Added an uploader plugin and sync with the latest vfilter code.

actions/vql.go

@@ -1,7 +1,6 @@
 package actions
 
 import (
-	"encoding/json"
 	"github.com/golang/protobuf/proto"
 	actions_proto "www.velocidex.com/golang/velociraptor/actions/proto"
 	"www.velocidex.com/golang/velociraptor/context"
@@ -31,15 +30,9 @@ func (self *VQLClientAction) Run(
 	}
 
 	scope := vql_subsystem.MakeScope()
-	output_chan := vql.Eval(ctx, scope)
-	result := []vfilter.Row{}
-	for row := range output_chan {
-		result = append(result, row)
-	}
-
-	s, err := json.MarshalIndent(result, "", " ")
+	s, err := vfilter.OutputJSON(vql, ctx, scope)
 	if err != nil {
-		return responder.RaiseError(err.Error())
+		responder.RaiseError(err.Error())
 	}
 
 	responder.AddResponse(&actions_proto.VQLResponse{

bin/vraptor.go

@@ -8,9 +8,9 @@ import (
 	"gopkg.in/alecthomas/kingpin.v2"
 	"os"
 	"strings"
+	"www.velocidex.com/golang/velociraptor/utils"
 	vql_subsystem "www.velocidex.com/golang/velociraptor/vql"
 	"www.velocidex.com/golang/vfilter"
-	//	utils 	"www.velocidex.com/golang/velociraptor/testing"
 )
 
 var (
@@ -30,15 +30,9 @@ func outputJSON(vql *vfilter.VQL) {
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
-	output_chan := vql.Eval(ctx, scope)
-	result := []vfilter.Row{}
-	for row := range output_chan {
-		result = append(result, row)
-	}
-
-	s, err := json.MarshalIndent(result, "", " ")
+	result, err := vfilter.OutputJSON(vql, ctx, scope)
 	if err == nil {
-		os.Stdout.Write(s)
+		os.Stdout.Write(result)
 	}
 }
 
@@ -75,9 +69,16 @@ func evalQuery(vql *vfilter.VQL) {
 			return
 		}
 		string_row := []string{}
+		if len(*columns) == 0 {
+			members := scope.GetMembers(row)
+			table.SetHeader(members)
+			columns = &members
+		}
+
 		for _, key := range *columns {
 			cell := ""
-			if value, pres := scope.Associative(row, key); pres {
+			value, pres := scope.Associative(row, key)
+			if pres && !utils.IsNil(value) {
 				switch t := value.(type) {
 				case vfilter.StringProtocol:
 					cell = t.ToString(scope)
@@ -101,11 +102,17 @@ func evalQuery(vql *vfilter.VQL) {
 }
 
 func doExplain(plugin string) {
+	result := vfilter.NewDict()
 	type_map := make(vfilter.TypeMap)
 	scope := vql_subsystem.MakeScope()
 	if pslist_info, pres := scope.Info(&type_map, plugin); pres {
-		vfilter.Debug(pslist_info)
-		vfilter.Debug(type_map)
+		result.Set(plugin+"_info", pslist_info)
+		result.Set("type_map", type_map)
+	}
+
+	s, err := json.MarshalIndent(result, "", " ")
+	if err == nil {
+		os.Stdout.Write(s)
 	}
 }
 

utils/utils.go

@@ -1,5 +1,10 @@
 package utils
 
+import (
+	"reflect"
+)
+
+
 func InString(hay *[]string, needle string) bool {
 	for _, x := range *hay {
 		if x == needle {
@@ -9,3 +14,8 @@ func InString(hay *[]string, needle string) bool {
 
 	return false
 }
+
+func IsNil(a interface{}) bool {
+  defer func() { recover() }()
+  return a == nil || reflect.ValueOf(a).IsNil()
+}

vql/filesystem.go

@@ -4,16 +4,16 @@ import (
 	"context"
 	"github.com/shirou/gopsutil/disk"
 	"www.velocidex.com/golang/velociraptor/glob"
+	utils "www.velocidex.com/golang/velociraptor/testing"
 	"www.velocidex.com/golang/vfilter"
-	//	utils 	"www.velocidex.com/golang/velociraptor/testing"
 )
 
 type GlobPlugin struct{}
 
 func (self GlobPlugin) Call(
 	ctx context.Context,
 	scope *vfilter.Scope,
-	args vfilter.Dict) <-chan vfilter.Row {
+	args *vfilter.Dict) <-chan vfilter.Row {
 	globber := make(glob.Globber)
 	output_chan := make(chan vfilter.Row)
 
