Artifacts can now import/export other artifacts. (Velocidex#1087)

This allows developing shared code which can be easily used by
different artifacts.

Also included a initial implementation of a Shellbags artifact.

api/notebooks.go

@@ -1077,7 +1077,12 @@ func updateCellContents(
 		// markdown fragments.
 		cell_content, err := reporting.ConvertVQLCellToContent(input)
 		if err != nil {
-			return nil, err
+			// Ignore errors and just treat the whole
+			// thing as VQL - this will fail to render the
+			// comment and just ignore it - it is probably
+			// malformed.
+			cell_content = &reporting.Content{}
+			cell_content.PushVQL(input)
 		}
 
 		for _, fragment := range cell_content.Fragments {

artifacts/definitions/Windows/Forensics/Lnk.yaml

@@ -20,8 +20,7 @@ parameters:
     description: Also upload the link files themselves.
     type: bool
 
-sources:
-  - query: |
+export: |
      LET Profile = '''
      [
       ["ShellLinkHeader", 0, [
@@ -134,17 +133,36 @@ sources:
           "end_bit": 7,
         }],
 
+        ["Subtype", 2, "BitField", {
+           "type": "uint8",
+           "start_bit": 0,
+           "end_bit": 1,
+        }],
+
         # For now only support some common shell bags
         ["ShellBag", 0, "Union", {
            "selector": "x=>x.Type",
             "choices": {
+               "64": "ShellBag0x40",
                "48": "ShellBag0x30",
                "16": "ShellBag0x1f",
                "32": "ShellBag0x20",
             }
         }]
       ]],
 
+      ["ShellBag0x40", 0, [
+         ["Name", 5, "String", {
+            encoding: "utf8",
+         }],
+         ["Description", 0, "Value", {
+             "value": 'x=>dict(
+             Type="NetworkLocation",
+             ShortName=x.Name
+             )'
+         }]
+      ]],
+
       # A LinkInfo stores information about the destination of the link.
       ["LinkInfo", "x=>x.LinkInfoSize", [
         ["Offset", 0, "Value", {"value": "x=>x.StartOf"}],
@@ -279,11 +297,16 @@ sources:
 
       # Volume name
       ["ShellBag0x20", 0, [
-        ["Name", 3, "String"],
-        ["Description", 0, "Value", {
+         ["__Name", 3, "String"],
+         # Name is only valid if the first bit is set.
+         ["Name", 3, "Value", {
+             "value": "x=>if(condition=x.ParentOf.Subtype, then=x.__Name, else='')",
+         }],
+         ["Description", 0, "Value", {
             "value": 'x=>dict(
-              ShortName=x.Name,
-              Type="Volume"
+                LongName=x.Name,
+                ShortName=x.Name,
+                Type="Volume"
             )'
         }]
       ]],
@@ -376,6 +399,8 @@ sources:
      ]
      '''
 
+sources:
+  - query: |
      LET link_files = SELECT parse_binary(
          filename=FullPath,
          profile=Profile, struct="ShellLinkHeader")  AS Parsed,

artifacts/definitions/Windows/Forensics/Shellbags.yaml

@@ -0,0 +1,68 @@
+name: Windows.Forensics.Shellbags
+description: |
+  Windows uses the Shellbag keys to store user preferences for GUI
+  folder display within Windows Explorer.
+
+reference:
+  - https://www.sans.org/blog/computer-forensic-artifacts-windows-7-shellbags/
+
+parameters:
+  - name: MRUGlob
+    type: csv
+    default: |
+      Glob
+      HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\BagMRU\**
+      HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\**
+
+imports:
+  # Link files use the same internal format as shellbags so we import
+  # the profile here.
+  - Windows.Forensics.Lnk
+
+sources:
+  - query: |
+      LET X = SELECT FullPath,
+          parse_binary(profile=Profile, filename=Data.value, accessor="data", struct="ItemIDList") as _Parsed,
+          base64encode(string=Data.value) AS _RawData, ModTime
+      FROM glob(globs=MRUGlob.Glob, accessor="registry")
+      WHERE Data.type = "BINARY" AND Name =~ "[0-9]+"
+
+      LET AllResults <= SELECT FullPath,
+        _Parsed.ShellBag.Description AS Description,
+        _Parsed, _RawData, ModTime
+      FROM X
+
+      // Recursive function to join path components together.
+      LET FormPath(MRUPath, Description) = SELECT * FROM chain(
+        b={
+          SELECT MRUPath AS FullPath, Description,
+              -- Signify unknown component as ?
+              Description.LongName || Description.ShortName || "?" AS Name
+          FROM scope()
+        },
+        c={
+          SELECT * FROM foreach(row={
+            SELECT FullPath, Description
+            FROM AllResults
+            WHERE FullPath = dirname(path=MRUPath, sep="\\")
+            LIMIT 1
+          }, query={
+            SELECT * FROM FormPath(MRUPath=FullPath, Description=Description)
+          })
+        })
+        ORDER BY FullPath
+
+        // Now display all hits and their reconstructed path
+        LET ReconstructedPath = SELECT ModTime, FullPath, Description, {
+           SELECT * FROM FormPath(MRUPath=FullPath, Description=Description)
+        } AS Chain, _RawData, _Parsed
+        FROM AllResults
+
+        SELECT ModTime, FullPath, Description,
+               join(array=Chain.Name, sep=" -> ") AS Path,
+               _RawData, _Parsed
+        FROM ReconstructedPath
+
+column_types:
+  - name: _RawData
+    type: base64

