Added a VQL client action.

Refactored VQL subsystem to its own module.

actions/actions.go

@@ -20,5 +20,6 @@ func GetClientActionsMap() map[string]ClientAction {
 	result["HashFile"] = &HashFile{}
 	result["HashBuffer"] = &HashBuffer{}
 	result["TransferBuffer"] = &TransferBuffer{}
+	result["VQLClientAction"] = &VQLClientAction{}
 	return result
 }

actions/proto/vql.proto

@@ -0,0 +1,18 @@
+// These are the messages used in client actions.
+syntax = "proto2";
+
+import "www.velocidex.com/golang/velociraptor/proto/semantic.proto";
+
+package proto;
+
+message VQLCollectorArgs {
+    optional string Query = 1 [(sem_type) = {
+            description: "The VQL query to execute on the client.",
+        }, default = "select * from client_info()"];
+}
+
+message VQLResponse {
+    optional string Response = 1 [(sem_type) = {
+            description: "JSON encoded response.",
+        }];
+}

actions/vql.go

@@ -0,0 +1,49 @@
+package actions
+
+import (
+	"www.velocidex.com/golang/velociraptor/context"
+	"encoding/json"
+	"www.velocidex.com/golang/vfilter"
+	"github.com/golang/protobuf/proto"
+	actions_proto "www.velocidex.com/golang/velociraptor/actions/proto"
+	vql_subsystem "www.velocidex.com/golang/velociraptor/vql"
+	crypto_proto "www.velocidex.com/golang/velociraptor/crypto/proto"
+)
+
+type VQLClientAction struct{}
+func (self *VQLClientAction) Run(
+	ctx *context.Context,
+	msg *crypto_proto.GrrMessage) []*crypto_proto.GrrMessage {
+	responder := NewResponder(msg)
+	arg, pres := responder.GetArgs().(*actions_proto.VQLCollectorArgs)
+	if !pres {
+		return responder.RaiseError("Request should be of type VQLCollectorArgs")
+	}
+
+	if arg.Query == nil {
+		return responder.RaiseError("Query should be specified.")
+	}
+
+	vql, err := vfilter.Parse(*arg.Query)
+	if err != nil {
+		responder.RaiseError(err.Error())
+	}
+
+	scope := vql_subsystem.MakeScope()
+	output_chan := vql.Eval(ctx, scope)
+	result := []vfilter.Row{}
+	for row := range output_chan {
+		result = append(result, row)
+	}
+
+	s, err := json.MarshalIndent(result, "", " ")
+	if err != nil {
+		return responder.RaiseError(err.Error())
+	}
+
+	responder.AddResponse(&actions_proto.VQLResponse{
+		Response: proto.String(string(s)),
+	})
+
+	return responder.Return()
+}

bin/velociraptor.go

@@ -0,0 +1,49 @@
+package main
+
+import (
+	"gopkg.in/alecthomas/kingpin.v2"
+	"www.velocidex.com/golang/velociraptor/config"
+	"www.velocidex.com/golang/velociraptor/http_comms"
+	"www.velocidex.com/golang/velociraptor/context"
+	"www.velocidex.com/golang/velociraptor/crypto"
+	"www.velocidex.com/golang/velociraptor/executor"
+)
+
+var (
+	config_path = kingpin.Arg("config", "The client's config file.").Required().String()
+)
+
+
+func main() {
+	kingpin.Parse()
+
+	ctx := context.Background()
+	config, err := config.LoadConfig(*config_path)
+	if err != nil {
+		kingpin.FatalIfError(err, "Unable to load config file")
+	}
+	ctx.Config = *config
+	manager, err := crypto.NewClientCryptoManager(
+		&ctx, []byte(config.Client_private_key))
+	if err != nil {
+		kingpin.FatalIfError(err, "Unable to parse config file")
+	}
+
+	exe, err := executor.NewClientExecutor(&ctx)
+	if err != nil {
+		kingpin.FatalIfError(err, "Can not create executor.")
+	}
+
+	comm, err := http_comms.NewHTTPCommunicator(
+		ctx,
+		manager,
+		exe,
+		config.Client_server_urls,
+	)
+	if err != nil {
+		kingpin.FatalIfError(err, "Can not create HTTPCommunicator.")
+	}
+
+	comm.Run()
+
+}

cmd/vraptor.go → bin/vraptor.go

@@ -7,7 +7,7 @@ import (
 	"github.com/olekukonko/tablewriter"
 	"gopkg.in/alecthomas/kingpin.v2"
 	"os"
-	"www.velocidex.com/golang/velociraptor"
+	vql_subsystem "www.velocidex.com/golang/velociraptor/vql"
 	"www.velocidex.com/golang/vfilter"
 )
 
@@ -16,12 +16,12 @@ var (
 	queries = query.Arg("query", "The VQL Query to run.").Required().Strings()
 	format  = query.Flag("format", "Output format to use.").Default("json").Enum("text", "json")
 