@@ -29,11 +29,11 @@ func (self GlobPlugin) Call(
 				case string:
 					globber.Add(item_t, "/")
 				default:
-					vfilter.Debug("Unsupported arg type")
+					utils.Debug("Unsupported arg type")
 				}
 			}
 		default:
-			vfilter.Debug("Unsupported args")
+			utils.Debug("Unsupported args")
 		}
 	} else {
 		// If no args specified just glob *
@@ -77,7 +77,7 @@ func (self GlobPlugin) Info(type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 func MakeFilesystemsPlugin() vfilter.GenericListPlugin {
 	return vfilter.GenericListPlugin{
 		PluginName: "filesystems",
-		Function: func(args vfilter.Dict) []vfilter.Row {
+		Function: func(args *vfilter.Dict) []vfilter.Row {
 			var result []vfilter.Row
 			partitions, err := disk.Partitions(true)
 			if err == nil {

vql/info.go

@@ -8,7 +8,7 @@ import (
 func MakeInfoPlugin() vfilter.GenericListPlugin {
 	return vfilter.GenericListPlugin{
 		PluginName: "info",
-		Function: func(args vfilter.Dict) []vfilter.Row {
+		Function: func(args *vfilter.Dict) []vfilter.Row {
 			var result []vfilter.Row
 			if info, err := host.Info(); err == nil {
 				result = append(result, info)

vql/process.go

@@ -34,7 +34,6 @@ func (self _ProcessFieldImpl) Associative(
 
 func (self _ProcessFieldImpl) GetMembers(scope *vfilter.Scope, a vfilter.Any) []string {
 	var result []string
-
 	for _, item := range (vfilter.DefaultAssociative{}).GetMembers(scope, a) {
 		if !utils.InString(&_BlockedMembers, item) {
 			result = append(result, item)
@@ -47,7 +46,7 @@ func (self _ProcessFieldImpl) GetMembers(scope *vfilter.Scope, a vfilter.Any) []
 func MakePslistPlugin() vfilter.GenericListPlugin {
 	return vfilter.GenericListPlugin{
 		PluginName: "pslist",
-		Function: func(args vfilter.Dict) []vfilter.Row {
+		Function: func(args *vfilter.Dict) []vfilter.Row {
 			var result []vfilter.Row
 			processes, err := process.Processes()
 			if err == nil {

vql/regexparser.go

@@ -9,15 +9,15 @@ import (
 	"www.velocidex.com/golang/vfilter"
 )
 
-func _ParseFileWithRegex(args vfilter.Dict) []vfilter.Row {
+func _ParseFileWithRegex(args *vfilter.Dict) []vfilter.Row {
 	var result []vfilter.Row
-	filename, ok := vfilter.ExtractString("file", &args)
+	filename, ok := vfilter.ExtractString("file", args)
 	if !ok {
 		return result
 	}
 
 	utils.Debug(filename)
-	regexps, ok := vfilter.ExtractStringArray("regex", &args)
+	regexps, ok := vfilter.ExtractStringArray("regex", args)
 	if !ok {
 		return result
 	}

vql/upload.go

@@ -0,0 +1,43 @@
+package vql
+
+import (
+	"www.velocidex.com/golang/vfilter"
+)
+
+// The upload plugin is a passthrough plugin which uploads the files
+// to the server.
+
+// Args:
+//   - hits: A series of rows to upload. These are typically
+//      subselects. The rows will be passed directly to the output of
+//      the plugin.
+
+// Example:
+//   SELECT * from upload(hits= { SELECT FullPath FROM glob(globs=['/tmp/*.txt']) })
+
+func MakeUploaderPlugin() vfilter.GenericListPlugin {
+	plugin := vfilter.GenericListPlugin{
+		PluginName: "upload",
+		RowType:    nil,
+	}
+
+	plugin.Function = func(args *vfilter.Dict) []vfilter.Row {
+		var result []vfilter.Row
+		// Extract the glob from the args.
+		hits, ok := args.Get("hits")
+		if ok {
+			switch t := hits.(type) {
+			case []vfilter.Any:
+				for _, item := range t {
+					plugin.RowType = item
+					result = append(result, item)
+				}
+			default:
+				return result
+			}
+		}
+		return result
+	}
+
+	return plugin
+}

vql/users.go

@@ -9,7 +9,7 @@ import (
 func MakeUsersPlugin() vfilter.GenericListPlugin {
 	return vfilter.GenericListPlugin{
 		PluginName: "users",
-		Function: func(args vfilter.Dict) []vfilter.Row {
+		Function: func(args *vfilter.Dict) []vfilter.Row {
 			var result []vfilter.Row
 			if users, err := host.Users(); err == nil {
 				for _, item := range users {
@@ -25,7 +25,7 @@ func MakeUsersPlugin() vfilter.GenericListPlugin {
 func MakeConnectionsPlugin() vfilter.GenericListPlugin {
 	return vfilter.GenericListPlugin{
 		PluginName: "connections",
-		Function: func(args vfilter.Dict) []vfilter.Row {
+		Function: func(args *vfilter.Dict) []vfilter.Row {
 			var result []vfilter.Row
 			if cons, err := net.Connections("all"); err == nil {
 				for _, item := range cons {

vql/vql.go

@@ -22,6 +22,7 @@ func MakeScope() *vfilter.Scope {
 		GlobPlugin{},
 		MakeRegexParserPlugin(),
 		MakeFilesystemsPlugin(),
+		MakeUploaderPlugin(),
 	).AddProtocolImpl(
 		_ProcessFieldImpl{},
 	)