Added autoruns test (Velocidex#88)

* Various bug fixes.

artifacts/artifacts.go

@@ -107,7 +107,7 @@ func (self *Repository) LoadYaml(data string, validate bool) (
 		// By default use the client type.
 		artifact.Type = "client"
 
-	case "client", "client_event", "server", "server_event":
+	case "client", "client_event", "server", "server_event", "internal":
 		// These types are acceptable.
 
 	default:

artifacts/definitions/Reporting/Hunts/Details.yaml

@@ -3,6 +3,8 @@ description: |
   Report details about which client ran each hunt, how long it took
   and if it has completed.
 
+type: SERVER
+
 sources:
   - precondition:
       SELECT server_config FROM scope()

artifacts/definitions/Server/Internal/ArtifactDescription.yaml

@@ -1,5 +1,7 @@
 name: Server.Internal.ArtifactDescription
 
+type: INTERNAL
+
 reports:
   - type: INTERNAL
     template: |

artifacts/definitions/Windows/Sysinternals/Autoruns.yaml

@@ -13,18 +13,24 @@ parameters:
     description: |
       Specify this as the base of the binary store (if empty we use
       the server's public directory).
+  - name: AutorunArgs
+    description: |
+      A space separated list of args to run with.
+    default: |
+      -nobanner -accepteula -t -a * -c *
 
 sources:
   - queries:
       # Get the path to the binary.
       - |
-        LET bin = SELECT * FROM Artifact.Windows.Utils.FetchBinary(
-              ToolName="Autorun")
+        LET bin <= SELECT * FROM Artifact.Windows.Utils.FetchBinary(
+              binaryURL=binaryURL, ToolName="Autorun")
 
       # Call the binary and return all its output in a single row.
       - |
-        LET output = SELECT * FROM execve(argv=[(bin[0]).FullPath, "-nobanner",
-           "-t", "-a", "*", "-c", "*"], length=10000000)
+        LET output = SELECT * FROM execve(argv=(bin[0]).FullPath +
+           split(string=AutorunArgs, sep=" "),
+           length=10000000)
 
       # Parse the CSV output and return it as rows. We can filter this further.
       - |

artifacts/definitions/Windows/Utils/DownloadBinaries.yaml

@@ -24,16 +24,18 @@ sources:
   - queries:
       - LET binpath <= SELECT server_config.Frontend.public_path AS Path FROM scope()
       - LET spec = SELECT * FROM parse_csv(filename=binaryList, accessor="data")
-      - LET download = SELECT Tool, Type,
+      - |
+        LET download = SELECT Tool, Type,
             Content AS FullPath,
             hash(path=Content) as Hash,
-            copy(filename=Content, dest=binpath.Path + "/" + basename(path=URL)),
+            copy(filename=Content, dest=(binpath[0]).Path + "/" + basename(path=URL)),
             URL
         FROM http_client(url=URL, tempfile_extension=".exe")
 
       # Write the inventory file.
-      - SELECT * FROM write_csv(
-          filename=binpath.Path + "/" + "inventory.csv",
+      - |
+        SELECT * FROM write_csv(
+          filename=(binpath[0]).Path + "/" + "inventory.csv",
           query={
              SELECT Tool, Type, basename(path=URL) AS URL, Hash.SHA256 AS ExpectedHash
              FROM foreach(row=spec, query=download)

artifacts/definitions/Windows/Utils/FetchBinary.yaml

@@ -44,8 +44,9 @@ sources:
       # Fetch the inventory from the repository.
       - |
         LET inventory_data = SELECT * FROM http_client(
-           length=1000000,
+           chunk_size=1000000,
            url=(inventory_url[0]).URL + "inventory.csv")
+           WHERE inventory_url
 
       # Parse the inventory: Tool,Type,URL,ExpectedHash
       - |

artifacts/testdata/server/testcases/binary_blobs.in.yaml

@@ -8,8 +8,10 @@ Queries:
 
   # First time we retrive the tool we should bring it from the server.
   - SELECT DownloadStatus, Hash FROM Artifact.Windows.Utils.FetchBinary(
+       ToolName="WinPmem",
        binaryURL="https://storage.googleapis.com/go.velocidex.com/")
 