-	explain        = kingpin.Command("explain", "Explain the output from a plugun")
-	explain_plugin = explain.Arg("plugun", "Plugin to explain").Required().String()
+	explain        = kingpin.Command("explain", "Explain the output from a plugin")
+	explain_plugin = explain.Arg("plugin", "Plugin to explain").Required().String()
 )
 
 func outputJSON(vql *vfilter.VQL) {
-	scope := velociraptor.MakeScope()
+	scope := vql_subsystem.MakeScope()
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
@@ -38,7 +38,7 @@ func outputJSON(vql *vfilter.VQL) {
 }
 
 func evalQuery(vql *vfilter.VQL) {
-	scope := velociraptor.MakeScope()
+	scope := vql_subsystem.MakeScope()
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
@@ -74,7 +74,7 @@ func evalQuery(vql *vfilter.VQL) {
 
 func doExplain(plugin string) {
 	type_map := make(vfilter.TypeMap)
-	scope := velociraptor.MakeScope()
+	scope := vql_subsystem.MakeScope()
 	if pslist_info, pres := scope.Info(&type_map, plugin); pres {
 		vfilter.Debug(pslist_info)
 		vfilter.Debug(type_map)

context/context.go

@@ -8,6 +8,7 @@ package context
 
 import (
 	"context"
+	"time"
 	"www.velocidex.com/golang/velociraptor/config"
 )
 
@@ -21,6 +22,19 @@ func (self *Context) Done() <- chan struct{} {
 	return self.ctx.Done()
 }
 
+func (self *Context)Deadline() (deadline time.Time, ok bool) {
+	t, ok := self.ctx.Deadline()
+	return t,ok
+}
+
+func (self *Context) Err() error {
+	return self.ctx.Err()
+}
+
+func (self *Context) Value(key interface{}) interface{} {
+	return self.ctx.Value(key)
+}
+
 func Background() Context {
 	return Context{
 		ctx: context.Background(),

glob/glob.go

@@ -8,6 +8,7 @@ import (
 	"regexp"
 	"strconv"
 	"strings"
+	"www.velocidex.com/golang/velociraptor/utils"
 )
 
 // The algorithm in this file is based on the Rekall algorithm here:
@@ -126,7 +127,7 @@ func (self *Globber) _brace_expansion(pattern string, result *[]string) {
 		for _, item := range middle {
 			self._brace_expansion(left+item+right, result)
 		}
-	} else if !in_string(result, pattern) {
+	} else if !utils.InString(result, pattern) {
 		*result = append(*result, pattern)
 	}
 }

glob/utils.go → utils/utils.go

@@ -1,6 +1,6 @@
-package glob
+package utils
 
-func in_string(hay *[]string, needle string) bool {
+func InString(hay *[]string, needle string) bool {
 	for _, x := range *hay {
 		if x == needle {
 			return true

filesystem.go → vql/filesystem.go

@@ -1,4 +1,4 @@
-package velociraptor
+package vql
 
 import (
 	"context"

info.go → vql/info.go

@@ -1,4 +1,4 @@
-package velociraptor
+package vql
 
 import (
 	"github.com/shirou/gopsutil/host"

process.go → vql/process.go

@@ -1,8 +1,9 @@
-package velociraptor
+package vql
 
 import (
 	"github.com/shirou/gopsutil/process"
 	"www.velocidex.com/golang/vfilter"
+	"www.velocidex.com/golang/velociraptor/utils"
 )
 
 // Block potentially dangerous methods.
@@ -23,7 +24,7 @@ func (self _ProcessFieldImpl) Associative(
 	scope *vfilter.Scope, a vfilter.Any, b vfilter.Any) (vfilter.Any, bool) {
 	field := b.(string)
 
-	if in_string(&_BlockedMembers, field) {
+	if utils.InString(&_BlockedMembers, field) {
 		return false, true
 	}
 
@@ -35,7 +36,7 @@ func (self _ProcessFieldImpl) GetMembers(scope *vfilter.Scope, a vfilter.Any) []
 	var result []string
 
 	for _, item := range (vfilter.DefaultAssociative{}).GetMembers(scope, a) {
-		if !in_string(&_BlockedMembers, item) {
+		if !utils.InString(&_BlockedMembers, item) {
 			result = append(result, item)
 		}
 	}

users.go → vql/users.go

@@ -1,4 +1,4 @@
-package velociraptor
+package vql
 
 import (
 	"github.com/shirou/gopsutil/host"

velociraptor.go → vql/vql.go

@@ -1,14 +1,13 @@
 /*
 
-  Velociraptor is a tool for collecting host based state information
+  The VQL subsystem allows for collecting host based state information
   using Velocidex Query Language (VQL) queries.
 
   The primary use case for Velociraptor is for incident
   response/detection and host based inventory management.
-
 */
 
-package velociraptor
+package vql
 
 import (
 	"www.velocidex.com/golang/vfilter"