artifacts/definitions/Windows/Sys/Drivers.yaml

@@ -1,10 +1,17 @@
 name: Windows.Sys.Drivers
-description: Details for in-use Windows device drivers. This does not display installed but unused drivers.
+description: |
+  Details for in-use Windows device drivers. This does not display installed but unused drivers.
+
 sources:
   - precondition:
       SELECT OS From info() where OS = 'windows'
-    queries:
-      - |
-        SELECT * from wmi(
-            query="select * from Win32_PnPSignedDriver",
-            namespace="ROOT\\CIMV2")
+    query: |
+       SELECT * from wmi(
+          query="select * from Win32_PnPSignedDriver",
+          namespace="ROOT\\CIMV2")
+
+  - name: RunningDrivers
+    query: |
+       SELECT * from wmi(
+         query="select * from Win32_SystemDriver",
+         namespace="ROOT\\CIMV2")

artifacts/testdata/server/testcases/binary_parsers.out.yaml

@@ -78,6 +78,7 @@ SELECT ModuleName, Timestamp, Functions[1] FROM Artifact.Windows.System.Powershe
       "ItemIDSize": 20,
       "Offset": 78,
       "Type": 16,
+      "Subtype": 1,
       "ShellBag": {
        "Description": {
         "ShortName": "My Computer",
@@ -89,9 +90,11 @@ SELECT ModuleName, Timestamp, Functions[1] FROM Artifact.Windows.System.Powershe
       "ItemIDSize": 25,
       "Offset": 98,
       "Type": 32,
+      "Subtype": 1,
       "ShellBag": {
        "Name": "F:\\",
        "Description": {
+        "LongName": "F:\\",
         "ShortName": "F:\\",
         "Type": "Volume"
        }
@@ -101,21 +104,22 @@ SELECT ModuleName, Timestamp, Functions[1] FROM Artifact.Windows.System.Powershe
       "ItemIDSize": 74,
       "Offset": 123,
       "Type": 48,
+      "Subtype": 1,
       "ShellBag": {
        "Size": 74,
        "Type": 49,
        "SubType": [
         "Directory",
         "Unicode"
        ],
-       "LastModificationTime": "2020-12-14T02:28:18Z",
+       "LastModificationTime": "2020-11-12T01:24:36Z",
        "ShortName": "tmp",
        "Extension": {
         "Size": 56,
         "Version": 9,
         "Signature": "0xbeef0004",
-        "CreateDate": "2020-12-14T02:28:18Z",
-        "LastAccessed": "2020-12-14T02:28:18Z",
+        "CreateDate": "2020-11-12T01:24:36Z",
+        "LastAccessed": "2020-11-12T01:24:36Z",
         "MFTReference": {
          "MFTID": 8651087,
          "SequenceNumber": 0
@@ -127,9 +131,9 @@ SELECT ModuleName, Timestamp, Functions[1] FROM Artifact.Windows.System.Powershe
          "Directory",
          "Unicode"
         ],
-        "Modified": "2020-12-14T02:28:18Z",
-        "LastAccessed": "2020-12-14T02:28:18Z",
-        "CreateDate": "2020-12-14T02:28:18Z",
+        "Modified": "2020-11-12T01:24:36Z",
+        "LastAccessed": "2020-11-12T01:24:36Z",
+        "CreateDate": "2020-11-12T01:24:36Z",
         "ShortName": "tmp",
         "LongName": "tmp",
         "MFTID": 8651087,
@@ -141,6 +145,7 @@ SELECT ModuleName, Timestamp, Functions[1] FROM Artifact.Windows.System.Powershe
       "ItemIDSize": 84,
       "Offset": 197,
       "Type": 48,
+      "Subtype": 0,
       "ShellBag": {
        "Size": 84,
        "Type": 50,