   # Second time it should be retrieved from the local system cache.
   - SELECT DownloadStatus, Hash FROM Artifact.Windows.Utils.FetchBinary(
+       ToolName="WinPmem",
        binaryURL="https://storage.googleapis.com/go.velocidex.com/")

artifacts/testdata/server/testcases/binary_blobs.out.yaml

@@ -2,22 +2,22 @@ SELECT * FROM switch( b={SELECT Complete FROM execve(argv=["rm", "-f", "/tmp/aut
  {
   "Complete": true
  }
-]SELECT DownloadStatus, Hash FROM Artifact.Windows.Utils.FetchBinary( binaryURL="https://storage.googleapis.com/go.velocidex.com/")[
+]SELECT DownloadStatus, Hash FROM Artifact.Windows.Utils.FetchBinary( ToolName="WinPmem", binaryURL="https://storage.googleapis.com/go.velocidex.com/")[
  {
   "DownloadStatus": "Downloaded",
   "Hash": {
-   "MD5": "6002c7bb0516ebbcba2af0259fce2468",
-   "SHA1": "e2bb955324e7848ccc9240e67d54cec18453cc2e",
-   "SHA256": "bea5da8b6487dac6e0c7ab5a4c6f0dc0c2b89d6870199dc6f75ae425bde896a6"
+   "MD5": "be60b58acd9db3f665faef7f38801bae",
+   "SHA1": "34b42846e62ba5302928611fcbc766f2f101a956",
+   "SHA256": "6ca71c13f98eeed8ffc0a9edb8eea787624b90018bd4f64672439af35c3ec820"
   }
  }
-]SELECT DownloadStatus, Hash FROM Artifact.Windows.Utils.FetchBinary( binaryURL="https://storage.googleapis.com/go.velocidex.com/")[
+]SELECT DownloadStatus, Hash FROM Artifact.Windows.Utils.FetchBinary( ToolName="WinPmem", binaryURL="https://storage.googleapis.com/go.velocidex.com/")[
  {
   "DownloadStatus": "Cached",
   "Hash": {
-   "MD5": "6002c7bb0516ebbcba2af0259fce2468",
-   "SHA1": "e2bb955324e7848ccc9240e67d54cec18453cc2e",
-   "SHA256": "bea5da8b6487dac6e0c7ab5a4c6f0dc0c2b89d6870199dc6f75ae425bde896a6"
+   "MD5": "be60b58acd9db3f665faef7f38801bae",
+   "SHA1": "34b42846e62ba5302928611fcbc766f2f101a956",
+   "SHA256": "6ca71c13f98eeed8ffc0a9edb8eea787624b90018bd4f64672439af35c3ec820"
   }
  }
 ]

artifacts/testdata/windows/autoexec.in.yaml

@@ -0,0 +1,5 @@
+Queries:
+  - SELECT * FROM  Artifact.Windows.Sysinternals.Autoruns(
+         binaryURL="https://storage.googleapis.com/go.velocidex.com/",
+         AutorunArgs="-nobanner -accepteula -a b -c *")
+    WHERE Company =~ "Microsoft"

artifacts/testdata/windows/autoexec.out.yaml

@@ -0,0 +1,30 @@
+SELECT * FROM  Artifact.Windows.Sysinternals.Autoruns( binaryURL="https://storage.googleapis.com/go.velocidex.com/", AutorunArgs="-nobanner -accepteula -a b -c *") WHERE Company =~ "Microsoft"[
+ {
+  "Category": "Boot Execute",
+  "Company": "Microsoft Corporation",
+  "Description": "Auto Check Utility",
+  "Enabled": "enabled",
+  "Entry": "autocheck autochk /q /v *",
+  "Entry Location": "HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\BootExecute",
+  "Image Path": "c:\\windows\\system32\\autochk.exe",
+  "Launch String": "autocheck autochk /q /v *",
+  "Profile": "System-wide",
+  "Version": "6.3.9600.17031",
+  "_Source": "Windows.Sysinternals.Autoruns",
+  "Time": "2/22/2014 12:17 PM"
+ },
+ {
+  "Category": "Boot Execute",
+  "Company": "Microsoft Corporation",
+  "Description": "Service Control Manager Extension DLL for non-minwin",
+  "Enabled": "enabled",
+  "Entry": "%systemroot%\\system32\\scext.dll",
+  "Entry Location": "HKLM\\System\\CurrentControlSet\\Control\\ServiceControlManagerExtension",
+  "Image Path": "c:\\windows\\system32\\scext.dll",
+  "Launch String": "%systemroot%\\system32\\scext.dll",
+  "Profile": "System-wide",
+  "Version": "6.3.9600.17415",
+  "_Source": "Windows.Sysinternals.Autoruns",
+  "Time": "10/29/2014 1:28 AM"
+ }
+]

artifacts/testdata/windows/registry.out.yaml

@@ -164,6 +164,10 @@ SELECT FullPath FROM glob(globs="/*", accessor="reg")[
   "_Source": "Windows.System.Amcache/InventoryApplicationFile"
  }
 ]SELECT User, ProgramName FROM Artifact.Windows.Registry.Sysinternals.Eulacheck()[
+ {
+  "ProgramName": "AutoRuns",
+  "User": "appveyor"
+ },
  {
   "ProgramName": "PsExec",
   "User": "appveyor"

bin/installer_darwin.go

@@ -73,8 +73,10 @@ func doInstall() error {
 	logger := logging.GetLogger(config_obj, &logging.ClientComponent)
 	target_path := os.ExpandEnv(config_obj.Client.DarwinInstaller.InstallPath)
 
