xa1\x8d\xa4\xa7\x3b\x35\xd6\xee\x4f\x5f\xa0\x73\x3d\x79\xde\x7a\xb5\x1a\x9f\x89\x22\xa4\x39\x7b\x1f\xe3\xd6\x2e\x39\x63\xdf\x02\xff\x24\xe0\xb6\x8e\xa9\x68\xab\x8a\x4e\x7b\xf0\xfb\x09\xa4\xd3\x30\xde\xc7\xbb\xb8\xc2\x66\xc4\xbf\x3a\xb2\xfb\x9c\x5f\xb2\xf4\x8e\x5f\xf5\xba\x6d\x87\x22\xe0\x5d\xbb\xa6\x74\x0a\xa1\xc8\xb7\xc7\x37\xb5\x72\x95\x50\xbb\xc5\x64\x4d\xf1\xa0\xd7\x17\x57\x75\x9b\x67\x86\x69\xe8\xf7\x8d\xa5\xb0\x64\x4a\xc3\xf5\x70\x63\x25\x94\xf3\xcf\x4e\x7a\x11\x38\x38\x83\x4d\x2e\x99\x94\x74\x0c\x6d\x6c\x21\x14\x5c\xe8\x13\x2e\xae\x5c\x88\x1f\x01\x85\xd0\x22\x23\x58\xe9\x6e\xfd\x9c\xec\xa4\xd8\xc8\x30\x23\xbf\xc2\xc2\x92\x8b\xa2\x48\x54\x9c\x1b\x3b\xc4\x3b\xc1\x8c\x37\x96\x48\xe3\x04\xaf\x8a\xcc\x9f\xce\x5e\x44\x11\x6f\x4b\x1a\x62\x72\x79\x31\x9d\xc5\x37\xd3\x0f\xd3\x59\x1c\x45\xa5\xb0\xa2\x20\x26\xeb\x86\x11\x70\x82\x7a\xdb\x87\x8b\x5e\x9a\x2c\x02\x80\x94\x56\xa2\x52\x3c\xc4\x64\xb8\x68\xe6\x67\x51\x97\xf1\xd9\xd9\x62\x23\x35\xad\x79\xa1\x4c\xe6\x16\xed\x50\xf5\x69\xcd\x77\x51\x54\xdf\xe6\x80\xf7\xe0\xb3\xe1\xb9\x3f\x55\x64\x65\xed\xe3\x7f\x27\xf8\xdc\x9c\x80\xcb\x69\x8c\x95\x54\xe4\x30\xc2\x7c\x7a\x39\x9d\xc4\xe8\xe1\xf5\xf5\xfb\x77\xc8\x94\x59\x76\x76\x7e\xfe\xe7\x2d\x6e\xd4\x66\xdd\x7d\x84\xad\x61\x60\x59\x90\x63\x51\x94\x1d\x2a\x4d\x92\x8f\xe6\xe1\x1e\xfd\x58\x16\x34\xb1\xe4\x97\x46\xbf\x36\x79\x4b\x17\x63\x57\x0b\xc4\x3f\x3d\x39\x88\x08\x34\xd0\xf0\xfe\xe2\xbc\xff\x41\xa8\x2a\xec\xb6\xc6\xf0\x15\xf7\x89\x29\xca\x8a\xc9\x7a\xcf\xf6\xfc\xd0\x35\x30\x9c\x0b\x16\xfd\x46\x17\x7e\x84\x3d\x60\xef\xf1\xbb\x98\xb9\x4c\xf7\x20\x73\x99\x7e\x1d\x71\xa8\x15\x8f\x3a\xb4\x3c\x44\x1e\x9d\xde\x1d\xe1\x07\xbf\x35\x0b\xc1\x9d\xfa\x6f\x74\xf4\xbf\xbb\xa3\x27\x10\x36\x73\xa3\xbd\x5c\xc2\x86\xe8\x86\x44\xc2\xf1\x7b\x49\xd4\x3b\xe8\x30\x8d\x7b\xdb\xbf\x4f\xa4\x5e\x43\xf7\x5b\x28\xde\x96\x14\xd2\x7a\xec\xc5\x7f\x0d\xf3\x3e\x30\xb9\x3d\xfe\xc6\xf2\x8d\xdb\x5b\xa1\x5d\x21\x99\x29\x6d\x3a\xe6\x02\xfa\x4b\xf3\xd7\x39\x2e\xca\x71\x9a\x5a\x72\x01\xb9\x7b\xf8\x96\xff\x95\xb1\x5c\x3b\xfb\xd3\xce\x31\x88\x6c\x65\x2c\x89\x24\xdf\xd7\x99\x35\x9b\x51\x50\xe4\x3e\xa7\x57\xf0\x76\xf4\xc7\x41\x94\x56\xae\x07\xc6\xc0\xba\x11\x9c\xe4\x37\x7e\x3f\x74\x3c\x93\xdf\x0a\xa3\xd7\x95\x52\x57\x82\xf3\xee\x81\xfb\xc7\x5f\xa6\xd7\xd3\xc7\x45\x36\x0a\x1f\xa1\x07\xf7\x02\xc6\xb3\x73\x7c\xbb\xe3\x18\xe1\xec\x19\xbe\x03\xac\x07\x15\x23\x9c\x3e\xea\xe8\x3f\x23\x8f\x0b\x74\xf4\x17\x8e\xea\x8f\xd6\xe7\xc5\xe2\xf8\xf8\xe8\x1f\xc0\x1f\x28\xcf\x33\x2c\x16\xc7\xaf\x8e\xbc\xf7\x0e\xfe\x67\x37\xfa\x3b\x00\x00\xff\xff\x0b\xce\xec\x1d\x84\x0b\x00\x00") +var FileArtifactsDefinitionsWindowsEventsKerbroastingYaml = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xa4\x55\x6f\x6f\xdb\xc6\x0f\x7e\xaf\x4f\x41\x04\xf9\xfd\x60\x7b\x8d\x9d\xa6\xdd\xda\x19\x30\x50\xc3\x76\xbb\xa0\xa9\x1b\xc4\x5a\xfb\x62\x1e\x82\xf3\x89\x92\x0e\x39\xdd\xa9\x77\x94\x1d\x63\xdd\x3e\xfb\xc0\x93\xe4\x3f\x69\xda\x0e\x9b\xdf\x58\xa2\xf8\x3c\xe4\x91\x7c\x78\x46\x14\x38\x84\x8f\xca\x24\x76\xe3\xfb\xb3\x35\x1a\xf2\xfd\xb7\xe8\x56\xce\x0a\x4f\xca\x64\x51\x82\x5e\x3a\x55\x92\xb2\x66\x08\x9f\x23\x80\x5e\x6f\xba\x37\xf5\x7a\x43\x88\x00\xe2\x5c\x79\x18\x3b\x52\xa9\x90\x04\x1b\xa5\x35\x14\xd6\x28\xb2\x0e\x84\xd6\xe0\x2b\x29\xd1\xfb\xb4\xd2\xc0\xdc\xe8\xac\x87\xf8\xcd\x02\x62\x25\xef\x90\x00\x43\x58\x48\xad\x63\xae\x05\xba\xb5\x92\x08\x63\x29\x6d\xc5\xf6\xce\xe2\x7a\x0e\x82\xc8\xa9\x55\x45\xd8\x05\x55\x94\x1a\x0b\x34\x84\x09\x6c\x14\xe5\xb0\x41\x71\x07\x68\xa4\xdb\x86\x9c\xfa\x10\xe7\xe8\x91\xb9\x28\x04\xf0\x20\x1c\xc2\xba\xd2\x06\x9d\x58\x69\x04\xb2\xb0\x72\x15\x21\x87\x94\xc8\xdc\x42\xde\x81\x30\x09\x10\x1f\x24\xe4\x03\xca\x83\x30\xa0\x4c\xa2\xa4\xa0\x3a\x35\x9b\x82\x80\xc3\xea\x34\xd0\x3e\xf0\xd7\x50\x9b\x71\x1c\xff\x7f\xf2\x96\xcb\xf2\x5b\xfc\xf4\xe2\xfc\x25\x9c\x1d\x01\x7e\xef\xe4\x44\xa5\x1f\x0e\x06\x0d\xb2\x50\xe4\xb0\x6f\x5d\x36\x20\x94\xb9\x51\x9f\x2a\xf4\x83\x80\x1c\x74\x03\x65\xbc\x2d\x95\x14\xba\x89\x84\x0e\x0a\xa4\xdc\x26\x56\xdb\x6c\xcb\x39\x92\x85\x54\x39\x4f\x7a\x0b\x0e\x19\x4d\x20\xda\xca\x29\x03\x94\x23\x24\xb6\x10\xca\x30\x59\x28\xd7\x51\x39\xfd\x13\x76\x31\x7b\x2c\x1f\xd9\xa3\xac\x1c\x86\x16\xd5\x15\x0c\xbd\xd9\x97\x4c\x99\xac\xbf\x6b\x7b\x53\x3d\xe5\xa1\x14\x8e\x94\xac\xb4\x70\x7a\x0b\x98\xa6\x28\x49\xad\x11\x04\x17\x72\xdb\x66\x21\x1d\x26\x68\x48\x09\xed\x41\x0a\x03\x2b\x84\xca\x63\x12\xba\x65\xf7\xbd\x0d\x89\x1f\x34\xc6\x37\x53\xb1\x3b\x9b\x4d\x09\x0d\xe4\x62\x8d\x80\x1a\xd7\x82\xa7\xa1\x74\x6a\xad\x34\x66\xe8\x43\x7a\x47\x9d\x3a\x8c\xc5\xa7\xd9\xf9\x02\x7a\x29\xb4\xe0\xc9\x01\xb6\xa3\xf3\xca\x13\x1a\x89\xb0\xda\x82\x48\x92\xd0\xe7\x30\x99\x87\x85\xe3\x6c\x85\x81\xca\xe0\x7d\x89\x92\xa3\x37\xa9\x1d\x0c\xc3\x0d\xa6\xe8\x98\xa9\x9e\x87\x1c\x59\x23\x3c\x45\x53\x24\x2e\x8e\xc9\x5a\x3d\x08\x4f\x30\x0e\xa7\xf5\xfb\x11\xd9\x6c\x36\x7d\x72\x95\x27\x4c\x3c\xca\xbe\xb4\xc5\xe0\xe2\xfc\xe9\xcb\xc1\xf9\x8f\x03\xe1\xe8\xd6\xa6\xb7\x77\x3b\x74\x33\x2d\xbd\xde\x95\xcd\x60\x61\x2b\x57\x07\x6d\x94\x0d\x0b\xee\xa8\xa2\x2d\x04\x89\x03\x3b\x75\xa6\x75\x43\x26\xd6\x90\xb3\x5a\xa3\xf3\x2d\x47\xed\x74\x39\x65\x86\xe7\x2f\x7e\xfa\xb9\x31\x2f\x48\x50\xe5\xd9\x78\x7e\x7f\x0e\x9d\x71\x95\x28\x82\x45\xad\xed\x16\xda\x48\x7a\xb6\x53\x63\xed\xfe\xf4\x05\x74\x6e\x26\xcf\x5b\xaf\x56\xe3\x73\x51\x84\x34\xe7\xef\x63\xb8\x73\x2b\xca\x88\x5b\xc0\x6f\x02\xfc\xd6\x13\x16\x6d\x55\xa1\xd3\x3e\xf0\xca\x02\x34\x49\x18\xef\xd3\x5d\x5c\xe1\x32\xa4\x5f\x3d\xba\x43\xce\x2f\x59\x7a\xa7\xaf\x7a\xdd\xb6\x43\x11\xc0\xbb\x76\x4d\x99\x04\x84\x46\x6e\x0f\x37\xb5\xf2\x95\xd0\xbb\xc5\xe4\x6c\xf1\xa0\xd7\x97\xd7\x75\x9b\xe7\x96\x70\xc8\xfb\xc6\x61\x58\x32\xa5\xa5\x7a\xb8\x21\x15\xda\xf3\xbb\x57\x2c\x02\x0f\xde\xc2\x26\x57\x84\x5a\x79\x02\x63\x5d\x21\x34\xf8\xd0\x27\xb8\xbc\xf6\x21\x7e\x04\x50\x08\x23\x32\x04\xa7\xfc\x1d\xcf\xc9\x4e\x8a\x8d\x0c\x33\xe4\x15\x16\x96\x5c\x14\x45\xa2\xa2\xdc\xba\x21\xbc\x13\x44\xf0\xc6\x21\x1a\x38\x83\x57\x45\xc6\x4f\x17\x2f\xa2\x88\xb6\x25\x0e\x61\x72\x75\x39\x9b\xc7\xb7\xb3\x0f\xb3\x79\x1c\x45\xa5\x70\xa2\x40\x42\xe7\x87\x11\xc0\x19\xd4\x17\x40\x38\xe8\x95\xcd\x22\x00\x80\x04\x53\x51\x69\x1a\xc2\x64\xb8\x6c\xe6\x67\x59\x97\xf1\xd9\xc5\x72\xa3\x0c\xae\x69\xa9\x6d\xe6\x97\xed\x50\xf5\x71\x4d\xf7\x51\x54\x9f\xe6\x88\xf7\xe8\x26\x61\xee\x4f\x15\x3a\x55\xfb\xf0\xef\x2c\xdc\x28\xf5\xef\x6a\x16\x43\xaa\x34\x7a\x18\xc1\x62\x76\x35\x9b\xc4\xd0\x83\xd7\x37\xef\xdf\x41\xa6\xed\xaa\xb3\xf3\xe3\x1f\x5b\xfc\xa8\xcd\xba\xfb\x08\x5b\xc3\x40\xaa\x40\x4f\xa2\x28\x3b\x58\x5a\x99\x8f\x16\xe1\x1c\xfd\x58\x15\x38\x71\xc8\x4b\xa3\x5f\x9b\xd8\xd2\x85\xb1\xaf\x05\xc2\x6f\x4f\x8e\x22\x02\x34\xd0\xf0\xfd\x72\xda\xff\x20\x74\x15\x76\x5b\x63\xf8\x8a\xfb\xc4\x16\x65\x45\xe8\xd8\xb3\x7d\x7e\xe8\x1a\x18\xa6\x82\x44\xbf\xd1\x05\x8f\x30\x03\x0e\x5e\xbf\x8b\x59\xa8\xe4\x00\xb2\x50\xc9\xd7\x11\xc7\x5a\x61\xd4\xb1\xe5\x21\xf2\xe4\xfc\xfe\x04\x7e\xe0\xad\x59\x08\xea\xd4\x7f\xa3\x93\xff\xdd\x9f\x3c\x01\xe1\x32\x3f\x3a\xc8\x25\x6c\x88\x6e\x48\x24\x3c\x7e\x2f\x89\x7a\x07\x1d\xa7\xb1\xb7\xfd\xfb\x44\xea\x35\xb4\xdf\x42\xf1\xb6\xc4\x90\xd6\x63\x1f\xfe\x6b\x98\xf7\x81\xc9\x1f\xf0\x37\x96\x6f\x9c\xde\x09\xe3\x0b\x45\x84\x49\xd3\x31\x1f\xd0\x5f\x9a\xbf\xce\x71\x59\x8e\x93\xc4\xa1\x0f\xc8\xdd\xcb\xb7\xfc\xaf\xad\xa3\xda\x99\x9f\x76\x8e\x41\x64\xa9\x75\x28\x64\x7e\xa8\x33\x67\x37\xa3\xa0\xc8\x43\x4e\x56\xf0\x76\xf4\xc7\x51\x94\x56\xae\x47\xc6\xc0\xba\x11\x24\xf3\x5b\xde\x0f\x1d\x66\xe2\xad\x30\x7a\x5d\x69\x7d\x2d\x28\xef\x1e\xb9\x7f\xfc\x65\x76\x33\x7b\x5c\x64\xa3\x70\x09\x3d\x38\x17\xc0\x78\x3e\x85\x6f\x77\x1c\x46\x70\xf1\x0c\xbe\x03\xac\x07\x15\x46\x70\xfe\xa8\x23\x5f\x23\x8f\x0b\x74\xf4\x17\x9c\xd4\x97\xd6\xe7\xe5\xf2\xf4\xf4\xe4\x1f\xc0\x1f\x28\x8f\x19\x96\xcb\xd3\x57\x27\xec\xbd\x83\xff\xd9\x8d\xfe\x0e\x00\x00\xff\xff\x65\xbd\xb8\x11\x97\x0b\x00\x00") // FileArtifactsDefinitionsWindowsEventsProcessCreationYaml is "artifacts/definitions/Windows/Events/ProcessCreation.yaml" var FileArtifactsDefinitionsWindowsEventsProcessCreationYaml = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xd4\x94\xcf\x6f\xfa\x46\x10\xc5\xef\xfe\x2b\x9e\xa8\x2a\xa0\xe5\x47\x48\xd2\x54\x42\xf2\x21\x32\x8e\x62\x29\x01\x0a\x56\x38\xa2\xad\x19\xc2\xaa\xf6\xae\xb3\x3b\xc4\x42\x6d\xff\xf7\x6a\xbd\x40\x02\xb4\x4d\xa5\x9e\xbe\x73\x31\xc2\x33\xcf\xf3\x79\x33\xbb\x4a\x14\x34\xc4\x42\xaa\x95\xae\x6c\x2f\x7e\x27\xc5\xb6\x37\x35\x3a\x23\x6b\x23\x43\x82\xa5\x56\xc1\x8a\x6c\x66\x64\xe9\x7e\x0f\xf1\x47\x00\x44\x3a\xcf\x29\x63\x88\x3c\x47\xe9\x93\x91\xed\xb3\x41\x5e\x24\x08\x78\x57\xd2\x10\xd1\x53\x12\x8f\xd3\x65\xfc\x12\x8f\xd3\x20\x28\x85\x11\x05\x31\x19\x3b\x0c\x80\xef\x90\x6e\xa4\xc5\xdb\x96\xcc\x0e\x95\xcc\x73\x28\xcd\xb0\x44\x07\x55\xb2\xe0\x8d\x60\x64\xba\x28\x73\x62\x42\x25\x79\x23\x15\x06\xb0\x94\x69\xb5\xea\x05\x40\x17\x1e\xa2\x2a\xe4\x2f\x4e\x28\x00\x80\x15\xad\xc5\x36\xe7\x21\xe6\xf1\x53\x1c\xa5\xf8\x01\x0f\xb3\xc9\x33\x96\xcb\x44\x59\x16\x2a\xa3\x03\x5c\x8d\x8c\x45\x92\x3e\x26\x63\x0c\xb0\x78\x8c\x67\x71\xad\x00\xa4\xc2\xbc\x12\x1f\x0a\x90\xcc\xef\xd1\x5c\x48\x75\x73\xbd\xdc\x1b\xd4\x0c\xce\x19\xa4\xc5\x5a\x58\x26\x83\x5f\xb7\xae\x6b\xc5\x42\x2a\x8b\xdc\x19\xb4\x12\x2c\x7a\x48\xd6\xe0\xcd\x91\xaf\xae\x67\x32\x85\x54\x82\x1d\xac\xd6\x78\xdb\xca\xec\xb7\x7c\x87\x8a\x50\x48\x6b\x21\xd9\x3a\xfe\x42\xa8\x55\x2e\x15\x7d\x46\xae\xad\xfe\x12\xfa\xa4\xe7\x39\x0b\xc3\xa9\x11\x19\x05\x81\xd5\x5b\x93\x51\x3d\x89\x2e\x4a\x53\x3b\x2a\xeb\x29\xef\x1d\xd8\xeb\x4c\xe6\x78\x30\xba\x80\x54\x6b\xdd\x6a\xa3\xda\x90\x21\xf7\x67\x88\x66\xe5\x37\xa7\x59\x17\x38\x0f\xa4\xd7\x73\xd1\xad\x77\xc5\x47\xbf\x8f\x48\xab\x77\x32\x5c\xe3\xb3\x2c\xc8\xb2\x28\x4a\xac\x9d\xf0\x42\xaa\x07\x99\x53\x2a\x0b\x02\x6b\xc4\xa5\xce\x36\xbd\x63\xed\xbe\x8b\x63\x4d\x8b\xdc\xfb\x50\xb0\x96\x2d\xcb\x46\xaa\xd7\x70\x2a\x8c\xa5\x5e\x9a\x3c\xc7\xcb\x68\x16\xdf\xa7\xf1\xa8\x8d\x3e\x06\x57\x3e\xd0\xc5\x60\x70\x77\x7b\x7b\xfb\xf3\xcd\xdd\xd5\x15\xda\x10\x16\xe9\x41\xad\x73\xfc\xce\x3e\xbc\xd6\x54\x18\x52\xbc\x37\x2d\x19\xb9\x92\xe9\x34\x19\xfd\x53\xf6\x49\xde\x57\x69\x63\x51\x90\x4b\x74\xcf\x0e\x7e\x3f\xcf\x3d\x12\x47\x7e\xea\x4f\x52\xd1\x65\x4e\x3d\xda\xaa\x90\xad\xcb\x57\x7e\x12\xbb\xb0\xf1\x2f\x7b\xe0\x37\x1d\x1f\x8d\x87\x68\xe0\xc7\xbf\xd3\xc2\x5a\x9b\x42\x70\xcb\x3f\xc2\xc6\xf7\xef\x8d\x0e\x84\x79\xb5\xe1\x19\x7b\xfb\x82\xda\x85\xdb\x54\x5b\x8a\x8c\xc2\xc6\x6c\x32\x49\xfb\x51\xf2\xfc\x72\xdd\x68\x9f\xa7\xfe\x89\xfb\xf9\x67\xe0\x0b\xad\x6f\xde\xa6\xd3\x85\xfa\xff\x66\x79\xc1\x44\xad\x75\x70\x0e\xbb\xf4\x77\xf0\x09\xb3\x67\xfd\xb8\x31\x4e\xbe\x5f\x09\xc9\xe1\x4f\xfe\xb4\x74\xfc\x71\x1d\xe9\xfa\x32\x76\xa7\x0e\x7a\xcb\xbd\xe0\x3f\xb4\xf9\x57\x00\x00\x00\xff\xff\x21\xa8\xbf\xa9\x4e\x06\x00\x00") @@ -340,6 +340,9 @@ var FileArtifactsDefinitionsWindowsRegistryNTUserYaml = []byte("\x1f\x8b\x08\x00 // FileArtifactsDefinitionsWindowsRegistryNTUserUploadYaml is "artifacts/definitions/Windows/Registry/NTUser/Upload.yaml" var FileArtifactsDefinitionsWindowsRegistryNTUserUploadYaml = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x6c\x53\xdd\x6a\xdb\x4c\x10\xbd\xdf\xa7\x38\xf8\x26\x36\x5f\xa2\x07\x30\xf8\x22\x7c\x51\x08\x34\x75\xc0\x76\x30\x85\x40\x99\xac\xc6\xd6\xb6\xd2\xae\x3a\xb3\x8a\x63\x28\x7d\xf6\xb2\x2b\xe5\x47\xd0\xb9\x91\x18\xcd\x9c\x39\xe7\xcc\xc8\x53\xcb\x4b\xec\x9d\xaf\xc2\x49\x8b\x0d\x1f\x9d\x46\x39\x17\xeb\xdd\xa3\xb2\x14\x8f\x5d\x13\xa8\x32\x15\xab\x15\xd7\x45\x17\xfc\x12\xbf\x0d\xb0\xab\x9d\x82\x24\xba\x03\xd9\x08\x1b\x9a\x86\x6d\x54\x50\xd3\x20\xd6\x8c\x5e\x59\x2e\x14\x23\x48\x45\x11\x32\x02\xa3\x76\x2f\xac\x85\x31\xc0\xbe\x66\x0f\xca\xb5\x68\xc2\x51\xe1\x7c\x0c\x20\x9c\x06\x2e\x68\xc9\xd6\xce\x73\x06\xd4\xb3\x46\x6e\x61\x85\x29\xb2\xa6\x94\x13\x84\x93\x37\xc0\xac\x93\x70\x70\x0d\xcf\x70\xaa\x9d\xad\x61\x83\x57\xa7\x51\x11\x0e\xa0\xe9\x5c\xb4\xd4\x75\x5c\x0d\x83\x62\xcd\x06\xb8\xfb\x52\x7e\xfb\xfe\xb8\x2d\x37\xdb\x5c\x51\x0c\xca\x72\x71\x02\x85\x53\x34\xc1\xfe\xe4\x0a\x94\xde\xfc\x31\x3d\xdf\x24\xc2\xa9\x41\xe2\x7e\xcc\xa0\x59\xd5\xd4\x99\xe7\x73\x47\xaa\x03\xe3\x0c\xe4\xfc\x11\x2d\xdb\x9a\xbc\xd3\x16\xcf\x67\xf0\x6b\x14\xb2\x31\xe5\x07\x46\x53\xa7\xd0\x6b\xfa\x24\x74\xc2\x7a\x77\xbb\x45\x47\x92\x12\x05\xf6\xd9\x18\x8f\x1f\xbd\x46\xf4\x79\x4d\xd9\xfe\xdc\x65\x80\x41\x21\x94\xe5\x85\xa5\x30\xa6\x23\xa1\x96\x23\x8b\x2e\x0d\x70\x85\x61\xef\x49\xc5\x86\x8f\xfc\x6a\x00\xa0\xe2\x03\xf5\x4d\x5c\xa2\x30\x46\x43\x2f\x96\xc7\xe2\x4e\xd8\x06\x5f\xb9\x8f\x03\x48\xb1\x2d\xef\xcb\xff\x77\x78\xd8\xe2\x56\x42\x0b\xe7\x0f\x61\xbe\xc0\xa9\x66\xe1\x94\x5c\xe1\x62\x5c\xe5\x45\x6e\xf8\xd5\xb3\xb8\x01\x31\xc5\xd5\x3b\x0e\x70\x5f\xee\x32\x15\xc5\xea\x0d\x75\x4d\x2d\x5f\xe2\xc6\x09\xdb\x18\xe4\x9c\x6c\xbf\x0b\x2d\xdf\x38\x79\xef\x4a\x71\xbb\x79\xf8\x8a\xeb\xd1\xee\xe2\xed\x8c\xb7\x67\x2d\xd2\xe9\xe9\x7c\x31\xa9\xde\xdf\x95\x9b\xf2\x13\xe8\xf5\xfa\x26\x0f\xc2\xea\xcf\x27\x2b\xfe\x41\x70\x24\x35\xf8\x3c\x4f\x97\xb1\xe2\xd7\x8e\x7c\x35\xef\x28\xd6\xab\x91\xd9\x02\xff\x61\xf6\xf4\xe4\x63\x3f\x9e\xfd\xec\x72\x32\xfe\x23\xc8\x5a\x56\x0d\xb2\x9a\xf9\x78\xd0\xd9\x22\xc9\x1b\xff\xb5\x89\xb2\x6c\x8a\xf9\x1b\x00\x00\xff\xff\xb8\xc4\xb8\x1a\xa4\x03\x00\x00") +// FileArtifactsDefinitionsWindowsRegistryPortProxyYaml is "artifacts/definitions/Windows/Registry/PortProxy.yaml" +var FileArtifactsDefinitionsWindowsRegistryPortProxyYaml = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xec\x54\xc1\x6e\xdb\x46\x10\xbd\xf3\x2b\x06\x3a\xd4\x92\x6c\x53\x69\x2f\x45\x59\x08\xa8\x2b\xcb\x76\x60\x29\x76\x2d\x06\x81\x51\x07\xc6\x6a\x39\x14\x17\x21\x77\xe9\xd9\xa1\x64\xc2\xc9\xbf\x17\xbb\x14\x45\xa9\xa9\xd1\xf6\xd0\x43\x81\xe8\x20\x90\xc3\x99\xf7\x66\xde\xbc\x5d\x2d\x0a\x8c\xe0\x83\xd2\x89\xd9\xd8\xf0\x0e\x57\xca\x32\xd5\xe1\xad\x21\xbe\x25\xf3\x5c\x07\x09\x5a\x49\xaa\x64\x65\x74\x04\x9f\x03\x00\x80\xe1\xf0\xbc\x0b\x0e\x87\x11\xf8\x68\x9c\x29\x0b\x82\x58\xa5\x42\x32\x6c\x54\x9e\x03\x21\x57\xa4\x41\xe8\x1a\x14\x63\x61\x41\x69\xe0\x0c\x5b\x3a\xd8\xb1\x80\x45\x5a\x2b\x89\x0d\x12\x6d\xbb\x80\x52\x70\x16\x42\x9c\x21\x14\xc6\x32\x48\x53\x14\x46\x83\x34\x3a\x55\xab\x8a\x84\xa3\x07\x93\x02\x3b\xe6\x16\x41\x59\x58\x2b\xe1\x68\x3c\x56\x6e\xf2\xa5\xd2\xa0\x91\x6d\x16\xe2\x33\xfe\x0c\x73\x64\x61\x4b\xa3\x18\x84\x4e\xc0\x70\x86\xd4\x22\x0b\x66\x21\x3f\x01\x1b\x93\x5b\x10\xb9\x35\x90\x89\xf5\xb6\xa9\x43\xd6\xc2\x24\x55\x8e\x36\x0c\xb6\x82\xdc\x61\x8a\x84\x5a\xa2\x93\xe3\x77\x37\x17\x34\x83\x25\xc8\x28\x5d\xc9\x47\x9f\xd9\xcf\x98\xcb\x68\x34\xda\x6c\x36\x61\x92\x2a\xd2\x86\xd1\x86\x1a\x79\x54\x1a\xe2\xd2\x95\x3c\xee\x4a\x46\x03\x80\x96\xe0\x2c\x8e\xbf\x9b\x5c\x7b\xf4\xf8\xfb\x37\x3f\xbd\x81\x53\x98\x18\xad\x9b\xc4\x86\xeb\xa3\x07\xb7\xd1\x68\xd4\xcc\x11\x16\x8a\x09\x43\x43\xab\x11\xa3\xcc\xb4\x7a\xaa\xd0\x8e\x7c\xb5\x47\x76\xc0\x67\xc9\x1a\xc9\x0a\x52\x68\xa1\x10\x35\x54\x16\x41\xb8\x59\x5b\x64\xdf\x12\xb0\x81\x44\x11\x4a\x76\x42\x6e\x0c\x7d\x02\x26\x91\xa6\x4a\xc2\x12\x79\x83\xa8\x3d\x98\xad\xad\xdf\xb2\x21\x70\x16\x10\x16\x84\x06\xa5\x19\xa9\xc0\x44\x09\xaa\x21\x35\xb4\x43\x70\x9a\x57\x5a\x49\x2f\xa8\x75\x14\xc2\xc7\xdc\x56\x3c\x9c\x7b\x90\x46\x33\x99\xdc\x6f\x17\xc9\x27\xad\x8d\x4a\xda\x6e\xba\x46\x3d\x00\x67\xa8\x08\x94\x4e\x49\x58\xa6\x4a\x72\x45\x18\x7a\xac\x40\x54\x9c\x19\x8a\x60\x2e\x98\xe1\x92\x10\x35\x9c\xc2\x2f\xc5\xca\x3d\xfd\xf0\x63\x10\x94\x84\xd2\xe8\x44\x35\x3e\x5f\x4c\x67\xd3\x49\x0c\x37\x0b\xb8\x20\x53\x38\x44\xd3\x1f\xc0\x26\x43\x42\x17\x1c\xc3\xd1\xa6\xb1\xf0\x51\x10\x94\x82\x44\x81\x8c\x64\xa3\x00\x4e\xa1\x39\x50\xd7\x58\x5f\xe6\x66\xe9\xb8\x13\x4c\x45\x95\x73\x04\x57\xd7\xd3\xfb\xc7\xd9\xcd\xe4\x6c\xf6\x38\x3f\x9b\x5c\xbd\x7d\x37\x7d\x58\xdc\x2f\xe2\xe9\xfc\x61\x38\x69\xc6\x5c\x20\x0f\x1f\xb6\x46\xb6\x0f\xbb\xd3\xf1\x30\x1c\x06\x81\x35\x15\x49\xdc\xe7\xe8\xce\x28\x00\x3c\x55\xe8\x96\x18\xf9\x69\xe1\xb4\x9d\xe0\xa2\xca\xf3\x5b\xc1\xd9\x49\x13\x77\xbf\xa5\xb0\xe8\x00\xfa\xee\x74\x8d\x13\x45\xaf\xbc\xb4\xa5\x83\xc1\xc0\xad\xd2\x33\xc5\x75\x89\xff\x0c\xaa\xab\xde\x16\xb3\x91\x26\xdf\xab\x25\x5c\xe1\xf3\x23\x61\x99\x0b\x89\xfd\x66\xba\xf1\x21\xe0\x0e\xe3\x84\x70\xdc\x1b\xf5\x4e\xb6\xd9\xe3\x5e\xd4\xf3\xb0\x33\x65\x19\xb5\xd2\xab\xbf\xc3\x3d\x17\x2c\xc2\xb5\xc8\x2b\x7c\x0d\xea\x1c\x2d\x2b\xed\xbd\xb8\x07\xc6\xaa\x40\xcb\xa2\x28\xfb\x58\x1a\x99\x8d\xe7\x2e\x10\x5a\x94\xbe\x66\x6e\x12\x95\x2a\x4c\x62\x55\xec\xab\xe2\x44\x6a\xdf\x2e\xee\x6e\xe6\xb0\xca\xcd\xb2\xef\xfe\xec\x78\xeb\x8b\x13\x10\x52\xa2\xb5\x86\xc6\x3d\xc2\x55\x6f\xd0\xe6\x7f\xb8\x9a\xde\x4d\x1b\x84\x20\x20\x74\x97\x82\xdf\xe9\x29\x70\x5d\x62\x04\x93\xd9\xdb\xe9\xbb\xd8\x67\x33\x16\x65\x2e\x18\xdd\xad\xbc\x2d\xf7\xf7\xce\x85\xa1\x8d\xa0\x44\xe9\xd5\x9f\x2c\x02\x00\xe3\x57\x7f\xdb\x84\x97\x17\x08\xf7\x2e\x77\xf8\xf2\x65\xfb\xa1\xfb\x9e\x60\xaa\x34\x42\xaf\xe9\xae\xd7\xa5\x00\xc0\x6c\x1a\x43\x13\x87\x71\x6b\xc1\xdd\xee\xa1\xcb\x73\xbd\xee\xfc\x74\x18\xef\x76\x7a\x18\xdf\x5f\xd0\xe1\x97\x57\xd6\xb0\xcf\x01\xc7\xbb\x36\xe0\xb8\xa3\x80\xe3\x7d\x58\xb7\xd2\x45\x73\xf8\xae\xb1\xee\x80\xfc\x0e\x1b\x23\xb5\x7e\x3a\xda\x09\x7b\x34\xe8\x12\x2f\xef\x6e\xde\xdf\xc2\xaf\xf7\x5f\xa3\xbc\xbc\x00\xea\xe4\xaf\xd4\xfc\xad\x42\xaa\x3b\x31\xa1\xd7\xa9\xd6\xca\xd3\x09\xb8\xa7\xcd\x81\x1c\xfb\x0a\x34\xed\xb6\x78\x9f\x21\x16\xcb\x1c\x0f\x98\x5b\x2f\x5d\xbd\xff\x9f\x39\xe9\xe2\x29\xd1\x5f\x2d\xf8\x9b\xb7\xfe\xb5\xb7\xbc\x8e\xff\x81\xc3\xfe\x08\x00\x00\xff\xff\x92\x47\xcc\x28\x4c\x0a\x00\x00") + // FileArtifactsDefinitionsWindowsRegistrySysinternalsEulacheckYaml is "artifacts/definitions/Windows/Registry/Sysinternals/Eulacheck.yaml" var FileArtifactsDefinitionsWindowsRegistrySysinternalsEulacheckYaml = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x74\x53\xd1\x6e\xe3\x36\x10\x7c\xe7\x57\x0c\x8c\x02\xb6\x13\x47\x40\x5f\x8d\xea\xc1\x48\x15\xa4\xb0\x13\x07\x96\x8d\xa0\x88\x52\x83\x91\x56\x32\x11\x4a\x54\x97\x54\x5d\xa1\xe9\x7d\xfb\x81\x92\x73\x51\x7c\x77\x7e\xb1\x44\xce\xce\xce\xcc\xae\x2a\x59\xd2\x1c\x8f\xaa\xca\xcc\xd1\x06\x1b\x2a\x94\x75\xdc\x06\x71\x6b\x55\xe5\x88\x2b\xa9\x6d\x10\x35\x5a\xa6\x07\x4a\x5f\x45\x46\x36\x65\x55\x3b\x65\xaa\x39\xde\x04\x70\xed\x8f\x2d\x72\xc3\x70\x07\xc2\x22\x4d\xa9\x76\x94\x61\x58\x8f\x68\xb7\x5a\x20\x67\x53\x76\x18\x3e\xf5\xc0\x2b\xb5\x02\x18\xdd\x2e\xaf\x77\x49\x6c\x72\x77\x94\x4c\xc9\xb0\x30\x79\xda\xae\xd7\xab\xe7\x64\x14\x00\x8f\x07\xaa\x20\x3f\xf3\x3a\x63\x34\x94\x15\x40\xae\xd8\x3a\x70\x53\xc1\x78\x94\x6d\xad\xa3\x72\xd6\xb5\xeb\x9a\x97\x8d\x75\x78\x21\xc8\x93\xbe\x00\xdb\x83\xb2\x38\xb2\x72\x64\x21\x05\xf0\x8f\xd4\x0d\x21\x95\x5a\x53\x06\x6f\xf8\x9b\x95\xa6\xca\xc8\xbb\x93\xce\x2b\x0e\x84\x00\xee\x8d\xa3\x79\x4f\x21\xd9\xa9\x5c\xa6\x0e\x8d\x25\x8b\xdb\x65\xf4\xe7\x7e\x17\x47\x9b\x18\xb2\xca\x7c\x7f\xa6\xdc\x30\xe1\xa8\xb4\x46\x65\x1c\x32\x72\x94\x3a\x01\x8f\x67\xdb\xd3\x4a\xa6\xee\x2e\x6d\x98\xa9\x72\xba\x85\x36\x45\x41\x19\x4c\x15\x08\x51\x4b\x96\x25\x39\x62\x3b\x17\x00\xae\xd0\x8f\x6c\x98\xc4\x7e\x43\xc5\x7e\xd9\xc5\x09\x20\xa3\x5c\x36\xda\xcd\x07\x6a\x92\x8b\x9f\x24\x7c\x31\xa4\xf4\x92\x36\x54\xd0\xbf\x67\x3c\x81\x10\xd6\x34\x9c\x52\xa7\xe0\x0a\x35\x53\x6a\xaa\x4c\x75\x6b\xd0\x63\x11\x47\xab\xe8\x7a\x8b\x75\x8c\x1b\x3f\x68\x55\xe5\x66\x32\xc5\xd1\x07\xe0\x0f\x43\x8c\x8f\xfd\x8e\x8d\x45\x57\xf1\x77\x43\xac\x7a\x42\x4f\xf9\x76\xa2\x59\x45\xdb\x53\x32\xbf\x85\xef\x9c\xf7\xb2\xa4\x19\x76\xbb\x3f\x7e\x3f\x81\xfc\xef\x66\xb3\xbe\xc3\xe2\x14\x7e\xf0\xbe\xbf\x71\x6b\x83\x9d\x2f\x9f\x4c\x07\xd8\xc7\xdb\x68\x13\x75\x34\x08\xbf\x9c\xb9\xfc\x68\x7d\xea\xb6\xa4\x36\xe8\xa0\xd2\xe2\x81\x4d\xc1\xb2\xec\x04\x0c\xf8\x80\x0e\x75\xd3\x68\xfd\x20\xdd\xc1\x23\x97\xd4\x9e\x21\x9c\x2a\xc9\x3a\x59\xd6\x13\xaa\x4d\x7a\x08\x7d\xc5\x9d\x3f\x0c\x62\x4a\xa7\x58\xc4\xd8\xaa\x92\xde\xb7\xec\xac\xf8\xbf\xcf\xaf\x1f\xea\x3a\x65\x9d\xf7\x3e\xa5\xde\x9a\xcf\x26\x64\xef\x69\xcf\x54\x6b\x99\xd2\xe4\x3b\x02\x00\xfd\x10\xc3\xa1\xf6\x19\x98\xc2\x51\x70\x99\x24\x49\x32\x89\xaf\x9e\xfe\xf2\x0f\xcf\x97\x53\xff\x17\x5c\x8e\xfc\x75\xc7\x17\x8e\x7e\xf9\x75\x34\xfd\x4c\xfa\xbf\x37\xee\xd3\x3e\x13\x3f\xfc\x7a\xc4\x60\x5a\x4c\x32\xdb\x33\x15\xfb\x57\x6a\x27\x85\x36\x2f\x36\xb4\xb5\x56\x6e\x62\x1d\xab\xaa\x08\x7f\xb4\xd1\x33\x58\xaa\xc3\xf1\xec\x29\x49\xec\xf3\xc5\x78\x3a\x15\x5f\x03\x00\x00\xff\xff\x4f\x6d\x2e\x98\xb1\x04\x00\x00") @@ -4301,6 +4304,40 @@ func Init() { + rb = bytes.NewReader(FileArtifactsDefinitionsWindowsRegistryPortProxyYaml) + r, err = gzip.NewReader(rb) + if err != nil { + panic(err) + } + + err = r.Close() + if err != nil { + panic(err) + } + + + + f, err = FS.OpenFile(CTX, "artifacts/definitions/Windows/Registry/PortProxy.yaml", os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0777) + if err != nil { + panic(err) + } + + + + _, err = io.Copy(f, r) + if err != nil { + panic(err) + } + + + + err = f.Close() + if err != nil { + panic(err) + } + + + rb = bytes.NewReader(FileArtifactsDefinitionsWindowsRegistrySysinternalsEulacheckYaml) r, err = gzip.NewReader(rb) if err != nil { diff --git a/bin/repack.go b/bin/repack.go index f888292446e..900ac1729f7 100644 --- a/bin/repack.go +++ b/bin/repack.go @@ -20,6 +20,7 @@ package main import ( "bytes" "compress/zlib" + "encoding/binary" "fmt" "io/ioutil" "os" @@ -43,6 +44,10 @@ var ( "config_file", "The filename to write into the binary."). Required().String() + repack_command_append = repack_command.Flag( + "append", "If provided we append the file to the output binary."). + File() + repack_command_output = repack_command.Arg( "output", "The filename to write the repacked binary."). Required().String() @@ -90,7 +95,7 @@ func doRepack() { err = validate_config(config_data) kingpin.FatalIfError(err, "Config file invalid") - // Compres1s the string. + // Compress the string. var b bytes.Buffer w := zlib.NewWriter(&b) w.Write(config_data) @@ -125,6 +130,36 @@ func doRepack() { data, err := ioutil.ReadAll(fd) kingpin.FatalIfError(err, "Unable to read executable") + if repack_command_append != nil { + // A PE file - adjust the size of the .rsrc section to + // cover the entire binary. + if string(data[0:2]) == "MZ" { + stat, err := (*repack_command_append).Stat() + kingpin.FatalIfError(err, "Unable to read appended file") + + end_of_file := int64(len(data)) + stat.Size() + + // This is the IMAGE_SECTION_HEADER.Name which + // is also the start of IMAGE_SECTION_HEADER. + offset_to_rsrc := bytes.Index(data, []byte(".rsrc")) + + // Found it. + if offset_to_rsrc > 0 { + // IMAGE_SECTION_HEADER.PointerToRawData is a 32 bit int. + start_of_rsrc_section := binary.LittleEndian.Uint32( + data[offset_to_rsrc+20:]) + size_of_raw_data := uint32(end_of_file) - start_of_rsrc_section + binary.LittleEndian.PutUint32( + data[offset_to_rsrc+16:], size_of_raw_data) + } + } + + appended, err := ioutil.ReadAll(*repack_command_append) + kingpin.FatalIfError(err, "Unable to read appended file") + + data = append(data, appended...) + } + match := embedded_re.FindIndex(data) if match == nil { kingpin.Fatalf("I can not seem to locate the embedding config????") diff --git a/config/ab0x.go b/config/ab0x.go index 749a5fe0c05..bddb6dea7fa 100644 --- a/config/ab0x.go +++ b/config/ab0x.go @@ -1,4 +1,4 @@ -// Code generated by fileb0x at "2019-10-25 18:05:12.078115385 +1000 AEST m=+0.004521939" from config file "b0x.yaml" DO NOT EDIT. +// Code generated by fileb0x at "2019-10-29 08:27:22.983389012 +1000 AEST m=+0.005913198" from config file "b0x.yaml" DO NOT EDIT. // modification hash(3184389c950c2d48b66a881c382b38ef.ea5b8bd20838e2674529c3f22d14d097) package config diff --git a/docs/rsrc_386.syso b/docs/rsrc_386.syso new file mode 100644 index 00000000000..f7a585fe16a Binary files /dev/null and b/docs/rsrc_386.syso differ diff --git a/docs/rsrc_amd64.syso b/docs/rsrc_amd64.syso new file mode 100644 index 00000000000..c4d96a86743 Binary files /dev/null and b/docs/rsrc_amd64.syso differ diff --git a/go.mod b/go.mod index 364bfbfdb6c..008d88a8e73 100644 --- a/go.mod +++ b/go.mod @@ -34,7 +34,6 @@ require ( github.com/fastly/go-utils v0.0.0-20180712184237-d95a45783239 // indirect github.com/go-ole/go-ole v1.2.4 github.com/go-sql-driver/mysql v1.4.1 // indirect - github.com/golang/groupcache v0.0.0-20191002201903-404acd9df4cc // indirect github.com/golang/mock v1.3.1 github.com/golang/protobuf v1.3.2 github.com/golangplus/bytes v0.0.0-20160111154220-45c989fe5450 // indirect @@ -82,7 +81,6 @@ require ( github.com/tink-ab/tempfile v0.0.0-20180226111222-33beb0518f1a github.com/xor-gate/ar v0.0.0-20170530204233-5c72ae81e2b7 // indirect github.com/xor-gate/debpkg v0.0.0-20181217150151-a0c70a3d4213 - go.opencensus.io v0.22.1 // indirect golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550 golang.org/x/exp v0.0.0-20191014171548-69215a2ee97e // indirect golang.org/x/net v0.0.0-20191021144547-ec77196f6094 diff --git a/go.sum b/go.sum index fc10d8fe9ce..64eb3c581a0 100644 --- a/go.sum +++ b/go.sum @@ -55,6 +55,7 @@ github.com/Velocidex/survey v1.8.7-0.20190926071832-2ff99cc7aa49 h1:TJVN1zYl5sKJ github.com/Velocidex/survey v1.8.7-0.20190926071832-2ff99cc7aa49/go.mod h1:kfPUQ2gP0xtIydiR52dirNYt4OvCr+iZuepL4XaIk58= github.com/Velocidex/yaml v0.0.0-20190812045153-ad0acda9eea0 h1:rFd07P9lqQPsmgPVvS0crnGpq63eFyd7qQyyvLgBrMY= github.com/Velocidex/yaml v0.0.0-20190812045153-ad0acda9eea0/go.mod h1:LVK71wXgKJYbhcGaK+QDA6QM+yLgcO21ZihAoxAdMak= +github.com/akavel/rsrc v0.8.0 h1:zjWn7ukO9Kc5Q62DOJCcxGpXC18RawVtYAGdz2aLlfw= github.com/akavel/rsrc v0.8.0/go.mod h1:uLoCtb9J+EyAqh+26kdrTgmzRBFPGOolLWKpdxkKq+c= github.com/alecthomas/assert v0.0.0-20170929043011-405dbfeb8e38 h1:smF2tmSOzy2Mm+0dGI2AIUHY+w0BUc+4tn40djz7+6U= github.com/alecthomas/assert v0.0.0-20170929043011-405dbfeb8e38/go.mod h1:r7bzyVFMNntcxPZXK3/+KdruV1H5KSlyVY0gc+NgInI= @@ -139,9 +140,6 @@ github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/me github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= -github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/groupcache v0.0.0-20191002201903-404acd9df4cc h1:55rEp52jU6bkyslZ1+C/7NGfpQsEc6pxGLAGDOctqbw= -github.com/golang/groupcache v0.0.0-20191002201903-404acd9df4cc/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= github.com/golang/mock v1.3.1 h1:qGJ6qTW+x6xX/my+8YUVl4WNpX9B7+/l2tRsHGZ7f2s= @@ -348,8 +346,6 @@ github.com/xor-gate/debpkg v0.0.0-20181217150151-a0c70a3d4213/go.mod h1:SoEebpbm go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.22.0 h1:C9hSCOW830chIVkdja34wa6Ky+IzWllkUinR+BtRZd4= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= -go.opencensus.io v0.22.1 h1:8dP3SGL7MPB94crU3bEPplMPe83FI4EouesJUeFHv50= -go.opencensus.io v0.22.1/go.mod h1:Ap50jQcDJrx6rB6VgeeFPtuPIf3wMRvRfrfYDO6+BmA= golang.org/x/arch v0.0.0-20190927153633-4e8777c89be4 h1:QlVATYS7JBoZMVaf+cNjb90WD/beKVHnIxFKT4QaHVI= golang.org/x/arch v0.0.0-20190927153633-4e8777c89be4/go.mod h1:flIaEI6LNU6xOCD5PaJvn9wGP0agmIOqjrtsKGRguv4= golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= diff --git a/magefile.go b/magefile.go index 1fcdf265b6d..20a6f866c89 100644 --- a/magefile.go +++ b/magefile.go @@ -104,11 +104,38 @@ func (self *Builder) Env() map[string]string { return env } +// Make sure the correct version of the syso file is present. If we +// are building for non windows platforms we need to remove it +// completely. +func (self Builder) ensureSyso() error { + sh.Rm("bin/rsrc.syso") + + if self.goos == "windows" { + switch self.arch { + case "386": + err := sh.Copy("bin/rsrc.syso", "docs/rsrc_386.syso") + if err != nil { + return err + } + case "amd64": + err := sh.Copy("bin/rsrc.syso", "docs/rsrc_amd64.syso") + if err != nil { + return err + } + + } + } + + return nil +} + func (self Builder) Run() error { if err := os.Mkdir("output", 0700); err != nil && !os.IsExist(err) { return fmt.Errorf("failed to create output: %v", err) } + self.ensureSyso() + err := ensure_assets() if err != nil { return err diff --git a/third_party/zip/README.txt b/third_party/zip/README.txt new file mode 100644 index 00000000000..e23740de10d --- /dev/null +++ b/third_party/zip/README.txt @@ -0,0 +1,6 @@ +This is a fork on archive/zip from the standard library with a number +of bugfixes: + +* Support extra bytes before zip file (see issue https://github.com/golang/go/issues/10464) + +Includes patch by Phil Webb philwebb https://github.com/philwebb/go/commit/b1b65c2b4cd85f1a67c3c5c8cf40254030c7cab4 diff --git a/third_party/zip/reader.go b/third_party/zip/reader.go new file mode 100644 index 00000000000..27d4855d928 --- /dev/null +++ b/third_party/zip/reader.go @@ -0,0 +1,618 @@ +// Copyright 2010 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package zip + +import ( + "bufio" + "encoding/binary" + "errors" + "fmt" + "hash" + "hash/crc32" + "io" + "os" + "time" +) + +var ( + ErrFormat = errors.New("zip: not a valid zip file") + ErrAlgorithm = errors.New("zip: unsupported compression algorithm") + ErrChecksum = errors.New("zip: checksum error") +) + +type Reader struct { + r io.ReaderAt + File []*File + Comment string + decompressors map[uint16]Decompressor +} + +type ReadCloser struct { + f *os.File + Reader +} + +type File struct { + FileHeader + zip *Reader + zipr io.ReaderAt + zipsize int64 + headerOffset int64 +} + +func (f *File) hasDataDescriptor() bool { + return f.Flags&0x8 != 0 +} + +// OpenReader will open the Zip file specified by name and return a ReadCloser. +func OpenReader(name string) (*ReadCloser, error) { + f, err := os.Open(name) + if err != nil { + return nil, err + } + fi, err := f.Stat() + if err != nil { + f.Close() + return nil, err + } + r := new(ReadCloser) + if err := r.init(f, fi.Size()); err != nil { + f.Close() + return nil, err + } + r.f = f + return r, nil +} + +// NewReader returns a new Reader reading from r, which is assumed to +// have the given size in bytes. +func NewReader(r io.ReaderAt, size int64) (*Reader, error) { + if size < 0 { + return nil, errors.New("zip: size cannot be negative") + } + zr := new(Reader) + if err := zr.init(r, size); err != nil { + return nil, err + } + return zr, nil +} + +func (z *Reader) init(r io.ReaderAt, size int64) error { + end, startOfArchive, err := readDirectoryEnd(r, size) + if err != nil { + return err + } + if end.directoryRecords > uint64(size)/fileHeaderLen { + return fmt.Errorf("archive/zip: TOC declares impossible %d files in %d byte zip", end.directoryRecords, size) + } + z.r = r + z.File = make([]*File, 0, end.directoryRecords) + z.Comment = end.comment + rs := io.NewSectionReader(r, 0, size) + if _, err = rs.Seek(int64(end.directoryOffset+startOfArchive), io.SeekStart); err != nil { + return err + } + buf := bufio.NewReader(rs) + + // The count of files inside a zip is truncated to fit in a uint16. + // Gloss over this by reading headers until we encounter + // a bad one, and then only report an ErrFormat or UnexpectedEOF if + // the file count modulo 65536 is incorrect. + for { + f := &File{zip: z, zipr: r, zipsize: size} + err = readDirectoryHeader(f, buf, int64(startOfArchive)) + if err == ErrFormat || err == io.ErrUnexpectedEOF { + break + } + if err != nil { + return err + } + z.File = append(z.File, f) + } + if uint16(len(z.File)) != uint16(end.directoryRecords) { // only compare 16 bits here + // Return the readDirectoryHeader error if we read + // the wrong number of directory entries. + return err + } + return nil +} + +// RegisterDecompressor registers or overrides a custom decompressor for a +// specific method ID. If a decompressor for a given method is not found, +// Reader will default to looking up the decompressor at the package level. +func (z *Reader) RegisterDecompressor(method uint16, dcomp Decompressor) { + if z.decompressors == nil { + z.decompressors = make(map[uint16]Decompressor) + } + z.decompressors[method] = dcomp +} + +func (z *Reader) decompressor(method uint16) Decompressor { + dcomp := z.decompressors[method] + if dcomp == nil { + dcomp = decompressor(method) + } + return dcomp +} + +// Close closes the Zip file, rendering it unusable for I/O. +func (rc *ReadCloser) Close() error { + return rc.f.Close() +} + +// DataOffset returns the offset of the file's possibly-compressed +// data, relative to the beginning of the zip file. +// +// Most callers should instead use Open, which transparently +// decompresses data and verifies checksums. +func (f *File) DataOffset() (offset int64, err error) { + bodyOffset, err := f.findBodyOffset() + if err != nil { + return + } + return f.headerOffset + bodyOffset, nil +} + +// Open returns a ReadCloser that provides access to the File's contents. +// Multiple files may be read concurrently. +func (f *File) Open() (io.ReadCloser, error) { + bodyOffset, err := f.findBodyOffset() + if err != nil { + return nil, err + } + size := int64(f.CompressedSize64) + r := io.NewSectionReader(f.zipr, f.headerOffset+bodyOffset, size) + dcomp := f.zip.decompressor(f.Method) + if dcomp == nil { + return nil, ErrAlgorithm + } + var rc io.ReadCloser = dcomp(r) + var desr io.Reader + if f.hasDataDescriptor() { + desr = io.NewSectionReader(f.zipr, f.headerOffset+bodyOffset+size, dataDescriptorLen) + } + rc = &checksumReader{ + rc: rc, + hash: crc32.NewIEEE(), + f: f, + desr: desr, + } + return rc, nil +} + +type checksumReader struct { + rc io.ReadCloser + hash hash.Hash32 + nread uint64 // number of bytes read so far + f *File + desr io.Reader // if non-nil, where to read the data descriptor + err error // sticky error +} + +func (r *checksumReader) Read(b []byte) (n int, err error) { + if r.err != nil { + return 0, r.err + } + n, err = r.rc.Read(b) + r.hash.Write(b[:n]) + r.nread += uint64(n) + if err == nil { + return + } + if err == io.EOF { + if r.nread != r.f.UncompressedSize64 { + return 0, io.ErrUnexpectedEOF + } + if r.desr != nil { + if err1 := readDataDescriptor(r.desr, r.f); err1 != nil { + if err1 == io.EOF { + err = io.ErrUnexpectedEOF + } else { + err = err1 + } + } else if r.hash.Sum32() != r.f.CRC32 { + err = ErrChecksum + } + } else { + // If there's not a data descriptor, we still compare + // the CRC32 of what we've read against the file header + // or TOC's CRC32, if it seems like it was set. + if r.f.CRC32 != 0 && r.hash.Sum32() != r.f.CRC32 { + err = ErrChecksum + } + } + } + r.err = err + return +} + +func (r *checksumReader) Close() error { return r.rc.Close() } + +// findBodyOffset does the minimum work to verify the file has a header +// and returns the file body offset. +func (f *File) findBodyOffset() (int64, error) { + var buf [fileHeaderLen]byte + if _, err := f.zipr.ReadAt(buf[:], f.headerOffset); err != nil { + return 0, err + } + b := readBuf(buf[:]) + if sig := b.uint32(); sig != fileHeaderSignature { + return 0, ErrFormat + } + b = b[22:] // skip over most of the header + filenameLen := int(b.uint16()) + extraLen := int(b.uint16()) + return int64(fileHeaderLen + filenameLen + extraLen), nil +} + +// readDirectoryHeader attempts to read a directory header from r. +// It returns io.ErrUnexpectedEOF if it cannot read a complete header, +// and ErrFormat if it doesn't find a valid header signature. +func readDirectoryHeader(f *File, r io.Reader, startOfArchive int64) error { + var buf [directoryHeaderLen]byte + if _, err := io.ReadFull(r, buf[:]); err != nil { + return err + } + b := readBuf(buf[:]) + if sig := b.uint32(); sig != directoryHeaderSignature { + return ErrFormat + } + f.CreatorVersion = b.uint16() + f.ReaderVersion = b.uint16() + f.Flags = b.uint16() + f.Method = b.uint16() + f.ModifiedTime = b.uint16() + f.ModifiedDate = b.uint16() + f.CRC32 = b.uint32() + f.CompressedSize = b.uint32() + f.UncompressedSize = b.uint32() + f.CompressedSize64 = uint64(f.CompressedSize) + f.UncompressedSize64 = uint64(f.UncompressedSize) + filenameLen := int(b.uint16()) + extraLen := int(b.uint16()) + commentLen := int(b.uint16()) + b = b[4:] // skipped start disk number and internal attributes (2x uint16) + f.ExternalAttrs = b.uint32() + f.headerOffset = int64(b.uint32()) + startOfArchive + d := make([]byte, filenameLen+extraLen+commentLen) + if _, err := io.ReadFull(r, d); err != nil { + return err + } + f.Name = string(d[:filenameLen]) + f.Extra = d[filenameLen : filenameLen+extraLen] + f.Comment = string(d[filenameLen+extraLen:]) + + // Determine the character encoding. + utf8Valid1, utf8Require1 := detectUTF8(f.Name) + utf8Valid2, utf8Require2 := detectUTF8(f.Comment) + switch { + case !utf8Valid1 || !utf8Valid2: + // Name and Comment definitely not UTF-8. + f.NonUTF8 = true + case !utf8Require1 && !utf8Require2: + // Name and Comment use only single-byte runes that overlap with UTF-8. + f.NonUTF8 = false + default: + // Might be UTF-8, might be some other encoding; preserve existing flag. + // Some ZIP writers use UTF-8 encoding without setting the UTF-8 flag. + // Since it is impossible to always distinguish valid UTF-8 from some + // other encoding (e.g., GBK or Shift-JIS), we trust the flag. + f.NonUTF8 = f.Flags&0x800 == 0 + } + + needUSize := f.UncompressedSize == ^uint32(0) + needCSize := f.CompressedSize == ^uint32(0) + needHeaderOffset := f.headerOffset == int64(^uint32(0)) + + // Best effort to find what we need. + // Other zip authors might not even follow the basic format, + // and we'll just ignore the Extra content in that case. + var modified time.Time +parseExtras: + for extra := readBuf(f.Extra); len(extra) >= 4; { // need at least tag and size + fieldTag := extra.uint16() + fieldSize := int(extra.uint16()) + if len(extra) < fieldSize { + break + } + fieldBuf := extra.sub(fieldSize) + + switch fieldTag { + case zip64ExtraID: + // update directory values from the zip64 extra block. + // They should only be consulted if the sizes read earlier + // are maxed out. + // See golang.org/issue/13367. + if needUSize { + needUSize = false + if len(fieldBuf) < 8 { + return ErrFormat + } + f.UncompressedSize64 = fieldBuf.uint64() + } + if needCSize { + needCSize = false + if len(fieldBuf) < 8 { + return ErrFormat + } + f.CompressedSize64 = fieldBuf.uint64() + } + if needHeaderOffset { + needHeaderOffset = false + if len(fieldBuf) < 8 { + return ErrFormat + } + f.headerOffset = int64(fieldBuf.uint64()) + } + case ntfsExtraID: + if len(fieldBuf) < 4 { + continue parseExtras + } + fieldBuf.uint32() // reserved (ignored) + for len(fieldBuf) >= 4 { // need at least tag and size + attrTag := fieldBuf.uint16() + attrSize := int(fieldBuf.uint16()) + if len(fieldBuf) < attrSize { + continue parseExtras + } + attrBuf := fieldBuf.sub(attrSize) + if attrTag != 1 || attrSize != 24 { + continue // Ignore irrelevant attributes + } + + const ticksPerSecond = 1e7 // Windows timestamp resolution + ts := int64(attrBuf.uint64()) // ModTime since Windows epoch + secs := int64(ts / ticksPerSecond) + nsecs := (1e9 / ticksPerSecond) * int64(ts%ticksPerSecond) + epoch := time.Date(1601, time.January, 1, 0, 0, 0, 0, time.UTC) + modified = time.Unix(epoch.Unix()+secs, nsecs) + } + case unixExtraID, infoZipUnixExtraID: + if len(fieldBuf) < 8 { + continue parseExtras + } + fieldBuf.uint32() // AcTime (ignored) + ts := int64(fieldBuf.uint32()) // ModTime since Unix epoch + modified = time.Unix(ts, 0) + case extTimeExtraID: + if len(fieldBuf) < 5 || fieldBuf.uint8()&1 == 0 { + continue parseExtras + } + ts := int64(fieldBuf.uint32()) // ModTime since Unix epoch + modified = time.Unix(ts, 0) + } + } + + msdosModified := msDosTimeToTime(f.ModifiedDate, f.ModifiedTime) + f.Modified = msdosModified + if !modified.IsZero() { + f.Modified = modified.UTC() + + // If legacy MS-DOS timestamps are set, we can use the delta between + // the legacy and extended versions to estimate timezone offset. + // + // A non-UTC timezone is always used (even if offset is zero). + // Thus, FileHeader.Modified.Location() == time.UTC is useful for + // determining whether extended timestamps are present. + // This is necessary for users that need to do additional time + // calculations when dealing with legacy ZIP formats. + if f.ModifiedTime != 0 || f.ModifiedDate != 0 { + f.Modified = modified.In(timeZone(msdosModified.Sub(modified))) + } + } + + // Assume that uncompressed size 2³²-1 could