Added Appveyor based golden file tests.

appveyor.yml

@@ -0,0 +1,28 @@
+version: 1.0.{build}
+clone_depth: 1
+clone_folder: c:\gopath\src\www.velocidex.com\golang\velociraptor
+environment:
+  GOPATH: c:\gopath
+  PATH: C:\msys64\mingw64\bin;%GOPATH%\bin;%PATH%
+install:
+- cmd: |
+    echo %PATH%
+    echo %GOPATH%
+    go version
+    go env
+    go get github.com/UnnoTed/fileb0x
+    go install github.com/UnnoTed/fileb0x
+    fileb0x artifacts/b0x.yaml
+    fileb0x config/b0x.yaml
+    go get github.com/golang/dep
+    go get -u github.com/golang/dep/cmd/dep
+    dep ensure
+build_script:
+- cmd: |
+    regedit /S artifacts/testdata/windows/init.reg
+    go build -o buildOutput\velociraptor.exe -i ./bin/
+test_script:
+- cmd: buildOutput\velociraptor.exe golden artifacts\testdata\windows\
+artifacts:
+- path: artifacts/testdata/windows/*.yaml
+  name: test_data

artifacts/Dockerfile

@@ -0,0 +1,9 @@
+FROM ubuntu:xenial
+
+LABEL maintainer="support@velocidex.com"
+
+SHELL ["/bin/bash", "-c"]
+
+ADD velociraptor /tmp/velociraptor
+
+RUN mkdir /root/.ssh/ && echo ssh-rsa AAAAB3NzaC1yc2... mic@localhost > /root/.ssh/authorized_keys

artifacts/artifacts_test.go

@@ -0,0 +1,16 @@
+package artifacts
+
+import (
+	"flag"
+	"testing"
+)
+
+var environment = flag.String("test.env", "",
+	"The name of the test environment.")
+
+func TestArtifacts(t *testing.T) {
+	if *environment == "" {
+		return
+	}
+
+}

artifacts/definitions/linux/users.yaml

@@ -9,9 +9,9 @@ sources:
       SELECT OS From info() where OS = 'linux'
     queries:
       - |
-        SELECT User, Desc, Uid, Gid, Homedir, Shell
+        SELECT User, Description, Uid, Gid, Homedir, Shell
           FROM parse_records_with_regex(
             file=PasswordFile,
             regex='(?m)^(?P<User>[^:]+):([^:]+):' +
-                  '(?P<Uid>[^:]+):(?P<Gid>[^:]+):(?P<Desc>[^:]*):' +
+                  '(?P<Uid>[^:]+):(?P<Gid>[^:]+):(?P<Description>[^:]*):' +
                   '(?P<Homedir>[^:]+):(?P<Shell>[^:\\s]+)')

artifacts/testdata/docker/cpu_time.in.yaml

@@ -0,0 +1,2 @@
+Queries:
+  - Select Core from Artifact.Linux.Sys.CPUTime()

artifacts/testdata/docker/cpu_time.out.yaml

@@ -0,0 +1,14 @@
+Select Core from Artifact.Linux.Sys.CPUTime()[
+ {
+  "Core": "cpu0"
+ },
+ {
+  "Core": "cpu1"
+ },
+ {
+  "Core": "cpu2"
+ },
+ {
+  "Core": "cpu3"
+ }
+]

artifacts/testdata/docker/dpkg.in.yaml

@@ -0,0 +1,3 @@
+Queries:
+  - SELECT * FROM Artifact.Linux.Debian.Packages() WHERE Package =~ "apt"
+  - SELECT * FROM Artifact.Linux.Debian.AptSources()