+	ctx := context.Background()
+
 	// Try to copy the executable to the target_path.
-	err = utils.CopyFile(executable, target_path, 0755)
+	err = utils.CopyFile(ctx, executable, target_path, 0755)
 	if err != nil && os.IsNotExist(errors.Cause(err)) {
 		dirname := filepath.Dir(target_path)
 		logger.Info("Attempting to create intermediate directory %s.",
@@ -83,7 +85,7 @@ func doInstall() error {
 		if err != nil {
 			return errors.Wrap(err, "Create intermediate directories")
 		}
-		err = utils.CopyFile(executable, target_path, 0755)
+		err = utils.CopyFile(ctx, executable, target_path, 0755)
 	}
 	if err != nil {
 		return errors.Wrap(err, "Cant copy binary into destination dir.")
@@ -100,7 +102,7 @@ func doInstall() error {
 		logger.Info("Copying config to destination %s",
 			config_target_path)
 
-		err = utils.CopyFile(*config_path, config_target_path, 0755)
+		err = utils.CopyFile(ctx, *config_path, config_target_path, 0755)
 		if err != nil {
 			logger.Info("Cant copy config to destination %s: %v",
 				config_target_path, err)

go.mod

@@ -97,7 +97,7 @@ require (
 	www.velocidex.com/golang/go-prefetch v0.0.0-20190703150313-0469fa2f85cf
 	www.velocidex.com/golang/oleparse v0.0.0-20190327031422-34195d413196
 	www.velocidex.com/golang/regparser v0.0.0-20190625082115-b02dc43c2500
-	www.velocidex.com/golang/vfilter v0.0.0-20190921133825-6aad18636c28
+	www.velocidex.com/golang/vfilter v0.0.0-20190930000641-decf26c12478
 	www.velocidex.com/golang/vtypes v0.0.0-20180924145839-b0d509f8925b
 )
 

go.sum

@@ -426,5 +426,7 @@ www.velocidex.com/golang/regparser v0.0.0-20190625082115-b02dc43c2500 h1:XqZddiA
 www.velocidex.com/golang/regparser v0.0.0-20190625082115-b02dc43c2500/go.mod h1:DVzloLH8L+oF3zma1Jisaat5bGF+4VLggDcYlIp00ns=
 www.velocidex.com/golang/vfilter v0.0.0-20190921133825-6aad18636c28 h1:njnISVF5oBD4FXowoi0Thirl/VCSbott7vyZ4UtgpgU=
 www.velocidex.com/golang/vfilter v0.0.0-20190921133825-6aad18636c28/go.mod h1:4+gqSK0GQ+jF0//IvaXxQ1/vQztTDUMKY946y3sOugI=
+www.velocidex.com/golang/vfilter v0.0.0-20190930000641-decf26c12478 h1:SaY6Qvtm6zHHxgJIDgEpM+COKV6P4X3DND8bnKKfs6A=
+www.velocidex.com/golang/vfilter v0.0.0-20190930000641-decf26c12478/go.mod h1:4+gqSK0GQ+jF0//IvaXxQ1/vQztTDUMKY946y3sOugI=
 www.velocidex.com/golang/vtypes v0.0.0-20180924145839-b0d509f8925b h1:z5v5o1dhtzaxvlWm6qSTYZ4OTr56Ol2JpM1Y5Wu9zQE=
 www.velocidex.com/golang/vtypes v0.0.0-20180924145839-b0d509f8925b/go.mod h1:tXxIx8UJuI81Hoxcv0DTq2a1Pi1H6l1uCf4dhqUSUkw=

gui/static/angular-components/hunt/hunt-results-directive.js

@@ -28,6 +28,7 @@ const HuntResultsController = function(
     this.selectedArtifact;
 
   $scope.$watch('hunt.hunt_id', this.onHuntIdChange.bind(this));
+  $scope.$watch('controller.selectedArtifact', this.onHuntIdChange.bind(this));
 };
 
 
@@ -44,7 +45,7 @@ HuntResultsController.prototype.onHuntIdChange = function(huntId) {
     this.artifactNames = this.scope_.hunt.artifact_sources;
 
     if (angular.isDefined(this.artifactNames) &&
-        this.artifactNames.length > 0) {
+        this.artifactNames.length > 0 && !this.selectedArtifact) {
         this.selectedArtifact = this.artifactNames[0];
     }
     this.queryParams = {'hunt_id': this.scope_.huntId,