plausibly happen in + // an old zip32 file that was sharding inputs into the largest chunks + // possible (or is just malicious; search the web for 42.zip). + // If needUSize is true still, it means we didn't see a zip64 extension. + // As long as the compressed size is not also 2³²-1 (implausible) + // and the header is not also 2³²-1 (equally implausible), + // accept the uncompressed size 2³²-1 as valid. + // If nothing else, this keeps archive/zip working with 42.zip. + _ = needUSize + + if needCSize || needHeaderOffset { + return ErrFormat + } + + return nil +} + +func readDataDescriptor(r io.Reader, f *File) error { + var buf [dataDescriptorLen]byte + + // The spec says: "Although not originally assigned a + // signature, the value 0x08074b50 has commonly been adopted + // as a signature value for the data descriptor record. + // Implementers should be aware that ZIP files may be + // encountered with or without this signature marking data + // descriptors and should account for either case when reading + // ZIP files to ensure compatibility." + // + // dataDescriptorLen includes the size of the signature but + // first read just those 4 bytes to see if it exists. + if _, err := io.ReadFull(r, buf[:4]); err != nil { + return err + } + off := 0 + maybeSig := readBuf(buf[:4]) + if maybeSig.uint32() != dataDescriptorSignature { + // No data descriptor signature. Keep these four + // bytes. + off += 4 + } + if _, err := io.ReadFull(r, buf[off:12]); err != nil { + return err + } + b := readBuf(buf[:12]) + if b.uint32() != f.CRC32 { + return ErrChecksum + } + + // The two sizes that follow here can be either 32 bits or 64 bits + // but the spec is not very clear on this and different + // interpretations has been made causing incompatibilities. We + // already have the sizes from the central directory so we can + // just ignore these. + + return nil +} + +func readDirectoryEnd(r io.ReaderAt, size int64) ( + dir *directoryEnd, startOfArchive uint64, err error) { + // look for directoryEndSignature in the last 1k, then in the last 65k + var buf []byte + var directoryEndOffset int64 + for i, bLen := range []int64{1024, 65 * 1024} { + if bLen > size { + bLen = size + } + buf = make([]byte, int(bLen)) + if _, err := r.ReadAt(buf, size-bLen); err != nil && err != io.EOF { + return nil, 0, err + } + if p := findSignatureInBlock(buf); p >= 0 { + buf = buf[p:] + directoryEndOffset = size - bLen + int64(p) + break + } + if i == 1 || bLen == size { + return nil, 0, ErrFormat + } + } + + // read header into struct + b := readBuf(buf[4:]) // skip signature + d := &directoryEnd{ + diskNbr: uint32(b.uint16()), + dirDiskNbr: uint32(b.uint16()), + dirRecordsThisDisk: uint64(b.uint16()), + directoryRecords: uint64(b.uint16()), + directorySize: uint64(b.uint32()), + directoryOffset: uint64(b.uint32()), + commentLen: b.uint16(), + } + l := int(d.commentLen) + if l > len(b) { + return nil, 0, errors.New("zip: invalid comment length") + } + d.comment = string(b[:l]) + + // Calculate where the zip data actually begins + startOfArchive = uint64(directoryEndOffset) - d.directorySize - d.directoryOffset + + // These values mean that the file can be a zip64 file + if d.directoryRecords == 0xffff || d.directorySize == 0xffff || d.directoryOffset == 0xffffffff { + p, err := findDirectory64End(r, directoryEndOffset) + if err == nil && p >= 0 { + startOfArchive = 0 // Prefixed data not supported + err = readDirectory64End(r, p, d) + } + if err != nil { + return nil, 0, err + } + } + // Make sure directoryOffset points to somewhere in our file. + if o := int64(d.directoryOffset); o < 0 || o >= size { + return nil, 0, ErrFormat + } + return d, startOfArchive, nil +} + +// findDirectory64End tries to read the zip64 locator just before the +// directory end and returns the offset of the zip64 directory end if +// found. +func findDirectory64End(r io.ReaderAt, directoryEndOffset int64) (int64, error) { + locOffset := directoryEndOffset - directory64LocLen + if locOffset < 0 { + return -1, nil // no need to look for a header outside the file + } + buf := make([]byte, directory64LocLen) + if _, err := r.ReadAt(buf, locOffset); err != nil { + return -1, err + } + b := readBuf(buf) + if sig := b.uint32(); sig != directory64LocSignature { + return -1, nil + } + if b.uint32() != 0 { // number of the disk with the start of the zip64 end of central directory + return -1, nil // the file is not a valid zip64-file + } + p := b.uint64() // relative offset of the zip64 end of central directory record + if b.uint32() != 1 { // total number of disks + return -1, nil // the file is not a valid zip64-file + } + return int64(p), nil +} + +// readDirectory64End reads the zip64 directory end and updates the +// directory end with the zip64 directory end values. +func readDirectory64End(r io.ReaderAt, offset int64, d *directoryEnd) (err error) { + buf := make([]byte, directory64EndLen) + if _, err := r.ReadAt(buf, offset); err != nil { + return err + } + + b := readBuf(buf) + if sig := b.uint32(); sig != directory64EndSignature { + return ErrFormat + } + + b = b[12:] // skip dir size, version and version needed (uint64 + 2x uint16) + d.diskNbr = b.uint32() // number of this disk + d.dirDiskNbr = b.uint32() // number of the disk with the start of the central directory + d.dirRecordsThisDisk = b.uint64() // total number of entries in the central directory on this disk + d.directoryRecords = b.uint64() // total number of entries in the central directory + d.directorySize = b.uint64() // size of the central directory + d.directoryOffset = b.uint64() // offset of start of central directory with respect to the starting disk number + + return nil +} + +func findSignatureInBlock(b []byte) int { + for i := len(b) - directoryEndLen; i >= 0; i-- { + // defined from directoryEndSignature in struct.go + if b[i] == 'P' && b[i+1] == 'K' && b[i+2] == 0x05 && b[i+3] == 0x06 { + // n is length of comment + n := int(b[i+directoryEndLen-2]) | int(b[i+directoryEndLen-1])<<8 + if n+directoryEndLen+i <= len(b) { + return i + } + } + } + return -1 +} + +type readBuf []byte + +func (b *readBuf) uint8() uint8 { + v := (*b)[0] + *b = (*b)[1:] + return v +} + +func (b *readBuf) uint16() uint16 { + v := binary.LittleEndian.Uint16(*b) + *b = (*b)[2:] + return v +} + +func (b *readBuf) uint32() uint32 { + v := binary.LittleEndian.Uint32(*b) + *b = (*b)[4:] + return v +} + +func (b *readBuf) uint64() uint64 { + v := binary.LittleEndian.Uint64(*b) + *b = (*b)[8:] + return v +} + +func (b *readBuf) sub(n int) readBuf { + b2 := (*b)[:n] + *b = (*b)[n:] + return b2 +} diff --git a/third_party/zip/register.go b/third_party/zip/register.go new file mode 100644 index 00000000000..51e9c3e4d4b --- /dev/null +++ b/third_party/zip/register.go @@ -0,0 +1,148 @@ +// Copyright 2010 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package zip + +import ( + "compress/flate" + "errors" + "io" + "io/ioutil" + "sync" +) + +// A Compressor returns a new compressing writer, writing to w. +// The WriteCloser's Close method must be used to flush pending data to w. +// The Compressor itself must be safe to invoke from multiple goroutines +// simultaneously, but each returned writer will be used only by +// one goroutine at a time. +type Compressor func(w io.Writer) (io.WriteCloser, error) + +// A Decompressor returns a new decompressing reader, reading from r. +// The ReadCloser's Close method must be used to release associated resources. +// The Decompressor itself must be safe to invoke from multiple goroutines +// simultaneously, but each returned reader will be used only by +// one goroutine at a time. +type Decompressor func(r io.Reader) io.ReadCloser + +var flateWriterPool sync.Pool + +func newFlateWriter(w io.Writer) io.WriteCloser { + fw, ok := flateWriterPool.Get().(*flate.Writer) + if ok { + fw.Reset(w) + } else { + fw, _ = flate.NewWriter(w, 5) + } + return &pooledFlateWriter{fw: fw} +} + +type pooledFlateWriter struct { + mu sync.Mutex // guards Close and Write + fw *flate.Writer +} + +func (w *pooledFlateWriter) Write(p []byte) (n int, err error) { + w.mu.Lock() + defer w.mu.Unlock() + if w.fw == nil { + return 0, errors.New("Write after Close") + } + return w.fw.Write(p) +} + +func (w *pooledFlateWriter) Close() error { + w.mu.Lock() + defer w.mu.Unlock() + var err error + if w.fw != nil { + err = w.fw.Close() + flateWriterPool.Put(w.fw) + w.fw = nil + } + return err +} + +var flateReaderPool sync.Pool + +func newFlateReader(r io.Reader) io.ReadCloser { + fr, ok := flateReaderPool.Get().(io.ReadCloser) + if ok { + fr.(flate.Resetter).Reset(r, nil) + } else { + fr = flate.NewReader(r) + } + return &pooledFlateReader{fr: fr} +} + +type pooledFlateReader struct { + mu sync.Mutex // guards Close and Read + fr io.ReadCloser +} + +func (r *pooledFlateReader) Read(p []byte) (n int, err error) { + r.mu.Lock() + defer r.mu.Unlock() + if r.fr == nil { + return 0, errors.New("Read after Close") + } + return r.fr.Read(p) +} + +func (r *pooledFlateReader) Close() error { + r.mu.Lock() + defer r.mu.Unlock() + var err error + if r.fr != nil { + err = r.fr.Close() + flateReaderPool.Put(r.fr) + r.fr = nil + } + return err +} + +var ( + compressors sync.Map // map[uint16]Compressor + decompressors sync.Map // map[uint16]Decompressor +) + +func init() { + compressors.Store(Store, Compressor(func(w io.Writer) (io.WriteCloser, error) { return &nopCloser{w}, nil })) + compressors.Store(Deflate, Compressor(func(w io.Writer) (io.WriteCloser, error) { return newFlateWriter(w), nil })) + + decompressors.Store(Store, Decompressor(ioutil.NopCloser)) + decompressors.Store(Deflate, Decompressor(newFlateReader)) +} + +// RegisterDecompressor allows custom decompressors for a specified method ID. +// The common methods Store and Deflate are built in. +func RegisterDecompressor(method uint16, dcomp Decompressor) { + if _, dup := decompressors.LoadOrStore(method, dcomp); dup { + panic("decompressor already registered") + } +} + +// RegisterCompressor registers custom compressors for a specified method ID. +// The common methods Store and Deflate are built in. +func RegisterCompressor(method uint16, comp Compressor) { + if _, dup := compressors.LoadOrStore(method, comp); dup { + panic("compressor already registered") + } +} + +func compressor(method uint16) Compressor { + ci, ok := compressors.Load(method) + if !ok { + return nil + } + return ci.