artifacts/testdata/windows/evtx.out.yaml

@@ -275,12 +275,12 @@ SELECT * FROM parse_evtx(filename=srcDir + '/artifacts/testdata/files/Security_1
  }
 ]SELECT EventID, DomainName, UserName, LogonType, SourceIP, Description FROM Artifact.Windows.EventLogs.RDPAuth( Security=srcDir + '/artifacts/testdata/files/RDPAuth_Security.evtx', System= srcDir + '/artifacts/testdata/files/RDPAuth_System.evtx', LocalSessionManager= srcDir + '/artifacts/testdata/files/RDPAuth_LocalSessionManager.evtx', RemoteConnectionManager= srcDir + '/artifacts/testdata/files/RDPAuth_RemoteConnectionManager.evtx') WHERE NOT LogonType = 3 GROUP BY EventID[
  {
-  "EventID": 1149,
-  "DomainName": "null",
+  "EventID": 23,
+  "DomainName": "WINDOMAIN",
   "UserName": "vagrant",
   "LogonType": "null",
-  "SourceIP": "192.168.38.1",
-  "Description": "RDP_INITIATION_SUCCESSFUL"
+  "SourceIP": "null",
+  "Description": "RDP_SESSION_LOGOFF"
  },
  {
   "EventID": 21,
@@ -299,12 +299,12 @@ SELECT * FROM parse_evtx(filename=srcDir + '/artifacts/testdata/files/Security_1
   "Description": "RDP_REMOTE_CONNECTED"
  },
  {
-  "EventID": 23,
-  "DomainName": "WINDOMAIN",
-  "UserName": "vagrant",
+  "EventID": 40,
+  "DomainName": "null",
+  "UserName": "null",
   "LogonType": "null",
   "SourceIP": "null",
-  "Description": "RDP_SESSION_LOGOFF"
+  "Description": "RDP_REMOTE_DISCONNECTED_REASON"
  },
  {
   "EventID": 24,
@@ -323,12 +323,20 @@ SELECT * FROM parse_evtx(filename=srcDir + '/artifacts/testdata/files/Security_1
   "Description": "RDP_REMOTE_RECONNECTION"
  },
  {
-  "EventID": 40,
+  "EventID": 1149,
   "DomainName": "null",
-  "UserName": "null",
+  "UserName": "vagrant",
+  "LogonType": "null",
+  "SourceIP": "192.168.38.1",
+  "Description": "RDP_INITIATION_SUCCESSFUL"
+ },
+ {
+  "EventID": 4647,
+  "DomainName": "WINDOMAIN",
+  "UserName": "vagrant",
   "LogonType": "null",
   "SourceIP": "null",
-  "Description": "RDP_REMOTE_DISCONNECTED_REASON"
+  "Description": "USER_INITIATED_LOGOFF"
  },
  {
   "EventID": 4624,
@@ -345,13 +353,5 @@ SELECT * FROM parse_evtx(filename=srcDir + '/artifacts/testdata/files/Security_1
   "LogonType": 10,
   "SourceIP": "null",
   "Description": "LOGOFF_DISCONNECT"
- },
- {
-  "EventID": 4647,
-  "DomainName": "WINDOMAIN",
-  "UserName": "vagrant",
-  "LogonType": "null",
-  "SourceIP": "null",
-  "Description": "USER_INITIATED_LOGOFF"
  }
 ]

artifacts/testdata/windows/registry.out.yaml

@@ -40,9 +40,6 @@ SELECT FullPath FROM glob(globs="/*", accessor="reg")[
  {
   "FullPath": "\\HKEY_LOCAL_MACHINE\\BCD00000000"
  },
- {
-  "FullPath": "\\HKEY_LOCAL_MACHINE\\DRIVERS"
- },
  {
   "FullPath": "\\HKEY_LOCAL_MACHINE\\HARDWARE"
  },
@@ -59,9 +56,6 @@ SELECT FullPath FROM glob(globs="/*", accessor="reg")[
  {
   "FullPath": "\\HKEY_LOCAL_MACHINE\\BCD00000000"
  },
- {
-  "FullPath": "\\HKEY_LOCAL_MACHINE\\DRIVERS"
- },
  {
   "FullPath": "\\HKEY_LOCAL_MACHINE\\HARDWARE"
  },