Brought back the pool client (Velocidex#2418)

mirwitch · Feb 4, 2023 · e9bc30a · e9bc30a
1 parent e7ec1c1
commit e9bc30a
Show file tree

Hide file tree

Showing 20 changed files with 444 additions and 297 deletions.
diff --git a/actions/events.go b/actions/events.go
@@ -215,12 +215,16 @@ func (self UpdateEventTable) Run(
 	// Start a new query for each event.
 	action_obj := &VQLClientAction{}
 	for _, event := range table.Events {
-		// Name of the query we are running.
+
+		// Name of the query we are running. There must be at least
+		// one query with a name.
 		artifact_name := GetQueryName(event.Query)
-		if artifact_name != "" {
-			logger.Info("<green>Starting</> monitoring query %s", artifact_name)
+		if artifact_name == "" {
+			continue
 		}
 
+		logger.Info("<green>Starting</> monitoring query %s", artifact_name)
+
 		query_responder := responder.NewMonitoringResponder(
 			ctx, config_obj, output_chan, artifact_name)
 
@@ -311,9 +315,13 @@ func InitializeEventTable(
 		config_obj, &actions_proto.VQLEventTable{})
 
 	// When the context is finished, tear down the event table.
-	go func(table *EventTable, ctx context.Context) {
-		<-ctx.Done()
-		table.Close()
+	go func(table *EventTable, service_ctx context.Context) {
+		select {
+		case <-service_ctx.Done():
+			table.Close()
+
+		case <-table.Ctx.Done():
+		}
 	}(GlobalEventTable, service_ctx)
 
 	mu.Unlock()

diff --git a/artifacts/definitions/Windows/Applications/Edge/Favicons.yaml b/artifacts/definitions/Windows/Applications/Edge/Favicons.yaml
@@ -0,0 +1,67 @@
+name: Windows.Applications.Edge.Favicons
+description: |
+  Enumerate the users edge favicons.
+
+  Chrome Favicons are stored in the 'Favicons' SQLite database, within
+  the 'favicons', 'favicon_bitmaps' and 'icon_mapping' tables. Older
+  versions of Chrome stored Favicons in a 'Thumbnails' SQLite
+  database, within the 'favicons' table.
+
+references:
+  - https://www.foxtonforensics.com/browser-history-examiner/chrome-history-location
+
+author: Phill Moore, @phillmoore
+
+parameters:
+  - name: faviconsGlob
+    default: /AppData/Local/Microsoft/Edge/User Data/*/Favicons
+
+  - name: faviconsQuery
+    default: |
+      SELECT favicons.id AS ID,
+             favicon_bitmaps.icon_id AS IconID,
+             favicon_bitmaps.image_data as _image,
+             datetime( favicon_bitmaps.last_updated / 1000000 + ( strftime( '%s', '1601-01-01' ) ), 'unixepoch', 'localtime' ) AS LastUpdated,
+             icon_mapping.page_url AS PageURL,
+             favicons.url AS FaviconURL
+             FROM favicons
+             INNER JOIN icon_mapping
+             INNER JOIN favicon_bitmaps
+             ON icon_mapping.icon_id = favicon_bitmaps.icon_id
+             AND favicons.id = favicon_bitmaps.icon_id
+             ORDER BY favicons.id ASC
+  - name: userRegex
+    default: .
+    type: regex
+
+precondition: |
+  SELECT OS From info() where OS = 'windows'
+
+sources:
+  - query: |
+        LET favicons_files = SELECT * from foreach(
+          row={
+             SELECT Uid, Name AS User,
+                    expand(path=Directory) AS HomeDirectory
+             FROM Artifact.Windows.Sys.Users()
+             WHERE Name =~ userRegex
+          },
+          query={
+             SELECT User, OSPath, Mtime
+             FROM glob(globs=faviconsGlob, root=HomeDirectory)
+          })
+
+        SELECT * FROM foreach(row=favicons_files,
+          query={
+            SELECT ID, IconID, LastUpdated, PageURL, FaviconURL,
+                   upload(accessor="data",
+                          file=_image,
+                          name=format(format="Image%v.png", args=ID)) AS Image
+            FROM sqlite(
+              file=OSPath,
+              query=faviconsQuery)
+          })
+
+column_types:
+- name: Image
+  type: preview_upload
diff --git a/artifacts/proto/artifact.pb.go b/artifacts/proto/artifact.pb.go
diff --git a/artifacts/proto/artifact.proto b/artifacts/proto/artifact.proto
@@ -139,6 +139,10 @@ message Artifact {
             description: "A reference for this artifact."
         }];
 
+    repeated string references = 23 [(sem_type) = {
+            description: "A reference for this artifact."
+        }];
+
     repeated string required_permissions = 13 [(sem_type) = {
             description: "A list of required permissions to collect this artifact."
         }];

diff --git a/bin/pool.go b/bin/pool.go
@@ -1,5 +1,3 @@
-// +build XXXX
-
 /*
    Velociraptor - Dig Deeper
    Copyright (C) 2019-2022 Rapid7 Inc.
@@ -114,9 +112,15 @@ func doPoolClient() error {
 			client_config.Client.WritebackWindows = client_config.Client.WritebackLinux
 			if client_config.Client.LocalBuffer != nil {
 				client_config.Client.LocalBuffer.DiskSize = 0
+
+				// Limit the total size of the ring buffer.
+				client_config.Client.LocalBuffer.MemorySize = 100000
 			}
 			client_config.Client.Concurrency = uint64(*pool_client_concurrency)
 
+			// Disable client info updates in pool clients
+			client_config.Client.ClientInfoUpdateTime = -1
+
 			// Make sure the config is ok.
 			err = crypto_utils.VerifyConfig(client_config)
 			if err != nil {

diff --git a/config/proto/config.pb.go b/config/proto/config.pb.go
diff --git a/config/proto/config.proto b/config/proto/config.proto
@@ -244,7 +244,7 @@ message ClientConfig {
     // server every this many seconds.This helps to keep the server
     // info up to date about each client. This should not be sent too
     // frequently. The default is 1 day (86400 seconds).
-    uint64 client_info_update_time = 40;
+    int64 client_info_update_time = 40;
 }
 
 message APIConfig {