(Compressor) +} + +func decompressor(method uint16) Decompressor { + di, ok := decompressors.Load(method) + if !ok { + return nil + } + return di.(Decompressor) +} diff --git a/third_party/zip/struct.go b/third_party/zip/struct.go new file mode 100644 index 00000000000..bd637d185b7 --- /dev/null +++ b/third_party/zip/struct.go @@ -0,0 +1,382 @@ +// Copyright 2010 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +/* +Package zip provides support for reading and writing ZIP archives. + +See: https://www.pkware.com/appnote + +This package does not support disk spanning. + +A note about ZIP64: + +To be backwards compatible the FileHeader has both 32 and 64 bit Size +fields. The 64 bit fields will always contain the correct value and +for normal archives both fields will be the same. For files requiring +the ZIP64 format the 32 bit fields will be 0xffffffff and the 64 bit +fields must be used instead. +*/ +package zip + +import ( + "os" + "path" + "time" +) + +// Compression methods. +const ( + Store uint16 = 0 // no compression + Deflate uint16 = 8 // DEFLATE compressed +) + +const ( + fileHeaderSignature = 0x04034b50 + directoryHeaderSignature = 0x02014b50 + directoryEndSignature = 0x06054b50 + directory64LocSignature = 0x07064b50 + directory64EndSignature = 0x06064b50 + dataDescriptorSignature = 0x08074b50 // de-facto standard; required by OS X Finder + fileHeaderLen = 30 // + filename + extra + directoryHeaderLen = 46 // + filename + extra + comment + directoryEndLen = 22 // + comment + dataDescriptorLen = 16 // four uint32: descriptor signature, crc32, compressed size, size + dataDescriptor64Len = 24 // descriptor with 8 byte sizes + directory64LocLen = 20 // + directory64EndLen = 56 // + extra + + // Constants for the first byte in CreatorVersion. + creatorFAT = 0 + creatorUnix = 3 + creatorNTFS = 11 + creatorVFAT = 14 + creatorMacOSX = 19 + + // Version numbers. + zipVersion20 = 20 // 2.0 + zipVersion45 = 45 // 4.5 (reads and writes zip64 archives) + + // Limits for non zip64 files. + uint16max = (1 << 16) - 1 + uint32max = (1 << 32) - 1 + + // Extra header IDs. + // + // IDs 0..31 are reserved for official use by PKWARE. + // IDs above that range are defined by third-party vendors. + // Since ZIP lacked high precision timestamps (nor a official specification + // of the timezone used for the date fields), many competing extra fields + // have been invented. Pervasive use effectively makes them "official". + // + // See http://mdfs.net/Docs/Comp/Archiving/Zip/ExtraField + zip64ExtraID = 0x0001 // Zip64 extended information + ntfsExtraID = 0x000a // NTFS + unixExtraID = 0x000d // UNIX + extTimeExtraID = 0x5455 // Extended timestamp + infoZipUnixExtraID = 0x5855 // Info-ZIP Unix extension +) + +// FileHeader describes a file within a zip file. +// See the zip spec for details. +type FileHeader struct { + // Name is the name of the file. + // + // It must be a relative path, not start with a drive letter (such as "C:"), + // and must use forward slashes instead of back slashes. A trailing slash + // indicates that this file is a directory and should have no data. + // + // When reading zip files, the Name field is populated from + // the zip file directly and is not validated for correctness. + // It is the caller's responsibility to sanitize it as + // appropriate, including canonicalizing slash directions, + // validating that paths are relative, and preventing path + // traversal through filenames ("../../../"). + Name string + + // Comment is any arbitrary user-defined string shorter than 64KiB. + Comment string + + // NonUTF8 indicates that Name and Comment are not encoded in UTF-8. + // + // By specification, the only other encoding permitted should be CP-437, + // but historically many ZIP readers interpret Name and Comment as whatever + // the system's local character encoding happens to be. + // + // This flag should only be set if the user intends to encode a non-portable + // ZIP file for a specific localized region. Otherwise, the Writer + // automatically sets the ZIP format's UTF-8 flag for valid UTF-8 strings. + NonUTF8 bool + + CreatorVersion uint16 + ReaderVersion uint16 + Flags uint16 + + // Method is the compression method. If zero, Store is used. + Method uint16 + + // Modified is the modified time of the file. + // + // When reading, an extended timestamp is preferred over the legacy MS-DOS + // date field, and the offset between the times is used as the timezone. + // If only the MS-DOS date is present, the timezone is assumed to be UTC. + // + // When writing, an extended timestamp (which is timezone-agnostic) is + // always emitted. The legacy MS-DOS date field is encoded according to the + // location of the Modified time. + Modified time.Time + ModifiedTime uint16 // Deprecated: Legacy MS-DOS date; use Modified instead. + ModifiedDate uint16 // Deprecated: Legacy MS-DOS time; use Modified instead. + + CRC32 uint32 + CompressedSize uint32 // Deprecated: Use CompressedSize64 instead. + UncompressedSize uint32 // Deprecated: Use UncompressedSize64 instead. + CompressedSize64 uint64 + UncompressedSize64 uint64 + Extra []byte + ExternalAttrs uint32 // Meaning depends on CreatorVersion +} + +// FileInfo returns an os.FileInfo for the FileHeader. +func (h *FileHeader) FileInfo() os.FileInfo { + return headerFileInfo{h} +} + +// headerFileInfo implements os.FileInfo. +type headerFileInfo struct { + fh *FileHeader +} + +func (fi headerFileInfo) Name() string { return path.Base(fi.fh.Name) } +func (fi headerFileInfo) Size() int64 { + if fi.fh.UncompressedSize64 > 0 { + return int64(fi.fh.UncompressedSize64) + } + return int64(fi.fh.UncompressedSize) +} +func (fi headerFileInfo) IsDir() bool { return fi.Mode().IsDir() } +func (fi headerFileInfo) ModTime() time.Time { return fi.fh.ModTime() } +func (fi headerFileInfo) Mode() os.FileMode { return fi.fh.Mode() } +func (fi headerFileInfo) Sys() interface{} { return fi.fh } + +// FileInfoHeader creates a partially-populated FileHeader from an +// os.FileInfo. +// Because os.FileInfo's Name method returns only the base name of +// the file it describes, it may be necessary to modify the Name field +// of the returned header to provide the full path name of the file. +// If compression is desired, callers should set the FileHeader.Method +// field; it is unset by default. +func FileInfoHeader(fi os.FileInfo) (*FileHeader, error) { + size := fi.Size() + fh := &FileHeader{ + Name: fi.Name(), + UncompressedSize64: uint64(size), + } + fh.SetModTime(fi.ModTime()) + fh.SetMode(fi.Mode()) + if fh.UncompressedSize64 > uint32max { + fh.UncompressedSize = uint32max + } else { + fh.UncompressedSize = uint32(fh.UncompressedSize64) + } + return fh, nil +} + +type directoryEnd struct { + diskNbr uint32 // unused + dirDiskNbr uint32 // unused + dirRecordsThisDisk uint64 // unused + directoryRecords uint64 + directorySize uint64 + directoryOffset uint64 // relative to file + commentLen uint16 + comment string +} + +// timeZone returns a *time.Location based on the provided offset. +// If the offset is non-sensible, then this uses an offset of zero. +func timeZone(offset time.Duration) *time.Location { + const ( + minOffset = -12 * time.Hour // E.g., Baker island at -12:00 + maxOffset = +14 * time.Hour // E.g., Line island at +14:00 + offsetAlias = 15 * time.Minute // E.g., Nepal at +5:45 + ) + offset = offset.Round(offsetAlias) + if offset < minOffset || maxOffset < offset { + offset = 0 + } + return time.FixedZone("", int(offset/time.Second)) +} + +// msDosTimeToTime converts an MS-DOS date and time into a time.Time. +// The resolution is 2s. +// See: https://msdn.microsoft.com/en-us/library/ms724247(v=VS.85).aspx +func msDosTimeToTime(dosDate, dosTime uint16) time.Time { + return time.Date( + // date bits 0-4: day of month; 5-8: month; 9-15: years since 1980 + int(dosDate>>9+1980), + time.Month(dosDate>>5&0xf), + int(dosDate&0x1f), + + // time bits 0-4: second/2; 5-10: minute; 11-15: hour + int(dosTime>>11), + int(dosTime>>5&0x3f), + int(dosTime&0x1f*2), + 0, // nanoseconds + + time.UTC, + ) +} + +// timeToMsDosTime converts a time.Time to an MS-DOS date and time. +// The resolution is 2s. +// See: https://msdn.microsoft.com/en-us/library/ms724274(v=VS.85).aspx +func timeToMsDosTime(t time.Time) (fDate uint16, fTime uint16) { + fDate = uint16(t.Day() + int(t.Month())<<5 + (t.Year()-1980)<<9) + fTime = uint16(t.Second()/2 + t.Minute()<<5 + t.Hour()<<11) + return +} + +// ModTime returns the modification time in UTC using the legacy +// ModifiedDate and ModifiedTime fields. +// +// Deprecated: Use Modified instead. +func (h *FileHeader) ModTime() time.Time { + return msDosTimeToTime(h.ModifiedDate, h.ModifiedTime) +} + +// SetModTime sets the Modified, ModifiedTime, and ModifiedDate fields +// to the given time in UTC. +// +// Deprecated: Use Modified instead. +func (h *FileHeader) SetModTime(t time.Time) { + t = t.UTC() // Convert to UTC for compatibility + h.Modified = t + h.ModifiedDate, h.ModifiedTime = timeToMsDosTime(t) +} + +const ( + // Unix constants. The specification doesn't mention them, + // but these seem to be the values agreed on by tools. + s_IFMT = 0xf000 + s_IFSOCK = 0xc000 + s_IFLNK = 0xa000 + s_IFREG = 0x8000 + s_IFBLK = 0x6000 + s_IFDIR = 0x4000 + s_IFCHR = 0x2000 + s_IFIFO = 0x1000 + s_ISUID = 0x800 + s_ISGID = 0x400 + s_ISVTX = 0x200 + + msdosDir = 0x10 + msdosReadOnly = 0x01 +) + +// Mode returns the permission and mode bits for the FileHeader. +func (h *FileHeader) Mode() (mode os.FileMode) { + switch h.CreatorVersion >> 8 { + case creatorUnix, creatorMacOSX: + mode = unixModeToFileMode(h.ExternalAttrs >> 16) + case creatorNTFS, creatorVFAT, creatorFAT: + mode = msdosModeToFileMode(h.ExternalAttrs) + } + if len(h.Name) > 0 && h.Name[len(h.Name)-1] == '/' { + mode |= os.ModeDir + } + return mode +} + +// SetMode changes the permission and mode bits for the FileHeader. +func (h *FileHeader) SetMode(mode os.FileMode) { + h.CreatorVersion = h.CreatorVersion&0xff | creatorUnix<<8 + h.ExternalAttrs = fileModeToUnixMode(mode) << 16 + + // set MSDOS attributes too, as the original zip does. + if mode&os.ModeDir != 0 { + h.ExternalAttrs |= msdosDir + } + if mode&0200 == 0 { + h.ExternalAttrs |= msdosReadOnly + } +} + +// isZip64 reports whether the file size exceeds the 32 bit limit +func (h *FileHeader) isZip64() bool { + return h.CompressedSize64 >= uint32max || h.UncompressedSize64 >= uint32max +} + +func msdosModeToFileMode(m uint32) (mode os.FileMode) { + if m&msdosDir != 0 { + mode = os.ModeDir | 0777 + } else { + mode = 0666 + } + if m&msdosReadOnly != 0 { + mode &^= 0222 + } + return mode +} + +func fileModeToUnixMode(mode os.FileMode) uint32 { + var m uint32 + switch mode & os.ModeType { + default: + m = s_IFREG + case os.ModeDir: + m = s_IFDIR + case os.ModeSymlink: + m = s_IFLNK + case os.ModeNamedPipe: + m = s_IFIFO + case os.ModeSocket: + m = s_IFSOCK + case os.ModeDevice: + if mode&os.ModeCharDevice != 0 { + m = s_IFCHR + } else { + m = s_IFBLK + } + } + if mode&os.ModeSetuid != 0 { + m |= s_ISUID + } + if mode&os.ModeSetgid != 0 { + m |= s_ISGID + } + if mode&os.ModeSticky != 0 { + m |= s_ISVTX + } + return m | uint32(mode&0777) +} + +func unixModeToFileMode(m uint32) os.FileMode { + mode := os.FileMode(m & 0777) + switch m & s_IFMT { + case s_IFBLK: + mode |= os.ModeDevice + case s_IFCHR: + mode |= os.ModeDevice | os.ModeCharDevice + case s_IFDIR: + mode |= os.ModeDir + case s_IFIFO: + mode |= os.ModeNamedPipe + case s_IFLNK: + mode |= os.ModeSymlink + case s_IFREG: + // nothing to do + case s_IFSOCK: + mode |= os.ModeSocket + } + if m&s_ISGID != 0 { + mode |= os.ModeSetgid + } + if m&s_ISUID != 0 { + mode |= os.ModeSetuid + } + if m&s_ISVTX != 0 { + mode |= os.ModeSticky + } + return mode +} diff --git a/third_party/zip/writer.go b/third_party/zip/writer.go new file mode 100644 index 00000000000..cdc534eaf01 --- /dev/null +++ b/third_party/zip/writer.go @@ -0,0 +1,541 @@ +// Copyright 2011 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package zip + +import ( + "bufio" + "encoding/binary" + "errors" + "hash" + "hash/crc32" + "io" + "strings" + "unicode/utf8" +) + +var ( + errLongName = errors.New("zip: FileHeader.Name too long") + errLongExtra = errors.New("zip: FileHeader.Extra too long") +) + +// Writer implements a zip file writer. +type Writer struct { + cw *countWriter + dir []*header + last *fileWriter + closed bool + compressors map[uint16]Compressor + comment string + + // testHookCloseSizeOffset if non-nil is called with the size + // of offset of the central directory at Close. + testHookCloseSizeOffset func(size, offset uint64) +} + +type header struct { + *FileHeader + offset uint64 +} + +// NewWriter returns a new Writer writing a zip file to w. +func NewWriter(w io.Writer) *Writer { + return &Writer{cw: &countWriter{w: bufio.NewWriter(w)}} +} + +// SetOffset sets the offset of the beginning of the zip data within the +// underlying writer. It should be used when the zip data is appended to an +// existing file, such as a binary executable. +// It must be called before any data is written. +func (w *Writer) SetOffset(n int64) { + if w.cw.count != 0 { + panic("zip: SetOffset called after data was written") + } + w.cw.count = n +} + +// Flush flushes any buffered data to the underlying writer. +// Calling Flush is not normally necessary; calling Close is sufficient. +func (w *Writer) Flush() error { + return w.cw.w.(*bufio.Writer).Flush() +} + +// SetComment sets the end-of-central-directory comment field. +// It can only be called before Close. +func (w *Writer) SetComment(comment string) error { + if len(comment) > uint16max { + return errors.New("zip: Writer.Comment too long") + } + w.comment = comment + return nil +} + +// Close finishes writing the zip file by writing the central directory. +// It does not close the underlying writer. +func (w *Writer) Close() error { + if w.last != nil && !w.last.closed { + if err := w.last.close(); err != nil { + return err + } + w.last = nil + } + if w.closed { + return errors.New("zip: writer closed twice") + } + w.closed = true + + // write central directory + start := w.cw.count + for _, h := range w.dir { + var buf [directoryHeaderLen]byte + b := writeBuf(buf[:]) + b.uint32(uint32(directoryHeaderSignature)) + b.uint16(h.CreatorVersion) + b.uint16(h.ReaderVersion) + b.uint16(h.Flags) + b.uint16(h.Method) + b.uint16(h.ModifiedTime) + b.uint16(h.ModifiedDate) + b.uint32(h.CRC32) + if h.isZip64() || h.offset >= uint32max { + // the file needs a zip64 header. store maxint in both + // 32 bit size fields (and offset later) to signal that the + // zip64 extra header should be used. + b.uint32(uint32max) // compressed size + b.uint32(uint32max) // uncompressed size + + // append a zip64 extra block to Extra + var buf [28]byte // 2x uint16 + 3x uint64 + eb := writeBuf(buf[:]) + eb.uint16(zip64ExtraID) + eb.uint16(24) // size = 3x uint64 + eb.uint64(h.UncompressedSize64) + eb.uint64(h.CompressedSize64) + eb.uint64(h.offset) + h.Extra = append(h.Extra, buf[:]...) + } else { + b.uint32(h.CompressedSize) + b.uint32(h.UncompressedSize) + } + + b.uint16(uint16(len(h.Name))) + b.uint16(uint16(len(h.Extra))) + b.uint16(uint16(len(h.Comment))) + b = b[4:] // skip disk number start and internal file attr (2x uint16) + b.uint32(h.ExternalAttrs) + if h.offset > uint32max { + b.uint32(uint32max) + } else { + b.uint32(uint32(h.offset)) + } + if _, err := w.cw.Write(buf[:]); err != nil { + return err + } + if _, err := io.WriteString(w.cw, h.Name); err != nil { + return err + } + if _, err := w.cw.Write(h.Extra); err != nil { + return err + } + if _, err := io.WriteString(w.cw, h.Comment); err != nil { + return err + } + } + end := w.cw.count + + records := uint64(len(w.dir)) + size := uint64(end - start) + offset := uint64(start) + + if f := w.testHookCloseSizeOffset; f != nil { + f(size, offset) + } + + if records >= uint16max || size >= uint32max || offset >= uint32max { + var buf [directory64EndLen + directory64LocLen]byte + b := writeBuf(buf[:]) + + // zip64 end of central directory record + b.uint32(directory64EndSignature) + b.uint64(directory64EndLen - 12) // length minus signature (uint32) and length fields (uint64) + b.uint16(zipVersion45) // version made by + b.uint16(zipVersion45) // version needed to extract + b.uint32(0) // number of this disk + b.uint32(0) // number of the disk with the start of the central directory + b.uint64(records) // total number of entries in the central directory on this disk + b.uint64(records) // total number of entries in the central directory + b.uint64(size) // size of the central directory + b.uint64(offset) // offset of start of central directory with respect to the starting disk number + + // zip64 end of central directory locator + b.uint32(directory64LocSignature) + b.uint32(0) // number of the disk with the start of the zip64 end of central directory + b.uint64(uint64(end)) // relative offset of the zip64 end of central directory record + b.uint32(1) // total number of disks + + if _, err := w.cw.Write(buf[:]); err != nil { + return err + } + + // store max values in the regular end record to signal + // that the zip64 values should be used instead + records = uint16max + size = uint32max + offset = uint32max + } + + // write end record + var buf [directoryEndLen]byte + b := writeBuf(buf[:]) + b.uint32(uint32(directoryEndSignature)) + b = b[4:] // skip over disk number and first disk number (2x uint16) + b.uint16(uint16(records)) // number of entries this disk + b.uint16(uint16(records)) // number of entries total + b.uint32(uint32(size)) // size of directory + b.uint32(uint32(offset)) // start of directory + b.uint16(uint16(len(w.comment))) // byte size of EOCD comment + if _, err := w.cw.Write(buf[:]); err != nil { + return err + } + if _, err := io.WriteString(w.cw, w.comment); err != nil { + return err + } + + return w.cw.w.