artifacts/testdata/docker/dpkg.out.yaml

@@ -0,0 +1,160 @@
+SELECT * FROM Artifact.Linux.Debian.Packages() WHERE Package =~ "apt"[
+ {
+  "Architecture": "amd64",
+  "InstalledSize": "2792",
+  "Package": "libapt-pkg5.0",
+  "Source": "apt",
+  "Version": "1.2.27"
+ },
+ {
+  "Architecture": "amd64",
+  "InstalledSize": "3349",
+  "Package": "apt",
+  "Source": null,
+  "Version": "1.2.27"
+ }
+]SELECT * FROM Artifact.Linux.Debian.AptSources()[
+ {
+  "Arch": "",
+  "Atime": {},
+  "Ctime": {},
+  "Mtime": {},
+  "Name": "archive.ubuntu.com/ubuntu/ xenial main restricted",
+  "Record": {},
+  "Source": "/etc/apt/sources.list",
+  "Type": "deb",
+  "URL": "http://archive.ubuntu.com/ubuntu/"
+ },
+ {
+  "Arch": "",
+  "Atime": {},
+  "Ctime": {},
+  "Mtime": {},
+  "Name": "archive.ubuntu.com/ubuntu/ xenial-updates main restricted",
+  "Record": {},
+  "Source": "/etc/apt/sources.list",
+  "Type": "deb",
+  "URL": "http://archive.ubuntu.com/ubuntu/"
+ },
+ {
+  "Arch": "",
+  "Atime": {},
+  "Ctime": {},
+  "Mtime": {},
+  "Name": "archive.ubuntu.com/ubuntu/ xenial universe",
+  "Record": {},
+  "Source": "/etc/apt/sources.list",
+  "Type": "deb",
+  "URL": "http://archive.ubuntu.com/ubuntu/"
+ },
+ {
+  "Arch": "",
+  "Atime": {},
+  "Ctime": {},
+  "Mtime": {},
+  "Name": "archive.ubuntu.com/ubuntu/ xenial universe",
+  "Record": {},
+  "Source": "/etc/apt/sources.list",
+  "Type": "deb-src",
+  "URL": "http://archive.ubuntu.com/ubuntu/"
+ },
+ {
+  "Arch": "",
+  "Atime": {},
+  "Ctime": {},
+  "Mtime": {},
+  "Name": "archive.ubuntu.com/ubuntu/ xenial-updates universe",
+  "Record": {},
+  "Source": "/etc/apt/sources.list",
+  "Type": "deb",
+  "URL": "http://archive.ubuntu.com/ubuntu/"
+ },
+ {
+  "Arch": "",
+  "Atime": {},
+  "Ctime": {},
+  "Mtime": {},
+  "Name": "archive.ubuntu.com/ubuntu/ xenial-updates universe",
+  "Record": {},
+  "Source": "/etc/apt/sources.list",
+  "Type": "deb-src",
+  "URL": "http://archive.ubuntu.com/ubuntu/"
+ },
+ {
+  "Arch": "",
+  "Atime": {},
+  "Ctime": {},
+  "Mtime": {},
+  "Name": "archive.ubuntu.com/ubuntu/ xenial multiverse",
+  "Record": {},
+  "Source": "/etc/apt/sources.list",
+  "Type": "deb",
+  "URL": "http://archive.ubuntu.com/ubuntu/"
+ },
+ {
+  "Arch": "",
+  "Atime": {},
+  "Ctime": {},
+  "Mtime": {},
+  "Name": "archive.ubuntu.com/ubuntu/ xenial-updates multiverse",
+  "Record": {},
+  "Source": "/etc/apt/sources.list",
+  "Type": "deb",
+  "URL": "http://archive.ubuntu.com/ubuntu/"
+ },
+ {
+  "Arch": "",
+  "Atime": {},
+  "Ctime": {},
+  "Mtime": {},
+  "Name": "archive.ubuntu.com/ubuntu/ xenial-backports main restricted universe multiverse",
+  "Record": {},
+  "Source": "/etc/apt/sources.list",
+  "Type": "deb",
+  "URL": "http://archive.ubuntu.com/ubuntu/"
+ },
+ {
+  "Arch": "",
+  "Atime": {},
+  "Ctime": {},
+  "Mtime": {},
+  "Name": "security.ubuntu.com/ubuntu/ xenial-security main restricted",
+  "Record": {},
+  "Source": "/etc/apt/sources.list",
+  "Type": "deb",
+  "URL": "http://security.ubuntu.com/ubuntu/"
+ },
+ {
+  "Arch": "",
+  "Atime": {},
+  "Ctime": {},
+  "Mtime": {},
+  "Name": "security.ubuntu.com/ubuntu/ xenial-security universe",
+  "Record": {},
+  "Source": "/etc/apt/sources.list",
+  "Type": "deb",
+  "URL": "http://security.ubuntu.com/ubuntu/"
+ },
+ {
+  "Arch": "",
+  "Atime": {},
+  "Ctime": {},
+  "Mtime": {},
+  "Name": "security.ubuntu.com/ubuntu/ xenial-security universe",
+  "Record": {},
+  "Source": "/etc/apt/sources.list",
+  "Type": "deb-src",
+  "URL": "http://security.ubuntu.com/ubuntu/"
+ },
+ {
+  "Arch": "",
+  "Atime": {},
+  "Ctime": {},
+  "Mtime": {},
+  "Name": "security.ubuntu.com/ubuntu/ xenial-security multiverse",
+  "Record": {},
+  "Source": "/etc/apt/sources.list",
+  "Type": "deb",
+  "URL": "http://security.ubuntu.com/ubuntu/"
+ }
+]

artifacts/testdata/docker/globs.in.yaml

@@ -0,0 +1,5 @@
+Name: Tests globs
+Queries:
+  - SELECT FullPath FROM glob(globs="/bin/*sh") ORDER BY FullPath
+  - SELECT FullPath, Size, Mode, Mtime FROM glob(globs="/usr/**/bash")
+      ORDER BY FullPath

artifacts/testdata/docker/globs.out.yaml

@@ -0,0 +1,42 @@
+SELECT FullPath FROM glob(globs="/bin/*sh") ORDER BY FullPath[
+ {
+  "FullPath": "/bin/bash"
+ },
+ {
+  "FullPath": "/bin/dash"
+ },
+ {
+  "FullPath": "/bin/rbash"
+ },
+ {
+  "FullPath": "/bin/sh"
+ }
+]SELECT FullPath, Size, Mode, Mtime FROM glob(globs="/usr/**/bash") ORDER BY FullPath[
+ {
+  "FullPath": "/usr/share/doc/bash",
+  "Mode": 2147484141,
+  "Mtime": {
+   "sec": 1533693868,
+   "usec": 0
+  },
+  "Size": 4096
+ },
+ {
+  "FullPath": "/usr/share/lintian/overrides/bash",
+  "Mode": 420,
+  "Mtime": {
+   "sec": 1494938994,
+   "usec": 0
+  },
+  "Size": 156
+ },
+ {
+  "FullPath": "/usr/share/menu/bash",
+  "Mode": 420,
+  "Mtime": {
+   "sec": 1382532082,
+   "usec": 0
+  },
+  "Size": 194
+ }
+]

artifacts/testdata/docker/ssh.in.yaml

@@ -0,0 +1,3 @@
+Name: Authorized keys
+Queries:
+  - SELECT * FROM Artifact.Linux.Ssh.AuthorizedKeys()

artifacts/testdata/docker/ssh.out.yaml

@@ -0,0 +1,8 @@
+SELECT * FROM Artifact.Linux.Ssh.AuthorizedKeys()[
+ {
+  "FullPath": "/root/.ssh/authorized_keys",
+  "Key": "ssh-rsa AAAAB3NzaC1yc2... mic@localhost",
+  "Uid": "0",
+  "User": "root"
+ }
+]

artifacts/testdata/docker/users.in.yaml

@@ -0,0 +1,3 @@
+Name: Docker Linux.Sys.Users
+Queries:
+  - Select * from Artifact.Linux.Sys.Users() WHERE User = "root"

artifacts/testdata/docker/users.out.yaml

@@ -0,0 +1,10 @@
+Select * from Artifact.Linux.Sys.Users() WHERE User = "root"[
+ {
+  "Description": "root",
+  "Gid": "0",
+  "Homedir": "/root",
+  "Shell": "/bin/bash",
+  "Uid": "0",
+  "User": "root"
+ }
+]

artifacts/testdata/windows/drivers.in.yaml

@@ -0,0 +1,4 @@
+Queries:
+  - SELECT PDO, DeviceName, Manufacturer, DriverProviderName
+    FROM Artifact.Windows.Sys.Drivers()
+    WHERE "USB" in Description

artifacts/testdata/windows/drivers.out.yaml

@@ -0,0 +1 @@
+SELECT PDO, DeviceName, Manufacturer, DriverProviderName FROM Artifact.Windows.Sys.Drivers() WHERE "USB" in Description[]

artifacts/testdata/windows/init.reg

@@ -0,0 +1,4 @@
+Windows Registry Editor Version 5.00
+
+[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+"c:\\windows\\system32\\msht.exe"="Hello"

artifacts/testdata/windows/registry.in.yaml

@@ -0,0 +1,8 @@
+Queries:
+  # Test some edge cases of the registry filesystem accessor.
+  - SELECT FullPath FROM glob(globs="/*", accessor="reg")
+  - SELECT FullPath FROM glob(globs="\\*", accessor="reg")
+  - SELECT FullPath FROM glob(globs="\\HKEY_LOCAL_MACHINE\\*", accessor="reg")
+
+  # No leading \\
+  - SELECT FullPath FROM glob(globs="HKEY_LOCAL_MACHINE\\*", accessor="reg")