(*bufio.Writer).Flush() +} + +// Create adds a file to the zip file using the provided name. +// It returns a Writer to which the file contents should be written. +// The file contents will be compressed using the Deflate method. +// The name must be a relative path: it must not start with a drive +// letter (e.g. C:) or leading slash, and only forward slashes are +// allowed. To create a directory instead of a file, add a trailing +// slash to the name. +// The file's contents must be written to the io.Writer before the next +// call to Create, CreateHeader, or Close. +func (w *Writer) Create(name string) (io.Writer, error) { + header := &FileHeader{ + Name: name, + Method: Deflate, + } + return w.CreateHeader(header) +} + +// detectUTF8 reports whether s is a valid UTF-8 string, and whether the string +// must be considered UTF-8 encoding (i.e., not compatible with CP-437, ASCII, +// or any other common encoding). +func detectUTF8(s string) (valid, require bool) { + for i := 0; i < len(s); { + r, size := utf8.DecodeRuneInString(s[i:]) + i += size + // Officially, ZIP uses CP-437, but many readers use the system's + // local character encoding. Most encoding are compatible with a large + // subset of CP-437, which itself is ASCII-like. + // + // Forbid 0x7e and 0x5c since EUC-KR and Shift-JIS replace those + // characters with localized currency and overline characters. + if r < 0x20 || r > 0x7d || r == 0x5c { + if !utf8.ValidRune(r) || (r == utf8.RuneError && size == 1) { + return false, false + } + require = true + } + } + return true, require +} + +// CreateHeader adds a file to the zip archive using the provided FileHeader +// for the file metadata. Writer takes ownership of fh and may mutate +// its fields. The caller must not modify fh after calling CreateHeader. +// +// This returns a Writer to which the file contents should be written. +// The file's contents must be written to the io.Writer before the next +// call to Create, CreateHeader, or Close. +func (w *Writer) CreateHeader(fh *FileHeader) (io.Writer, error) { + if w.last != nil && !w.last.closed { + if err := w.last.close(); err != nil { + return nil, err + } + } + if len(w.dir) > 0 && w.dir[len(w.dir)-1].FileHeader == fh { + // See https://golang.org/issue/11144 confusion. + return nil, errors.New("archive/zip: invalid duplicate FileHeader") + } + + // The ZIP format has a sad state of affairs regarding character encoding. + // Officially, the name and comment fields are supposed to be encoded + // in CP-437 (which is mostly compatible with ASCII), unless the UTF-8 + // flag bit is set. However, there are several problems: + // + // * Many ZIP readers still do not support UTF-8. + // * If the UTF-8 flag is cleared, several readers simply interpret the + // name and comment fields as whatever the local system encoding is. + // + // In order to avoid breaking readers without UTF-8 support, + // we avoid setting the UTF-8 flag if the strings are CP-437 compatible. + // However, if the strings require multibyte UTF-8 encoding and is a + // valid UTF-8 string, then we set the UTF-8 bit. + // + // For the case, where the user explicitly wants to specify the encoding + // as UTF-8, they will need to set the flag bit themselves. + utf8Valid1, utf8Require1 := detectUTF8(fh.Name) + utf8Valid2, utf8Require2 := detectUTF8(fh.Comment) + switch { + case fh.NonUTF8: + fh.Flags &^= 0x800 + case (utf8Require1 || utf8Require2) && (utf8Valid1 && utf8Valid2): + fh.Flags |= 0x800 + } + + fh.CreatorVersion = fh.CreatorVersion&0xff00 | zipVersion20 // preserve compatibility byte + fh.ReaderVersion = zipVersion20 + + // If Modified is set, this takes precedence over MS-DOS timestamp fields. + if !fh.Modified.IsZero() { + // Contrary to the FileHeader.SetModTime method, we intentionally + // do not convert to UTC, because we assume the user intends to encode + // the date using the specified timezone. A user may want this control + // because many legacy ZIP readers interpret the timestamp according + // to the local timezone. + // + // The timezone is only non-UTC if a user directly sets the Modified + // field directly themselves. All other approaches sets UTC. + fh.ModifiedDate, fh.ModifiedTime = timeToMsDosTime(fh.Modified) + + // Use "extended timestamp" format since this is what Info-ZIP uses. + // Nearly every major ZIP implementation uses a different format, + // but at least most seem to be able to understand the other formats. + // + // This format happens to be identical for both local and central header + // if modification time is the only timestamp being encoded. + var mbuf [9]byte // 2*SizeOf(uint16) + SizeOf(uint8) + SizeOf(uint32) + mt := uint32(fh.Modified.Unix()) + eb := writeBuf(mbuf[:]) + eb.uint16(extTimeExtraID) + eb.uint16(5) // Size: SizeOf(uint8) + SizeOf(uint32) + eb.uint8(1) // Flags: ModTime + eb.uint32(mt) // ModTime + fh.Extra = append(fh.Extra, mbuf[:]...) + } + + var ( + ow io.Writer + fw *fileWriter + ) + h := &header{ + FileHeader: fh, + offset: uint64(w.cw.count), + } + + if strings.HasSuffix(fh.Name, "/") { + // Set the compression method to Store to ensure data length is truly zero, + // which the writeHeader method always encodes for the size fields. + // This is necessary as most compression formats have non-zero lengths + // even when compressing an empty string. + fh.Method = Store + fh.Flags &^= 0x8 // we will not write a data descriptor + + // Explicitly clear sizes as they have no meaning for directories. + fh.CompressedSize = 0 + fh.CompressedSize64 = 0 + fh.UncompressedSize = 0 + fh.UncompressedSize64 = 0 + + ow = dirWriter{} + } else { + fh.Flags |= 0x8 // we will write a data descriptor + + fw = &fileWriter{ + zipw: w.cw, + compCount: &countWriter{w: w.cw}, + crc32: crc32.NewIEEE(), + } + comp := w.compressor(fh.Method) + if comp == nil { + return nil, ErrAlgorithm + } + var err error + fw.comp, err = comp(fw.compCount) + if err != nil { + return nil, err + } + fw.rawCount = &countWriter{w: fw.comp} + fw.header = h + ow = fw + } + w.dir = append(w.dir, h) + if err := writeHeader(w.cw, fh); err != nil { + return nil, err + } + // If we're creating a directory, fw is nil. + w.last = fw + return ow, nil +} + +func writeHeader(w io.Writer, h *FileHeader) error { + const maxUint16 = 1<<16 - 1 + if len(h.Name) > maxUint16 { + return errLongName + } + if len(h.Extra) > maxUint16 { + return errLongExtra + } + + var buf [fileHeaderLen]byte + b := writeBuf(buf[:]) + b.uint32(uint32(fileHeaderSignature)) + b.uint16(h.ReaderVersion) + b.uint16(h.Flags) + b.uint16(h.Method) + b.uint16(h.ModifiedTime) + b.uint16(h.ModifiedDate) + b.uint32(0) // since we are writing a data descriptor crc32, + b.uint32(0) // compressed size, + b.uint32(0) // and uncompressed size should be zero + b.uint16(uint16(len(h.Name))) + b.uint16(uint16(len(h.Extra))) + if _, err := w.Write(buf[:]); err != nil { + return err + } + if _, err := io.WriteString(w, h.Name); err != nil { + return err + } + _, err := w.Write(h.Extra) + return err +} + +// RegisterCompressor registers or overrides a custom compressor for a specific +// method ID. If a compressor for a given method is not found, Writer will +// default to looking up the compressor at the package level. +func (w *Writer) RegisterCompressor(method uint16, comp Compressor) { + if w.compressors == nil { + w.compressors = make(map[uint16]Compressor) + } + w.compressors[method] = comp +} + +func (w *Writer) compressor(method uint16) Compressor { + comp := w.compressors[method] + if comp == nil { + comp = compressor(method) + } + return comp +} + +type dirWriter struct{} + +func (dirWriter) Write(b []byte) (int, error) { + if len(b) == 0 { + return 0, nil + } + return 0, errors.New("zip: write to directory") +} + +type fileWriter struct { + *header + zipw io.Writer + rawCount *countWriter + comp io.WriteCloser + compCount *countWriter + crc32 hash.Hash32 + closed bool +} + +func (w *fileWriter) Write(p []byte) (int, error) { + if w.closed { + return 0, errors.New("zip: write to closed file") + } + w.crc32.Write(p) + return w.rawCount.Write(p) +} + +func (w *fileWriter) close() error { + if w.closed { + return errors.New("zip: file closed twice") + } + w.closed = true + if err := w.comp.Close(); err != nil { + return err + } + + // update FileHeader + fh := w.header.FileHeader + fh.CRC32 = w.crc32.Sum32() + fh.CompressedSize64 = uint64(w.compCount.count) + fh.UncompressedSize64 = uint64(w.rawCount.count) + + if fh.isZip64() { + fh.CompressedSize = uint32max + fh.UncompressedSize = uint32max + fh.ReaderVersion = zipVersion45 // requires 4.5 - File uses ZIP64 format extensions + } else { + fh.CompressedSize = uint32(fh.CompressedSize64) + fh.UncompressedSize = uint32(fh.UncompressedSize64) + } + + // Write data descriptor. This is more complicated than one would + // think, see e.g. comments in zipfile.c:putextended() and + // http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7073588. + // The approach here is to write 8 byte sizes if needed without + // adding a zip64 extra in the local header (too late anyway). + var buf []byte + if fh.isZip64() { + buf = make([]byte, dataDescriptor64Len) + } else { + buf = make([]byte, dataDescriptorLen) + } + b := writeBuf(buf) + b.uint32(dataDescriptorSignature) // de-facto standard, required by OS X + b.uint32(fh.CRC32) + if fh.isZip64() { + b.uint64(fh.CompressedSize64) + b.uint64(fh.UncompressedSize64) + } else { + b.uint32(fh.CompressedSize) + b.uint32(fh.UncompressedSize) + } + _, err := w.zipw.Write(buf) + return err +} + +type countWriter struct { + w io.Writer + count int64 +} + +func (w *countWriter) Write(p []byte) (int, error) { + n, err := w.w.Write(p) + w.count += int64(n) + return n, err +} + +type nopCloser struct { + io.Writer +} + +func (w nopCloser) Close() error { + return nil +} + +type writeBuf []byte + +func (b *writeBuf) uint8(v uint8) { + (*b)[0] = v + *b = (*b)[1:] +} + +func (b *writeBuf) uint16(v uint16) { + binary.LittleEndian.PutUint16(*b, v) + *b = (*b)[2:] +} + +func (b *writeBuf) uint32(v uint32) { + binary.LittleEndian.PutUint32(*b, v) + *b = (*b)[4:] +} + +func (b *writeBuf) uint64(v uint64) { + binary.LittleEndian.PutUint64(*b, v) + *b = (*b)[8:] +} diff --git a/vql/filesystem/zip.go b/vql/filesystem/zip.go index 79f200d608b..359fc157a86 100644 --- a/vql/filesystem/zip.go +++ b/vql/filesystem/zip.go @@ -40,7 +40,6 @@ package filesystem import ( - "archive/zip" "context" "encoding/json" "errors" @@ -54,6 +53,8 @@ import ( "sync" "time" + "www.velocidex.com/golang/velociraptor/third_party/zip" + "www.velocidex.com/golang/velociraptor/glob" "www.velocidex.com/golang/vfilter" ) diff --git a/vql/parsers/ole.go b/vql/parsers/ole.go index 3e783b496ad..28bf0190888 100644 --- a/vql/parsers/ole.go +++ b/vql/parsers/ole.go @@ -18,7 +18,6 @@ package parsers import ( - "archive/zip" "context" "errors" "io" @@ -27,6 +26,7 @@ import ( "www.velocidex.com/golang/oleparse" "www.velocidex.com/golang/velociraptor/constants" "www.velocidex.com/golang/velociraptor/glob" + "www.velocidex.com/golang/velociraptor/third_party/zip" vql_subsystem "www.velocidex.com/golang/velociraptor/vql" vfilter "www.velocidex.com/golang/vfilter" )