diff --git a/api/reflect.go b/api/reflect.go
index 49b05218967..b2f865413fe 100644
--- a/api/reflect.go
+++ b/api/reflect.go
@@ -28,6 +28,7 @@ import (
 	"www.velocidex.com/golang/velociraptor/services"
 	vql_subsystem "www.velocidex.com/golang/velociraptor/vql"
 	"www.velocidex.com/golang/vfilter"
+	"www.velocidex.com/golang/vfilter/types"
 )
 
 var (
@@ -53,7 +54,7 @@ func (self *ApiServer) GetKeywordCompletions(
 	scope := vql_subsystem.MakeScope()
 	defer scope.Close()
 
-	type_map := vfilter.NewTypeMap()
+	type_map := types.NewTypeMap()
 	info := scope.Describe(type_map)
 
 	for _, item := range info.Functions {
@@ -94,14 +95,16 @@ func (self *ApiServer) GetKeywordCompletions(
 	return result, nil
 }
 
-func getArgDescriptors(arg_type string, type_map *vfilter.TypeMap,
-	scope *vfilter.Scope) []*api_proto.ArgDescriptor {
+func getArgDescriptors(
+	arg_type string,
+	type_map *vfilter.TypeMap,
+	scope vfilter.Scope) []*api_proto.ArgDescriptor {
 	args := []*api_proto.ArgDescriptor{}
 	arg_desc, pres := type_map.Get(scope, arg_type)
 	if pres && arg_desc != nil && arg_desc.Fields != nil {
 		for _, k := range arg_desc.Fields.Keys() {
 			v_any, _ := arg_desc.Fields.Get(k)
-			v, ok := v_any.(*vfilter.TypeReference)
+			v, ok := v_any.(*types.TypeReference)
 			if !ok {
 				continue
 			}
diff --git a/artifacts/definitions/Admin/Client/Upgrade.yaml b/artifacts/definitions/Admin/Client/Upgrade.yaml
index 3de72e7f697..2d39294c277 100644
--- a/artifacts/definitions/Admin/Client/Upgrade.yaml
+++ b/artifacts/definitions/Admin/Client/Upgrade.yaml
@@ -15,7 +15,8 @@ tools:
 
 parameters:
   - name: SleepDuration
-    default: 600
+    default: "600"
+    type: int
     description: |
       The MSI file is typically very large and we do not want to
       overwhelm the server so we stagger the download over this many
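Review bot: `getArgDescriptors` now takes `scope vfilter.Scope` next to `type_map *vfilter.TypeMap`, while its body asserts `*types.TypeReference` and the caller in `GetKeywordCompletions` passes `types.NewTypeMap()`; that only compiles if `vfilter.TypeMap` is an alias of `types.TypeMap`, which this diff does not show. The same commit spells the same pair `scope types.Scope, type_map *types.TypeMap` in bin/vql.go (`formatPlugins`, `formatFunctions`) and keeps `*vfilter.TypeMap` in the `Info` method of services/repository/plugin.go, so three files now name the same type three ways. Settling on one spelling, for example `type_map *types.TypeMap,` here and in `Info`, would stop the two packages drifting apart. `GetKeywordCompletions` starts and ends outside its hunks.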
@@ -26,7 +27,11 @@ sources: SELECT OS From info() where OS = 'windows' query: | - LET bin <= SELECT * FROM Artifact.Generic.Utils.FetchBinary( + // Force the file to be copied to the real temp directory since + // we are just about to remove the Tools directory. + LET bin <= SELECT copy(filename=FullPath, + dest=expand(path="%SYSTEMROOT%\\Temp\\") + basename(path=FullPath)) AS Dest + FROM Artifact.Generic.Utils.FetchBinary( ToolName="WindowsMSI", IsExecutable=FALSE, SleepDuration=SleepDuration) @@ -35,6 +40,6 @@ sources: SELECT * FROM foreach(row=bin, query={ SELECT * FROM execve( - argv=["msiexec.exe", "/i", FullPath, "/q"], + argv=["msiexec.exe", "/i", Dest, "/q"], length=10000000) }) diff --git a/artifacts/definitions/Windows/Applications/TeamViewer/Incoming.yaml b/artifacts/definitions/Windows/Applications/TeamViewer/Incoming.yaml index c8b5b1e7ef9..cba76aaae44 100644 --- a/artifacts/definitions/Windows/Applications/TeamViewer/Incoming.yaml +++ b/artifacts/definitions/Windows/Applications/TeamViewer/Incoming.yaml @@ -73,10 +73,11 @@ sources: AND Record.TeamViewerID =~ TeamViewerIDRegex AND Record.SourceHost =~ SourceHostRegex AND Record.User =~ UserRegex - AND ( timestamp(epoch=Record.StartTime) < DateBeforeTime - AND timestamp(epoch=Record.StartTime) > DateAfterTime) - AND ( timestamp(epoch=Record.EndTime) < DateBeforeTime - AND timestamp(epoch=Record.EndTime) > DateAfterTime ) + AND timestamp(epoch=Record.StartTime) < DateBeforeTime + AND timestamp(epoch=Record.StartTime) > DateAfterTime + AND timestamp(epoch=Record.EndTime) < DateBeforeTime + AND timestamp(epoch=Record.EndTime) > DateAfterTime + }) -- include VSS in calculation and deduplicate with GROUP BY by file diff --git a/artifacts/definitions/Windows/Remediation/Sinkhole.yaml b/artifacts/definitions/Windows/Remediation/Sinkhole.yaml index 78108ab0d18..c62d8f708ac 100644 --- a/artifacts/definitions/Windows/Remediation/Sinkhole.yaml +++ b/artifacts/definitions/Windows/Remediation/Sinkhole.yaml 
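Review bot: `Dest`, the return value of `copy()`, is handed straight to `execve(argv=["msiexec.exe", "/i", Dest, "/q"], ...)` in the `@@ -35,6 +40,6` hunk with no check that the copy produced a file, so a failed or partial copy still launches the installer with whatever `copy()` returned. Adding `WHERE Dest` to the `LET bin` query, or a `stat(filename=Dest)` guard inside the `foreach`, would make the install step conditional on the copy having succeeded. `%SYSTEMROOT%\Temp\` is a shared directory and whether `copy()` overwrites a pre-existing file of the same name is not visible from this hunk; confirming that, and extending the comment above the `LET` to say that the installer is then executed from that copy, would help the next reader.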
@@ -59,12 +59,14 @@ sources: -- Check for backup to determine if sinkhole applied LET check_backup = SELECT FullPath FROM stat(filename=HostsFileBackup) + WHERE log(message="Found backup at " + FullPath) -- Backup old config LET backup = copy(filename=HostsFile,dest=HostsFileBackup) -- Restore old config LET restore = SELECT * FROM chain( + z=log(message="Will restore from backup"), a=copy(filename=HostsFileBackup,dest=HostsFile), b={ SELECT * @@ -159,18 +161,23 @@ sources: LET HostsData = join(array=build_lines.Line,sep='\r\n') -- Force start of backup or restore if applicable - LET backup_restore <= if(condition= RestoreBackup, - then= if(condition= check_backup, - then= restore, - else= log(message='Can not restore hosts file as backup does not exist.')), - else= if(condition= check_backup, - then={ - SELECT * FROM chain( - a= log(message='Backup hosts file already exists.'), - b= restore) - }, - else= backup) - ) + LET backup_restore <= if( + condition= RestoreBackup AND log(message="Will attempt to restore backup"), + then= if( + condition= check_backup, + then= restore, + -- then= { SELECT * FROM restore }, + else= log(message='Can not restore hosts file as backup does not exist.')), + + else= if( + condition= check_backup, + then={ + SELECT * FROM chain( + a= log(message='Backup hosts file already exists.'), + b= restore) + }, + else= backup) + ) -- Do kick off logic LET do_it <= SELECT * FROM if(condition= NOT RestoreBackup, @@ -179,7 +186,6 @@ sources: a= log(message='Adding hosts entries.'), b= write(DataBlob=HostsData), c= flushdns - )}) -- Finally show resultant HostsFile diff --git a/artifacts/testdata/server/testcases/artifacts.in.yaml b/artifacts/testdata/server/testcases/artifacts.in.yaml index 54886097ff5..277cd582d1e 100644 --- a/artifacts/testdata/server/testcases/artifacts.in.yaml +++ b/artifacts/testdata/server/testcases/artifacts.in.yaml 
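Review bot: The new `if()` in the `@@ -159,18 +161,23` hunk carries a commented-out alternative, `-- then= { SELECT * FROM restore },`, directly under the live `then= restore,`; a dead option inside a shipped remediation artifact is confusing, so drop it or replace it with a one-line note on why `restore` is passed directly. Both `WHERE log(message="Found backup at " + FullPath)` on `check_backup` and `condition= RestoreBackup AND log(message="Will attempt to restore backup")` use `log()` for its side effect and depend on it evaluating truthy; a short comment such as `-- log() is used here only for its side effect and must stay truthy` would make that explicit, since the restore path silently never runs if it does not hold. The `@@ -179,7 +186,6` hunk removes a `)})` line whose matching `LET do_it` opens outside the hunk, so bracket balance of that query cannot be checked from here.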
@@ -9,6 +9,15 @@ Queries: env=dict(Device ='C:', VSSAnalysis='Y', KapeTriage='Y')).request AS Flow FROM scope() + # Schedule using a new style spec decleration. + - SELECT collect_client( + client_id='C.11a3013ccaXXXXX', + artifacts='Windows.KapeFiles.Targets', + spec=dict(`Windows.KapeFiles.Targets`=dict( + Device ='C:', VSSAnalysis='Y', KapeTriage='Y'))).request AS Flow + FROM scope() + + # Check that artifact_definitions work - SELECT name FROM artifact_definitions(names='Windows.KapeFiles.Targets') ORDER BY name diff --git a/artifacts/testdata/server/testcases/artifacts.out.yaml b/artifacts/testdata/server/testcases/artifacts.out.yaml index cbfc60df744..4acad842290 100644 --- a/artifacts/testdata/server/testcases/artifacts.out.yaml +++ b/artifacts/testdata/server/testcases/artifacts.out.yaml @@ -43,6 +43,44 @@ SELECT * FROM uploads(client_id='C.4f5e52adf0a337a9', flow_id='F.BN2HJCPOF5U7U') "compiled_collector_args": [] } } +]SELECT collect_client( client_id='C.11a3013ccaXXXXX', artifacts='Windows.KapeFiles.Targets', spec=dict(`Windows.KapeFiles.Targets`=dict( Device ='C:', VSSAnalysis='Y', KapeTriage='Y'))).request AS Flow FROM scope()[ + { + "Flow": { + "creator": "", + "client_id": "C.11a3013ccaXXXXX", + "urgent": false, + "artifacts": [ + "Windows.KapeFiles.Targets" + ], + "specs": [ + { + "artifact": "Windows.KapeFiles.Targets", + "parameters": { + "env": [ + { + "key": "Device", + "value": "C:" + }, + { + "key": "VSSAnalysis", + "value": "Y" + }, + { + "key": "KapeTriage", + "value": "Y" + } + ] + } + } + ], + "ops_per_second": 0, + "timeout": 0, + "max_rows": 0, + "max_upload_bytes": 0, + "allow_custom_overrides": false, + "compiled_collector_args": [] + } + } ]SELECT name FROM artifact_definitions(names='Windows.KapeFiles.Targets') ORDER BY name[ { "name": "Windows.Collectors.File" diff --git a/artifacts/testdata/server/testcases/yara.out.yaml b/artifacts/testdata/server/testcases/yara.out.yaml index a68708b1ef6..d6f823b5fe8 100644 
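Review bot: The comment introducing the new `collect_client` test case misspells declaration; it should read `# Schedule using a new style spec declaration.` The case itself only pins the request shape, which the matching artifacts.out.yaml hunk records, so nothing else is needed here.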
--- a/artifacts/testdata/server/testcases/yara.out.yaml +++ b/artifacts/testdata/server/testcases/yara.out.yaml @@ -158,7 +158,7 @@ FROM scope() "Name1", "Name2" ], - "IOCdata": "[]vfilter.Any{\"Foobar\", \"Other Hit\"} [Foobar Other Hit]", + "IOCdata": "[]types.Any{\"Foobar\", \"Other Hit\"} [Foobar Other Hit]", "_Source": "Windows.Detection.RemoteYara.Process" } ]SELECT mock_check(plugin='proc_dump', expected_calls=0), mock_check(function='upload', expected_calls=0), mock_check(plugin="proc_yara", expected_calls=1) FROM scope()[ @@ -189,7 +189,7 @@ FROM scope() "Name1", "Name2" ], - "IOCdata": "[]vfilter.Any{\"Foobar\", \"Other Hit\"} [Foobar Other Hit]", + "IOCdata": "[]types.Any{\"Foobar\", \"Other Hit\"} [Foobar Other Hit]", "_Source": "Windows.Detection.RemoteYara.Process" } ]SELECT mock_check(plugin='proc_dump', expected_calls=0), mock_check(function='upload', expected_calls=0), mock_check(plugin="proc_yara", expected_calls=1) FROM scope()[ @@ -220,7 +220,7 @@ FROM scope() "Name1", "Name2" ], - "IOCdata": "[]vfilter.Any{\"Foobar\", \"Other Hit\"} [Foobar Other Hit]", + "IOCdata": "[]types.Any{\"Foobar\", \"Other Hit\"} [Foobar Other Hit]", "_Source": "Windows.Detection.RemoteYara.Process" }, { diff --git a/artifacts/utils.go b/artifacts/utils.go index 8b5bb8bceea..0a2eba2f598 100644 --- a/artifacts/utils.go +++ b/artifacts/utils.go @@ -10,7 +10,7 @@ import ( ) // Gets the client config from the scope. -func GetConfig(scope *vfilter.Scope) (*config_proto.ClientConfig, bool) { +func GetConfig(scope vfilter.Scope) (*config_proto.ClientConfig, bool) { scope_config, pres := scope.Resolve(constants.SCOPE_CONFIG) if !pres { return nil, false @@ -23,7 +23,7 @@ func GetConfig(scope *vfilter.Scope) (*config_proto.ClientConfig, bool) { return config, ok } -func GetUploader(scope *vfilter.Scope) (api.Uploader, bool) { +func GetUploader(scope vfilter.Scope) (api.Uploader, bool) { scope_uploader, pres := scope.Resolve(constants.SCOPE_UPLOADER) if !pres { return nil, false 
@@ -37,7 +37,7 @@ func GetUploader(scope *vfilter.Scope) (api.Uploader, bool) { return config, ok } -func GetACLManager(scope *vfilter.Scope) (vql_subsystem.ACLManager, bool) { +func GetACLManager(scope vfilter.Scope) (vql_subsystem.ACLManager, bool) { scope_manager, pres := scope.Resolve(vql_subsystem.ACL_MANAGER_VAR) if !pres { return nil, false diff --git a/bin/artifacts.go b/bin/artifacts.go index 87d35ea4060..7c1b0250502 100644 --- a/bin/artifacts.go +++ b/bin/artifacts.go @@ -174,8 +174,8 @@ func doArtifactCollect() { }() if *trace_vql_flag { - scope.Tracer = logging.NewPlainLogger(config_obj, - &logging.ToolComponent) + scope.SetTracer(logging.NewPlainLogger(config_obj, + &logging.ToolComponent)) } query := ` diff --git a/bin/fs.go b/bin/fs.go index 6e64156b171..9ec23942f36 100644 --- a/bin/fs.go +++ b/bin/fs.go @@ -73,7 +73,7 @@ var ( ) func eval_query( - config_obj *config_proto.Config, format, query string, scope *vfilter.Scope, + config_obj *config_proto.Config, format, query string, scope vfilter.Scope, env *ordereddict.Dict) { if config_obj.ApiConfig != nil && config_obj.ApiConfig.Name != "" { logging.GetLogger(config_obj, &logging.ToolComponent). @@ -87,7 +87,7 @@ func eval_query( func eval_local_query( config_obj *config_proto.Config, format string, - query string, scope *vfilter.Scope) { + query string, scope vfilter.Scope) { vqls, err := vfilter.MultiParse(query) kingpin.FatalIfError(err, "Unable to parse VQL Query") @@ -309,7 +309,7 @@ type FileStoreAccessorFactory struct { config_obj *config_proto.Config } -func (self FileStoreAccessorFactory) New(scope *vfilter.Scope) (glob.FileSystemAccessor, error) { +func (self FileStoreAccessorFactory) New(scope vfilter.Scope) (glob.FileSystemAccessor, error) { return file_store.GetFileStoreFileSystemAccessor(self.config_obj) } diff --git a/bin/query.go b/bin/query.go index a653a466276..8f243733742 100644 --- a/bin/query.go +++ b/bin/query.go 
@@ -63,7 +63,7 @@ var ( ) func outputJSON(ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, vql *vfilter.VQL, out io.Writer) { for result := range vfilter.GetResponseChannel( @@ -76,7 +76,7 @@ func outputJSON(ctx context.Context, } func outputJSONL(ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, vql *vfilter.VQL, out io.Writer) { for result := range vfilter.GetResponseChannel( @@ -89,7 +89,7 @@ func outputJSONL(ctx context.Context, } func outputCSV(ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, vql *vfilter.VQL, out io.Writer) { result_chan := vfilter.GetResponseChannel(vql, ctx, scope, @@ -267,7 +267,7 @@ func doQuery() { ctx := InstallSignalHandler(scope) if *trace_vql_flag { - scope.Tracer = log.New(os.Stderr, "VQL Trace: ", 0) + scope.SetTracer(log.New(os.Stderr, "VQL Trace: ", 0)) } for _, query := range *queries { statements, err := vfilter.MultiParse(query) diff --git a/bin/utils.go b/bin/utils.go index afa2769100d..7678c6969df 100644 --- a/bin/utils.go +++ b/bin/utils.go @@ -32,7 +32,7 @@ import ( vfilter "www.velocidex.com/golang/vfilter" ) -func InstallSignalHandler(scope *vfilter.Scope) context.Context { +func InstallSignalHandler(scope vfilter.Scope) context.Context { // Wait for signal. When signal is received we shut down the // server. diff --git a/bin/vql.go b/bin/vql.go index 5b16f5b2e65..31869828869 100644 --- a/bin/vql.go +++ b/bin/vql.go @@ -27,7 +27,7 @@ import ( "github.com/Velocidex/yaml/v2" kingpin "gopkg.in/alecthomas/kingpin.v2" vql_subsystem "www.velocidex.com/golang/velociraptor/vql" - vfilter "www.velocidex.com/golang/vfilter" + "www.velocidex.com/golang/vfilter/types" ) var ( @@ -43,9 +43,9 @@ var ( ) func formatPlugins( - scope *vfilter.Scope, - info *vfilter.ScopeInformation, - type_map *vfilter.TypeMap) string { + scope types.Scope, + info *types.ScopeInformation, + type_map *types.TypeMap) string { records := make(map[string]string) names := []string{} 
@@ -57,7 +57,7 @@ func formatPlugins( record += "----|-------------|-----\n" for _, k := range arg_desc.Fields.Keys() { v_any, _ := arg_desc.Fields.Get(k) - v, ok := v_any.(*vfilter.TypeReference) + v, ok := v_any.(*types.TypeReference) if !ok { continue } @@ -92,13 +92,13 @@ func formatPlugins( result = append(result, records[name]) } - return strings.Replace(strings.Join(result, "\n"), "vfilter.Any", "Any", -1) + return strings.Replace(strings.Join(result, "\n"), "types.Any", "Any", -1) } func formatFunctions( - scope *vfilter.Scope, - info *vfilter.ScopeInformation, - type_map *vfilter.TypeMap) string { + scope types.Scope, + info *types.ScopeInformation, + type_map *types.TypeMap) string { records := make(map[string]string) names := []string{} @@ -110,7 +110,7 @@ func formatFunctions( record += "----|-------------|-----\n" for _, k := range arg_desc.Fields.Keys() { v_any, _ := arg_desc.Fields.Get(k) - v, ok := v_any.(*vfilter.TypeReference) + v, ok := v_any.(*types.TypeReference) if !ok { continue } @@ -145,14 +145,14 @@ func formatFunctions( result = append(result, records[name]) } - return strings.Replace(strings.Join(result, "\n"), "vfilter.Any", "Any", -1) + return strings.Replace(strings.Join(result, "\n"), "types.Any", "Any", -1) } func doVQLList() { scope := vql_subsystem.MakeScope() defer scope.Close() - type_map := vfilter.NewTypeMap() + type_map := types.NewTypeMap() info := scope.Describe(type_map) fmt.Println("VQL Functions") @@ -195,7 +195,7 @@ func doVQLExport() { scope := vql_subsystem.MakeScope() defer scope.Close() - type_map := vfilter.NewTypeMap() + type_map := types.NewTypeMap() info := scope.Describe(type_map) old_data := []*PluginDesc{} @@ -230,7 +230,7 @@ func doVQLExport() { if pres { for _, k := range arg_desc.Fields.Keys() { v_any, _ := arg_desc.Fields.Get(k) - v, ok := v_any.(*vfilter.TypeReference) + v, ok := v_any.(*types.TypeReference) if !ok { continue } 
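Review bot: `formatPlugins` and `formatFunctions` (hunks `@@ -92,13 +92,13` and `@@ -145,14 +145,14`) rewrite the literal `"vfilter.Any"` to `"types.Any"`, so the rendered documentation still depends on the Go package in which `Any` happens to be declared, which is exactly the string this commit had to chase through two functions. Hoisting it into one package-level constant, `const anyTypeName = "types.Any"`, referenced from both return statements would leave a single place to update next time, and `strings.ReplaceAll(strings.Join(result, "\n"), anyTypeName, "Any")` reads better than `Replace(..., -1)`. Both functions start outside the hunks that hold these return statements.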
@@ -275,7 +275,7 @@ func doVQLExport() { if pres { for _, k := range arg_desc.Fields.Keys() { v_any, _ := arg_desc.Fields.Get(k) - v, ok := v_any.(*vfilter.TypeReference) + v, ok := v_any.(*types.TypeReference) if !ok { continue } diff --git a/docs/wix/velociraptor.xml b/docs/wix/velociraptor.xml index f96c044d372..48ed0a8ccbf 100644 --- a/docs/wix/velociraptor.xml +++ b/docs/wix/velociraptor.xml @@ -30,7 +30,7 @@ + Guid='*'> diff --git a/file_store/api/accessor.go b/file_store/api/accessor.go index d6892da8289..661772dc8e0 100644 --- a/file_store/api/accessor.go +++ b/file_store/api/accessor.go @@ -31,7 +31,7 @@ func NewFileStoreFileSystemAccessor( } func (self FileStoreFileSystemAccessor) New( - scope *vfilter.Scope) glob.FileSystemAccessor { + scope vfilter.Scope) glob.FileSystemAccessor { return &FileStoreFileSystemAccessor{self.file_store} } diff --git a/file_store/api/uploader.go b/file_store/api/uploader.go index 05415deb980..18a53a2a6fe 100644 --- a/file_store/api/uploader.go +++ b/file_store/api/uploader.go @@ -26,7 +26,7 @@ type UploadResponse struct { // Provide an uploader capable of uploading any reader object. type Uploader interface { Upload(ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, filename string, accessor string, store_as_name string, @@ -42,7 +42,7 @@ type FileStoreUploader struct { func (self *FileStoreUploader) Upload( ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, filename string, accessor string, store_as_name string, diff --git a/file_store/csv/utils.go b/file_store/csv/utils.go index 9ada9b0bf42..8e832c38333 100644 --- a/file_store/csv/utils.go +++ b/file_store/csv/utils.go 
@@ -86,7 +86,7 @@ func GetCSVReader(ctx context.Context, fd api.FileReader) CSVReader { } -func GetCSVAppender(scope *vfilter.Scope, fd io.Writer, write_headers bool) *CSVWriter { +func GetCSVAppender(scope vfilter.Scope, fd io.Writer, write_headers bool) *CSVWriter { result := &CSVWriter{ row_chan: make(chan vfilter.Row), wg: sync.WaitGroup{}, @@ -153,7 +153,7 @@ func GetCSVAppender(scope *vfilter.Scope, fd io.Writer, write_headers bool) *CSV return result } -func GetCSVWriter(scope *vfilter.Scope, fd api.FileWriter) (*CSVWriter, error) { +func GetCSVWriter(scope vfilter.Scope, fd api.FileWriter) (*CSVWriter, error) { // Seek to the end of the file. length, err := fd.Size() if err != nil { @@ -162,7 +162,7 @@ func GetCSVWriter(scope *vfilter.Scope, fd api.FileWriter) (*CSVWriter, error) { return GetCSVAppender(scope, fd, length == 0), nil } -func EncodeToCSV(scope *vfilter.Scope, v interface{}) (string, error) { +func EncodeToCSV(scope vfilter.Scope, v interface{}) (string, error) { slice := reflect.ValueOf(v) if slice.Type().Kind() != reflect.Slice { return "", errors.New("EncodeToCSV - should be a list of rows") diff --git a/file_store/mysql/mysql.go b/file_store/mysql/mysql.go index 9881ee36d1a..ab5e3805ba0 100644 --- a/file_store/mysql/mysql.go +++ b/file_store/mysql/mysql.go @@ -828,7 +828,7 @@ type SqlFileStoreAccessor struct { file_store *SqlFileStore } -func (self SqlFileStoreAccessor) New(scope *vfilter.Scope) glob.FileSystemAccessor { +func (self SqlFileStoreAccessor) New(scope vfilter.Scope) glob.FileSystemAccessor { return &SqlFileStoreAccessor{self.file_store} } diff --git a/glob/accessor_darwin.go b/glob/accessor_darwin.go index 119d2393c0e..d0e68246170 100644 --- a/glob/accessor_darwin.go +++ b/glob/accessor_darwin.go 
@@ -116,7 +116,7 @@ func (u *OSFileInfo) UnmarshalJSON(data []byte) error { // Real implementation for non windows OSs: type OSFileSystemAccessor struct{} -func (self OSFileSystemAccessor) New(scope *vfilter.Scope) (FileSystemAccessor, error) { +func (self OSFileSystemAccessor) New(scope vfilter.Scope) (FileSystemAccessor, error) { result := &OSFileSystemAccessor{} return result, nil } diff --git a/glob/accessor_linux.go b/glob/accessor_linux.go index 292e3588571..f32aef38d17 100644 --- a/glob/accessor_linux.go +++ b/glob/accessor_linux.go @@ -176,7 +176,7 @@ type OSFileSystemAccessor struct { context *AccessorContext } -func (self OSFileSystemAccessor) New(scope *vfilter.Scope) (FileSystemAccessor, error) { +func (self OSFileSystemAccessor) New(scope vfilter.Scope) (FileSystemAccessor, error) { return &OSFileSystemAccessor{ context: &AccessorContext{ links: make(map[_inode]bool), diff --git a/glob/data.go b/glob/data.go index 11dfd924736..15c3bb82deb 100644 --- a/glob/data.go +++ b/glob/data.go @@ -31,7 +31,7 @@ import ( type DataFilesystemAccessor struct{} -func (self DataFilesystemAccessor) New(scope *vfilter.Scope) (FileSystemAccessor, error) { +func (self DataFilesystemAccessor) New(scope vfilter.Scope) (FileSystemAccessor, error) { return DataFilesystemAccessor{}, nil } diff --git a/glob/factory.go b/glob/factory.go index d4fc77d7947..cc8d2df95dc 100644 --- a/glob/factory.go +++ b/glob/factory.go @@ -56,7 +56,7 @@ type FileSystemAccessor interface { type NullFileSystemAccessor struct{} -func (self NullFileSystemAccessor) New(scope *vfilter.Scope) FileSystemAccessor { +func (self NullFileSystemAccessor) New(scope vfilter.Scope) FileSystemAccessor { return self } @@ -85,7 +85,7 @@ func (self NullFileSystemAccessor) PathJoin(root, stem string) string { return filepath.Join(root, stem) } -func GetAccessor(scheme string, scope *vfilter.Scope) ( +func GetAccessor(scheme string, scope vfilter.Scope) ( FileSystemAccessor, error) { mu.Lock() defer mu.Unlock() 
@@ -108,7 +108,7 @@ func GetAccessor(scheme string, scope *vfilter.Scope) ( // A factory for new accessors type FileSystemAccessorFactory interface { - New(scope *vfilter.Scope) (FileSystemAccessor, error) + New(scope vfilter.Scope) (FileSystemAccessor, error) } func Register(scheme string, accessor FileSystemAccessorFactory) { diff --git a/glob/glob_test.go b/glob/glob_test.go index f4d159d60c7..facbfbc130f 100644 --- a/glob/glob_test.go +++ b/glob/glob_test.go @@ -101,7 +101,7 @@ func TestFnMatchTranslate(t *testing.T) { type MockFileSystemAccessor []string -func (self MockFileSystemAccessor) New(scope *vfilter.Scope) FileSystemAccessor { +func (self MockFileSystemAccessor) New(scope vfilter.Scope) FileSystemAccessor { return self } diff --git a/go.mod b/go.mod index 87e58a37db6..a772f86da04 100644 --- a/go.mod +++ b/go.mod @@ -12,7 +12,7 @@ require ( github.com/Velocidex/ahocorasick v0.0.0-20180712114356-e1c353eeaaee github.com/Velocidex/cgofuse v1.1.2 github.com/Velocidex/go-elasticsearch/v7 v7.3.1-0.20191001125819-fee0ef9cac6b - github.com/Velocidex/go-yara v1.1.10-0.20210105022745-1b550dfa67da // indirect + github.com/Velocidex/go-yara v1.1.10-0.20210105022745-1b550dfa67da github.com/Velocidex/json v0.0.0-20200724131328-8f5c7b0a25ec github.com/Velocidex/ordereddict v0.0.0-20200723153557-9460a6764ab8 github.com/Velocidex/survey v1.8.7-0.20190926071832-2ff99cc7aa49 @@ -116,8 +116,8 @@ require ( www.velocidex.com/golang/go-prefetch v0.0.0-20200722101157-37e4751dd5ca www.velocidex.com/golang/oleparse v0.0.0-20190327031422-34195d413196 www.velocidex.com/golang/regparser v0.0.0-20190625082115-b02dc43c2500 - www.velocidex.com/golang/vfilter v0.0.0-20210106042051-b8120775c47f - www.velocidex.com/golang/vtypes v0.0.0-20201229070616-0b57670f1d00 + www.velocidex.com/golang/vfilter v0.0.0-20210108133703-ae394da3f631 + www.velocidex.com/golang/vtypes v0.0.0-20210108052555-8a27f80edada ) // replace www.velocidex.com/golang/go-pe => /home/mic/projects/go-pe 
diff --git a/go.sum b/go.sum index 6e3da8812db..0b78fe7cabc 100644 --- a/go.sum +++ b/go.sum 
@@ -798,8 +798,11 @@ www.velocidex.com/golang/oleparse v0.0.0-20190327031422-34195d413196 h1:3oYZ7hPN www.velocidex.com/golang/oleparse v0.0.0-20190327031422-34195d413196/go.mod h1:i7M+d4Vxir8nmDACh+c6CsUU1r1Wcj00aRgNp8mXcPQ= www.velocidex.com/golang/regparser v0.0.0-20190625082115-b02dc43c2500 h1:XqZddiAbjPIsTZcEPbqqqABS/ZV5SB7j33eczNsqD60= www.velocidex.com/golang/regparser v0.0.0-20190625082115-b02dc43c2500/go.mod h1:DVzloLH8L+oF3zma1Jisaat5bGF+4VLggDcYlIp00ns= -www.velocidex.com/golang/vfilter v0.0.0-20201229033732-028282d980f6/go.mod h1:XlUeViBwZxeefhxbkxW2oGUVcB/oQfxtBgnxL9jLryg= -www.velocidex.com/golang/vfilter v0.0.0-20210106042051-b8120775c47f h1:1J952zid9zKvc8QWpH52pgpe8uId0wsISNKymVefGv4= -www.velocidex.com/golang/vfilter v0.0.0-20210106042051-b8120775c47f/go.mod h1:EdP5LDT3l9khZVjDVD2YKoDvECi3AW0e0074quDPNpA= -www.velocidex.com/golang/vtypes v0.0.0-20201229070616-0b57670f1d00 h1:9E9t+4d4uMWIdVqMSM13CxOK2828r+xQKqg2GdETfis= -www.velocidex.com/golang/vtypes v0.0.0-20201229070616-0b57670f1d00/go.mod h1:l1FULlPMESSjMrkimRrX0EzriJ+YIKgQAN13YicEI6E= +www.velocidex.com/golang/vfilter v0.0.0-20210108051106-c18c13c24eff h1:00WZKnVVXwsfaV18UNn7iGQMCqQUf0cCFQ2RbbprYns= +www.velocidex.com/golang/vfilter v0.0.0-20210108051106-c18c13c24eff/go.mod h1:EdP5LDT3l9khZVjDVD2YKoDvECi3AW0e0074quDPNpA= +www.velocidex.com/golang/vfilter v0.0.0-20210108115820-9d2b5af22eaa h1:mr3Vj/OQdi2eAOt+itOkYkzMfVRnNEaTRbRJfR2ut0w= +www.velocidex.com/golang/vfilter v0.0.0-20210108115820-9d2b5af22eaa/go.mod h1:EdP5LDT3l9khZVjDVD2YKoDvECi3AW0e0074quDPNpA= +www.velocidex.com/golang/vfilter v0.0.0-20210108133703-ae394da3f631 h1:Z3NY12SqlQg2w3tdXzz8kr4dtE+YmlukKKkSeSQCQHw= +www.velocidex.com/golang/vfilter v0.0.0-20210108133703-ae394da3f631/go.mod h1:EdP5LDT3l9khZVjDVD2YKoDvECi3AW0e0074quDPNpA= +www.velocidex.com/golang/vtypes v0.0.0-20210108052555-8a27f80edada h1:Rtn8RTS/fTxHts5/PrBP7fei2eq4I6tboHyEm3xX0ew= +www.velocidex.com/golang/vtypes v0.0.0-20210108052555-8a27f80edada/go.mod 
h1:fkF6W4t1+qr1Nw51+EhAmCwQp2QtwcyNN1Ghwd1vLBM=
diff --git a/json/wrappers.go b/json/wrappers.go
index bca4fa35d02..38d08c43e18 100644
--- a/json/wrappers.go
+++ b/json/wrappers.go
@@ -27,6 +27,14 @@ func MustMarshalIndent(v interface{}) []byte {
 	return result
 }
 
+func MustMarshalString(v interface{}) string {
+	result, err := Marshal(v)
+	if err != nil {
+		panic(err)
+	}
+	return string(result)
+}
+
 func StringIndent(v interface{}) string {
 	result, err := MarshalIndent(v)
 	if err != nil {
diff --git a/reporting/archive.go b/reporting/archive.go
index 8f3915a7358..d402d00daed 100644
--- a/reporting/archive.go
+++ b/reporting/archive.go
@@ -34,7 +34,7 @@ func (self *Archive) openFile(name string) (io.Reader, error) {
 
 func (self *Archive) ReadArtifactResults(
 	ctx context.Context,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	artifact string) chan *ordereddict.Dict {
 	output_chan := make(chan *ordereddict.Dict)
 
diff --git a/reporting/container.go b/reporting/container.go
index 88350e61da1..0397e70be6c 100644
--- a/reporting/container.go
+++ b/reporting/container.go
@@ -59,7 +59,7 @@ func (self *Container) Create(name string) (io.WriteCloser, error) {
 func (self *Container) StoreArtifact(
 	config_obj *config_proto.Config,
 	ctx context.Context,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	query *actions_proto.VQLRequest,
 	format string) (err error) {
 
@@ -158,7 +158,7 @@ func sanitize(component string) string {
 
 func (self *Container) Upload(
 	ctx context.Context,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	filename string,
 	accessor string,
 	store_as_name string,
diff --git a/reporting/expand.go b/reporting/expand.go
index ca1d9ec75ef..8c6346357cb 100644
--- a/reporting/expand.go
+++ b/reporting/expand.go
@@ -21,7 +21,7 @@ import (
 )
 
 func EvalQueryToTable(ctx context.Context,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	vql *vfilter.VQL,
 	out io.Writer) *tablewriter.Table {
 
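Review bot: `MustMarshalString` is exported but has no doc comment, and because it panics it deserves one that says so: `// MustMarshalString marshals v with Marshal and returns the JSON as a string. It panics if Marshal fails, so it is only for values known to be serialisable.` The neighbouring `MustMarshalIndent` uses the same panic-on-error shape, so the new function is consistent with the file; only the documentation is missing.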
@@ -59,7 +59,7 @@ func EvalQueryToTable(ctx context.Context, type Expansions struct { config_obj *config_proto.Config rows []vfilter.Row - scope *vfilter.Scope + scope vfilter.Scope } // Support a number of expansions in description strings. @@ -119,7 +119,7 @@ func (self *Expansions) Query(queries ...string) string { defer scope.Close() - scope.Logger = log.New(os.Stderr, " ", 0) + scope.SetLogger(log.New(os.Stderr, " ", 0)) for _, query := range queries { vql, err := vfilter.Parse(query) diff --git a/reporting/gui.go b/reporting/gui.go index 392248dd0c7..bdf7f93a3fd 100644 --- a/reporting/gui.go +++ b/reporting/gui.go @@ -531,7 +531,7 @@ func (self *logWriter) Messages() []string { func NewGuiTemplateEngine( config_obj *config_proto.Config, ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, acl_manager vql_subsystem.ACLManager, repository services.Repository, notebook_cell_path_manager *NotebookCellPathManager, @@ -545,7 +545,7 @@ func NewGuiTemplateEngine( } log_writer := &logWriter{} - base_engine.Scope.Logger = log.New(log_writer, "", 0) + base_engine.Scope.SetLogger(log.New(log_writer, "", 0)) template_engine := &GuiTemplateEngine{ BaseTemplateEngine: base_engine, ctx: ctx, diff --git a/reporting/html.go b/reporting/html.go index 5a3761e62e3..e1fb411e2e6 100644 --- a/reporting/html.go +++ b/reporting/html.go @@ -325,7 +325,7 @@ func (self *HTMLTemplateEngine) Messages() []string { func NewHTMLTemplateEngine( config_obj *config_proto.Config, ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, acl_manager vql_subsystem.ACLManager, repository services.Repository, artifact_name string, @@ -340,7 +340,7 @@ func NewHTMLTemplateEngine( } log_writer := &logWriter{} - base_engine.Scope.Logger = log.New(log_writer, "", 0) + base_engine.Scope.SetLogger(log.New(log_writer, "", 0)) template_engine := &HTMLTemplateEngine{ BaseTemplateEngine: base_engine, ctx: ctx, 
diff --git a/reporting/report.go b/reporting/report.go index 9dd5aaaa0fe..8f162abf683 100644 --- a/reporting/report.go +++ b/reporting/report.go @@ -28,7 +28,7 @@ type BaseTemplateEngine struct { Artifact *artifacts_proto.Artifact Env *ordereddict.Dict Repository services.Repository - Scope *vfilter.Scope + Scope vfilter.Scope logger *logging.LogContext config_obj *config_proto.Config } @@ -318,7 +318,7 @@ func GenerateHuntReport(template_engine TemplateEngine, func newBaseTemplateEngine( config_obj *config_proto.Config, - scope *vfilter.Scope, + scope vfilter.Scope, acl_manager vql_subsystem.ACLManager, repository services.Repository, artifact_name string) ( diff --git a/reporting/table.go b/reporting/table.go index 81b19561767..90fbb084a34 100644 --- a/reporting/table.go +++ b/reporting/table.go @@ -8,7 +8,7 @@ import ( "www.velocidex.com/golang/vfilter" ) -func OutputRowsToTable(scope *vfilter.Scope, +func OutputRowsToTable(scope vfilter.Scope, rows []vfilter.Row, out io.Writer) *tablewriter.Table { var columns []string diff --git a/reporting/text_expander.go b/reporting/text_expander.go index b65a499e9a0..7716bef73f0 100644 --- a/reporting/text_expander.go +++ b/reporting/text_expander.go @@ -117,7 +117,7 @@ func (self *TextTemplateEngine) Table(values ...interface{}) string { func NewTextTemplateEngine( config_obj *config_proto.Config, - scope *vfilter.Scope, + scope vfilter.Scope, acl_manager vql_subsystem.ACLManager, repository services.Repository, artifact_name string) (*TextTemplateEngine, error) { diff --git a/services/hunt_manager/hunt_manager.go b/services/hunt_manager/hunt_manager.go index 8da52b94894..a4d16ec9f03 100644 --- a/services/hunt_manager/hunt_manager.go +++ b/services/hunt_manager/hunt_manager.go 
@@ -176,7 +176,7 @@ func (self *HuntManager) StartFlowCompletion( func (self *HuntManager) ProcessFlowCompletion( ctx context.Context, config_obj *config_proto.Config, - scope *vfilter.Scope, + scope vfilter.Scope, row *ordereddict.Dict) { flow := &flows_proto.ArtifactCollectorContext{} @@ -218,7 +218,7 @@ func (self *HuntManager) ProcessFlowCompletion( func (self *HuntManager) ProcessRow( ctx context.Context, config_obj *config_proto.Config, - scope *vfilter.Scope, + scope vfilter.Scope, row *ordereddict.Dict) { participation_row := &ParticipationRecord{} diff --git a/services/interrogation/interrogation.go b/services/interrogation/interrogation.go index 47a72324ebf..2d1732a9bbc 100644 --- a/services/interrogation/interrogation.go +++ b/services/interrogation/interrogation.go @@ -167,7 +167,7 @@ func (self *InterrogationService) Start( return watchForFlowCompletion( ctx, wg, config_obj, "Generic.Client.Info/BasicInformation", - func(ctx context.Context, scope *vfilter.Scope, row *ordereddict.Dict) { + func(ctx context.Context, scope vfilter.Scope, row *ordereddict.Dict) { err := self.ProcessRow(ctx, config_obj, scope, row) if err != nil { logger.Error(fmt.Sprintf("InterrogationService: %v", err)) @@ -178,7 +178,7 @@ func (self *InterrogationService) Start( func (self *InterrogationService) ProcessRow( ctx context.Context, config_obj *config_proto.Config, - scope *vfilter.Scope, row *ordereddict.Dict) error { + scope vfilter.Scope, row *ordereddict.Dict) error { client_id, _ := row.GetString("ClientId") if client_id == "" { return errors.New("Unknown ClientId") diff --git a/services/interrogation/utils.go b/services/interrogation/utils.go index f23bf3751df..ed0d6f30d0c 100644 --- a/services/interrogation/utils.go +++ b/services/interrogation/utils.go 
@@ -23,7 +23,7 @@ func watchForFlowCompletion( config_obj *config_proto.Config, artifact_name string, handler func(ctx context.Context, - scope *vfilter.Scope, row *ordereddict.Dict)) error { + scope vfilter.Scope, row *ordereddict.Dict)) error { journal, err := services.GetJournal() if err != nil { diff --git a/services/repository.go b/services/repository.go index 9af9d1f81e6..bd544392aa9 100644 --- a/services/repository.go +++ b/services/repository.go @@ -125,13 +125,13 @@ type RepositoryManager interface { // Before callers can run VQL queries they need to create a // query scope. This function uses the builder pattern above // to create a new scope. - BuildScope(builder ScopeBuilder) *vfilter.Scope + BuildScope(builder ScopeBuilder) vfilter.Scope // This function is much more expensive than // BuildScope(). Avoids caching plugin definitions - it is // only useful when callers need to manipulate the scope in an // incompatible way - e.g. override a plugin definition. - BuildScopeFromScratch(builder ScopeBuilder) *vfilter.Scope + BuildScopeFromScratch(builder ScopeBuilder) vfilter.Scope // Store the file to the repository. It will be stored in the datastore as well. SetArtifactFile(config_obj *config_proto.Config, principal string, @@ -145,9 +145,9 @@ type RepositoryManager interface { // A helper function to build a new scope from an existing scope. This // is needed in order to isolate the existing scope from the new scope // (e.g. when running a sub-artifact) -func ScopeBuilderFromScope(scope *vfilter.Scope) ScopeBuilder { +func ScopeBuilderFromScope(scope vfilter.Scope) ScopeBuilder { result := ScopeBuilder{ - Logger: scope.Logger, + Logger: scope.GetLogger(), } config_obj, ok := vql_subsystem.GetServerConfig(scope) if ok { diff --git a/services/repository/plugin.go b/services/repository/plugin.go index fc717d57279..66b33bd350f 100644 --- a/services/repository/plugin.go +++ b/services/repository/plugin.go 
@@ -34,6 +34,7 @@ import ( "www.velocidex.com/golang/velociraptor/utils" vql_subsystem "www.velocidex.com/golang/velociraptor/vql" "www.velocidex.com/golang/vfilter" + "www.velocidex.com/golang/vfilter/types" ) const ( @@ -68,7 +69,7 @@ func (self *ArtifactRepositoryPlugin) Print() { // Define vfilter.PluginGeneratorInterface func (self *ArtifactRepositoryPlugin) Call( ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) <-chan vfilter.Row { output_chan := make(chan vfilter.Row) @@ -104,7 +105,7 @@ func (self *ArtifactRepositoryPlugin) Call( artifact_name := self.leaf.Name v, pres := args.Get("source") if pres { - lazy_v, ok := v.(vfilter.LazyExpr) + lazy_v, ok := v.(types.LazyExpr) if ok { v = lazy_v.Reduce() } @@ -175,7 +176,7 @@ func (self *ArtifactRepositoryPlugin) Call( return } - lazy_v, ok := v.(vfilter.LazyExpr) + lazy_v, ok := v.(types.LazyExpr) if ok { v = lazy_v.Reduce() } @@ -214,8 +215,8 @@ func (self *ArtifactRepositoryPlugin) Call( // Create a mostly new scope for executing the new artifact but copy // over some important global variables. func (self *ArtifactRepositoryPlugin) copyScope( - scope *vfilter.Scope, my_name string) ( - *vfilter.Scope, error) { + scope vfilter.Scope, my_name string) ( + vfilter.Scope, error) { env := ordereddict.NewDict() for _, field := range []string{ vql_subsystem.ACL_MANAGER_VAR, @@ -262,7 +263,7 @@ func (self *ArtifactRepositoryPlugin) Name() string { } func (self *ArtifactRepositoryPlugin) Info( - scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo { + scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo { return &vfilter.PluginInfo{ Name: self.Name(), Doc: "A pseudo plugin for accessing the artifacts repository from VQL.", 
@@ -302,7 +303,7 @@ func (self _ArtifactRepositoryPluginAssociativeProtocol) Applicable( } func (self _ArtifactRepositoryPluginAssociativeProtocol) GetMembers( - scope *vfilter.Scope, a vfilter.Any) []string { + scope vfilter.Scope, a vfilter.Any) []string { var result []string value := _getArtifactRepositoryPlugin(a) @@ -315,7 +316,7 @@ func (self _ArtifactRepositoryPluginAssociativeProtocol) GetMembers( } func (self _ArtifactRepositoryPluginAssociativeProtocol) Associative( - scope *vfilter.Scope, a vfilter.Any, b vfilter.Any) (vfilter.Any, bool) { + scope vfilter.Scope, a vfilter.Any, b vfilter.Any) (vfilter.Any, bool) { value := _getArtifactRepositoryPlugin(a) if value == nil { diff --git a/services/repository/scope.go b/services/repository/scope.go index 4c45f8ad7d1..8d57057a3f5 100644 --- a/services/repository/scope.go +++ b/services/repository/scope.go @@ -5,12 +5,13 @@ import ( "github.com/Velocidex/ordereddict" "www.velocidex.com/golang/velociraptor/constants" + "www.velocidex.com/golang/velociraptor/json" "www.velocidex.com/golang/velociraptor/services" vql_subsystem "www.velocidex.com/golang/velociraptor/vql" "www.velocidex.com/golang/vfilter" ) -func _build(wg *sync.WaitGroup, self services.ScopeBuilder, from_scratch bool) *vfilter.Scope { +func _build(wg *sync.WaitGroup, self services.ScopeBuilder, from_scratch bool) vfilter.Scope { env := ordereddict.NewDict() if self.Env != nil { env.MergeFrom(self.Env) @@ -46,7 +47,7 @@ func _build(wg *sync.WaitGroup, self services.ScopeBuilder, from_scratch bool) * env.Set(constants.SCOPE_UPLOADER, self.Uploader) } - var scope *vfilter.Scope + var scope vfilter.Scope if from_scratch { scope = vql_subsystem.MakeNewScope() } else { 
@@ -58,18 +59,23 @@ func _build(wg *sync.WaitGroup, self services.ScopeBuilder, from_scratch bool) * scope.AppendVars(env).AddProtocolImpl( _ArtifactRepositoryPluginAssociativeProtocol{}) - scope.Logger = self.Logger + scope.SetLogger(self.Logger) env.Set(constants.SCOPE_ROOT, scope) + scope.AddDestructor(func() { + scope.Log("Query Stats: %v", json.MustMarshalString( + scope.GetStats().Snapshot())) + }) + return scope } -func (self *RepositoryManager) BuildScope(builder services.ScopeBuilder) *vfilter.Scope { +func (self *RepositoryManager) BuildScope(builder services.ScopeBuilder) vfilter.Scope { return _build(self.wg, builder, false) } func (self *RepositoryManager) BuildScopeFromScratch( - builder services.ScopeBuilder) *vfilter.Scope { + builder services.ScopeBuilder) vfilter.Scope { return _build(self.wg, builder, true) } diff --git a/services/server_artifacts/server_uploader.go b/services/server_artifacts/server_uploader.go index 9414ec2006a..063f934c676 100644 --- a/services/server_artifacts/server_uploader.go +++ b/services/server_artifacts/server_uploader.go @@ -25,7 +25,7 @@ type ServerUploader struct { func (self *ServerUploader) Upload( ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, filename string, accessor string, store_as_name string, diff --git a/services/vfs_service/utils.go b/services/vfs_service/utils.go index 49e9ecbf3da..d160a16545e 100644 --- a/services/vfs_service/utils.go +++ b/services/vfs_service/utils.go @@ -24,7 +24,7 @@ func watchForFlowCompletion( artifact_name string, handler func(ctx context.Context, config_obj *config_proto.Config, - scope *vfilter.Scope, row *ordereddict.Dict)) error { + scope vfilter.Scope, row *ordereddict.Dict)) error { journal, err := services.GetJournal() if err != nil { diff --git a/services/vfs_service/vfs_service.go b/services/vfs_service/vfs_service.go index 1533c93328c..fc2de10a64c 100644 --- a/services/vfs_service/vfs_service.go +++ b/services/vfs_service/vfs_service.go 
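Review bot: The destructor added in `_build` calls `json.MustMarshalString` on `scope.GetStats().Snapshot()`, so a marshalling failure would panic during scope teardown instead of merely losing a log line. The repository package already imports `utils` (see plugin.go), so the closure could begin with `defer utils.CheckForPanic("scope destructor")`, or use a non-panicking marshal if the json package offers one. This also emits a "Query Stats" line for every scope built through `BuildScope`/`BuildScopeFromScratch`, which is presumably intended for top-level queries but may be noisy for sub-artifact scopes; a one-line comment stating that intent above `AddDestructor` would help. The enclosing `_build` function starts outside the hunk.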
@@ -55,7 +55,7 @@ func (self *VFSService) Start( func (self *VFSService) ProcessDownloadFile( ctx context.Context, config_obj *config_proto.Config, - scope *vfilter.Scope, row *ordereddict.Dict) { + scope vfilter.Scope, row *ordereddict.Dict) { defer utils.CheckForPanic("ProcessDownloadFile") @@ -120,7 +120,7 @@ func (self *VFSService) ProcessDownloadFile( func (self *VFSService) ProcessListDirectory( ctx context.Context, config_obj *config_proto.Config, - scope *vfilter.Scope, row *ordereddict.Dict) { + scope vfilter.Scope, row *ordereddict.Dict) { client_id, _ := row.GetString("ClientId") flow_id, _ := row.GetString("FlowId") diff --git a/uploads/client_uploader.go b/uploads/client_uploader.go index 6d17a760002..69f756c412b 100644 --- a/uploads/client_uploader.go +++ b/uploads/client_uploader.go @@ -28,7 +28,7 @@ type VelociraptorUploader struct { func (self *VelociraptorUploader) Upload( ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, filename string, accessor string, store_as_name string, @@ -118,7 +118,7 @@ func (self *VelociraptorUploader) Upload( func (self *VelociraptorUploader) maybeUploadSparse( ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, filename string, accessor string, store_as_name string, diff --git a/uploads/file_based.go b/uploads/file_based.go index 4e02bcc38d5..985c0270a99 100644 --- a/uploads/file_based.go +++ b/uploads/file_based.go @@ -71,7 +71,7 @@ func (self *FileBasedUploader) sanitize_path(path string) string { func (self *FileBasedUploader) Upload( ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, filename string, accessor string, store_as_name string, diff --git a/users/notifications.go b/users/notifications.go index 4f96ef8678f..15503ed6240 100644 --- a/users/notifications.go +++ b/users/notifications.go 
@@ -42,7 +42,7 @@ var ( type UserNotificationManager struct { writers map[string]*csv.CSVWriter config_obj *config_proto.Config - scope *vfilter.Scope + scope vfilter.Scope notification_channel chan *api_proto.UserNotification } diff --git a/utils/panic.go b/utils/panic.go index 642a6d944f2..5349a1e9c57 100644 --- a/utils/panic.go +++ b/utils/panic.go @@ -17,7 +17,7 @@ func CheckForPanic(msg string, vals ...interface{}) { } } -func RecoverVQL(scope *vfilter.Scope) { +func RecoverVQL(scope vfilter.Scope) { r := recover() if r != nil { scope.Log("PANIC: %v\n", r) diff --git a/utils/time.go b/utils/time.go index ac0bc8de14d..ee415a3bc7e 100644 --- a/utils/time.go +++ b/utils/time.go @@ -33,7 +33,7 @@ func (self TimeVal) Time() time.Time { return time.Unix(self.Sec, 0) } -func (self TimeVal) Materialize(ctx context.Context, scope *vfilter.Scope) vfilter.Any { +func (self TimeVal) Materialize(ctx context.Context, scope vfilter.Scope) vfilter.Any { res, _ := self.Time().UTC().MarshalText() return string(res) } diff --git a/utils/utils.go b/utils/utils.go index 4fbf76817df..32addd30fd0 100755 --- a/utils/utils.go +++ b/utils/utils.go @@ -29,6 +29,7 @@ import ( errors "github.com/pkg/errors" vjson "www.velocidex.com/golang/velociraptor/json" "www.velocidex.com/golang/vfilter" + "www.velocidex.com/golang/vfilter/types" ) func InString(hay []string, needle string) bool { @@ -70,7 +71,7 @@ func hard_wrap(text string, colBreak int) string { return wrapped } -func Stringify(value interface{}, scope *vfilter.Scope, min_width int) string { +func Stringify(value interface{}, scope vfilter.Scope, min_width int) string { // Deal with pointers to things as those things. if reflect.TypeOf(value).Kind() == reflect.Ptr { return Stringify(reflect.Indirect( @@ -113,7 +114,7 @@ func Stringify(value interface{}, scope *vfilter.Scope, min_width int) string { } return strings.Join(result, "\n") - case vfilter.StringProtocol: + case types.StringProtocol: return t.ToString(scope) case []byte: 
diff --git a/vql/acls.go b/vql/acls.go index ba717c646fe..7bd0808e122 100644 --- a/vql/acls.go +++ b/vql/acls.go @@ -83,7 +83,7 @@ func NewServerACLManager( // from within VQL so this is a safe assumption - if a user was to // override the ACL_MANAGER_VAR with something else this will lock // down the entire VQL ACL system and deny all permissions. -func CheckAccess(scope *vfilter.Scope, permissions ...acls.ACL_PERMISSION) error { +func CheckAccess(scope vfilter.Scope, permissions ...acls.ACL_PERMISSION) error { manager_any, pres := scope.Resolve(ACL_MANAGER_VAR) if !pres { return fmt.Errorf("Permission denied: %v", permissions) @@ -102,7 +102,7 @@ func CheckAccess(scope *vfilter.Scope, permissions ...acls.ACL_PERMISSION) error return nil } -func CheckFilesystemAccess(scope *vfilter.Scope, accessor string) error { +func CheckFilesystemAccess(scope vfilter.Scope, accessor string) error { switch accessor { // These accessor are OK to use at any time. @@ -120,7 +120,7 @@ func CheckFilesystemAccess(scope *vfilter.Scope, accessor string) error { } // Get the principal that is running the query if possible. -func GetPrincipal(scope *vfilter.Scope) string { +func GetPrincipal(scope vfilter.Scope) string { manager_any, pres := scope.Resolve(ACL_MANAGER_VAR) if !pres { return "" diff --git a/vql/common/cache.go b/vql/common/cache.go index b9234e85e1d..d8a48fd7f84 100644 --- a/vql/common/cache.go +++ b/vql/common/cache.go @@ -9,6 +9,8 @@ import ( "www.velocidex.com/golang/velociraptor/json" vql_subsystem "www.velocidex.com/golang/velociraptor/vql" vfilter "www.velocidex.com/golang/vfilter" + "www.velocidex.com/golang/vfilter/arg_parser" + "www.velocidex.com/golang/vfilter/types" ) const ( @@ -19,8 +21,8 @@ type _CacheObj struct { mu sync.Mutex expires time.Time period time.Duration - expression vfilter.LazyExpr - scope *vfilter.Scope + expression types.LazyExpr + scope types.Scope ctx context.Context key string cache map[string]vfilter.Any 
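Review bot: The `_CacheObj.scope` field in vql/common/cache.go is retyped to `types.Scope`, while every other signature this commit touches in the same file (`NewCacheObj`, `Associative`, `GetMembers`, `Info`, `Call`) uses `vfilter.Scope`; the two presumably name the same interface, but one file should spell it one way. Declaring it as `scope vfilter.Scope` keeps the field consistent with the `NewCacheObj(ctx context.Context, scope vfilter.Scope, key string)` constructor that assigns it. The struct declaration itself starts outside the hunk.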
@@ -55,7 +57,7 @@ func (self *_CacheObj) Materialize() { self.scope.Log("Materializing memoized query") self.cache = make(map[string]vfilter.Any) - stored_query := self.expression.ToStoredQuery(self.scope) + stored_query := arg_parser.ToStoredQuery(self.expression) for row_item := range stored_query.Eval(self.ctx, self.scope) { key, pres := self.scope.Associative(row_item, self.key) if pres { @@ -65,7 +67,7 @@ func (self *_CacheObj) Materialize() { } } -func NewCacheObj(ctx context.Context, scope *vfilter.Scope, key string) *_CacheObj { +func NewCacheObj(ctx context.Context, scope vfilter.Scope, key string) *_CacheObj { return &_CacheObj{ scope: scope, ctx: ctx, @@ -84,13 +86,13 @@ func (self _CacheAssociative) Applicable(a vfilter.Any, b vfilter.Any) bool { // Associate object a with key b func (self _CacheAssociative) Associative( - scope *vfilter.Scope, a vfilter.Any, b vfilter.Any) (vfilter.Any, bool) { + scope vfilter.Scope, a vfilter.Any, b vfilter.Any) (vfilter.Any, bool) { cache_obj, ok := a.(*_CacheObj) if !ok { return vfilter.Null{}, false } - lazy_b, ok := b.(*vfilter.LazyExpr) + lazy_b, ok := b.(types.LazyExpr) if ok { b = lazy_b.ReduceWithScope(scope) } 
@@ -109,20 +111,20 @@ func (self _CacheAssociative) Associative( return res, true } -func (self _CacheAssociative) GetMembers(scope *vfilter.Scope, a vfilter.Any) []string { +func (self _CacheAssociative) GetMembers(scope vfilter.Scope, a vfilter.Any) []string { return nil } type _CacheFunctionArgs struct { - Func vfilter.LazyExpr `vfilter:"required,field=func,doc=A function to evaluate"` - Name string `vfilter:"optional,field=name,doc=The global name of this cache (needed when more than one)"` - Key string `vfilter:"required,field=key,doc=Cache key to use."` - Period int64 `vfilter:"optional,field=period,doc=The latest age of the cache."` + Func types.LazyExpr `vfilter:"required,field=func,doc=A function to evaluate"` + Name string `vfilter:"optional,field=name,doc=The global name of this cache (needed when more than one)"` + Key string `vfilter:"required,field=key,doc=Cache key to use."` + Period int64 `vfilter:"optional,field=period,doc=The latest age of the cache."` } type _CacheFunc struct{} -func (self _CacheFunc) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { +func (self _CacheFunc) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { return &vfilter.FunctionInfo{ Name: "cache", Doc: "Creates a cache object", @@ -130,7 +132,7 @@ func (self _CacheFunc) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vf } } -func (self _CacheFunc) Call(ctx context.Context, scope *vfilter.Scope, +func (self _CacheFunc) Call(ctx context.Context, scope vfilter.Scope, args *ordereddict.Dict) vfilter.Any { arg := &_CacheFunctionArgs{} 
@@ -169,14 +171,14 @@ func (self _CacheFunc) Call(ctx context.Context, scope *vfilter.Scope, } type _MemoizeFunctionArgs struct { - Query vfilter.LazyExpr `vfilter:"required,field=query,doc=Query to expand into memory"` - Key string `vfilter:"required,field=key,doc=The name of the column to use as a key."` - Period int64 `vfilter:"optional,field=period,doc=The latest age of the cache."` + Query types.LazyExpr `vfilter:"required,field=query,doc=Query to expand into memory"` + Key string `vfilter:"required,field=key,doc=The name of the column to use as a key."` + Period int64 `vfilter:"optional,field=period,doc=The latest age of the cache."` } type _MemoizeFunction struct{} -func (self _MemoizeFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { +func (self _MemoizeFunction) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { return &vfilter.FunctionInfo{ Name: "memoize", Doc: "Memoize a query into memory.", @@ -184,7 +186,7 @@ func (self _MemoizeFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeMa } } -func (self _MemoizeFunction) Call(ctx context.Context, scope *vfilter.Scope, +func (self _MemoizeFunction) Call(ctx context.Context, scope vfilter.Scope, args *ordereddict.Dict) vfilter.Any { arg := &_MemoizeFunctionArgs{} diff --git a/vql/common/clock.go b/vql/common/clock.go index 0b10fbbf377..221a731a71e 100644 --- a/vql/common/clock.go +++ b/vql/common/clock.go @@ -37,7 +37,7 @@ type ClockPlugin struct{} func (self ClockPlugin) Call( ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) <-chan vfilter.Row { output_chan := make(chan vfilter.Row) 
@@ -90,7 +90,7 @@ func (self ClockPlugin) Call( return output_chan } -func (self ClockPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo { +func (self ClockPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo { return &vfilter.PluginInfo{ Name: "clock", Doc: "Generate a timestamp periodically. This is mostly " + diff --git a/vql/common/copy.go b/vql/common/copy.go index be02397d8cc..d06b4a64fa3 100644 --- a/vql/common/copy.go +++ b/vql/common/copy.go @@ -41,7 +41,7 @@ type CopyFunctionArgs struct { type CopyFunction struct{} func (self *CopyFunction) Call(ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) vfilter.Any { // Check the config if we are allowed to execve at all. @@ -119,7 +119,7 @@ func (self *CopyFunction) Call(ctx context.Context, return arg.Destination } -func (self CopyFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { +func (self CopyFunction) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { return &vfilter.FunctionInfo{ Name: "copy", Doc: "Copy a file.", diff --git a/vql/common/diff.go b/vql/common/diff.go index 858da9548f2..fda8c5211eb 100644 --- a/vql/common/diff.go +++ b/vql/common/diff.go @@ -62,7 +62,7 @@ type _DiffCache struct { done chan bool } -func (self *_DiffCache) Eval(ctx context.Context, scope *vfilter.Scope) []vfilter.Row { +func (self *_DiffCache) Eval(ctx context.Context, scope vfilter.Scope) []vfilter.Row { result := []vfilter.Row{} old_rows_map := self.rows self.rows = make(map[string][]*ordereddict.Dict) @@ -129,7 +129,7 @@ check_row: func NewDiffCache( ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, period time.Duration, key string, stored_query vfilter.StoredQuery) *_DiffCache { 
@@ -155,7 +155,7 @@ type _DiffPluginArgs struct { type _DiffPlugin struct{} func (self _DiffPlugin) Call(ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) <-chan vfilter.Row { output_chan := make(chan vfilter.Row) @@ -202,7 +202,7 @@ func (self _DiffPlugin) Call(ctx context.Context, } func (self _DiffPlugin) Info( - scope *vfilter.Scope, + scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo { return &vfilter.PluginInfo{ Name: "diff", diff --git a/vql/common/env.go b/vql/common/env.go index 018f05e911e..039d1a3b47e 100644 --- a/vql/common/env.go +++ b/vql/common/env.go @@ -39,7 +39,7 @@ type EnvFunctionArgs struct { type EnvFunction struct{} func (self *EnvFunction) Call(ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) vfilter.Any { arg := &EnvFunctionArgs{} @@ -58,7 +58,7 @@ func (self *EnvFunction) Call(ctx context.Context, return os.Getenv(arg.Var) } -func (self *EnvFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { +func (self *EnvFunction) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { return &vfilter.FunctionInfo{ Name: "environ", Doc: "Get an environment variable.", @@ -72,7 +72,7 @@ func init() { vfilter.GenericListPlugin{ PluginName: "environ", Function: func( - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) []vfilter.Row { var result []vfilter.Row diff --git a/vql/common/fifo.go b/vql/common/fifo.go index ec13f874d69..f6154e652cb 100644 --- a/vql/common/fifo.go +++ b/vql/common/fifo.go @@ -43,6 +43,7 @@ import ( "github.com/Velocidex/ordereddict" vql_subsystem "www.velocidex.com/golang/velociraptor/vql" vfilter "www.velocidex.com/golang/vfilter" + "www.velocidex.com/golang/vfilter/types" ) type _FIFOCacheEntry struct { 
@@ -114,7 +115,7 @@ func (self *_FIFOCache) Push(row vfilter.Row) { func NewFIFOCache( ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, max_time time.Duration, max_rows int64, stored_query vfilter.StoredQuery) *_FIFOCache { @@ -165,7 +166,7 @@ type _FIFOPluginArgs struct { type _FIFOPlugin struct{} func (self _FIFOPlugin) Call(ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) <-chan vfilter.Row { output_chan := make(chan vfilter.Row) @@ -195,7 +196,7 @@ func (self _FIFOPlugin) Call(ctx context.Context, fifo_cache := vql_subsystem.CacheGet(scope, key) if fifo_cache == nil { scope.Log("Creating FIFO Cache for %v\n", - arg.Query.ToString(scope)) + types.ToString(arg.Query, scope)) fifo_cache = NewFIFOCache( ctx, scope, time.Duration(arg.MaxAge)*time.Second, @@ -225,7 +226,7 @@ func (self _FIFOPlugin) Call(ctx context.Context, } func (self _FIFOPlugin) Info( - scope *vfilter.Scope, + scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo { return &vfilter.PluginInfo{ Name: "fifo", diff --git a/vql/common/for.go b/vql/common/for.go index be751323ec3..a2dc872993f 100644 --- a/vql/common/for.go +++ b/vql/common/for.go @@ -10,7 +10,7 @@ import ( type ForPluginArgs struct { Var string `vfilter:"required,field=var,doc=The variable to assign."` - Foreach vfilter.LazyExpr `vfilter:"required,field=foreach,doc=The variable to iterate over."` + Foreach vfilter.StoredQuery `vfilter:"required,field=foreach,doc=The variable to iterate over."` Query vfilter.StoredQuery `vfilter:"optional,field=query,doc=Run this query over the item."` } @@ -18,7 +18,7 @@ type ForPlugin struct{} func (self ForPlugin) Call( ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) <-chan vfilter.Row { output_chan := make(chan vfilter.Row) 
@@ -35,8 +35,7 @@ func (self ForPlugin) Call( scope.Log("The for() plugin is deprecated. Please use foreach() instead.") // Force the in parameter to be a query. - stored_query := arg.Foreach.ToStoredQuery(scope) - for item := range stored_query.Eval(ctx, scope) { + for item := range arg.Foreach.Eval(ctx, scope) { // Evaluate the query on the new value new_scope := scope.Copy() new_scope.AppendVars(ordereddict.NewDict().Set( @@ -57,7 +56,7 @@ func (self ForPlugin) Call( return output_chan } -func (self ForPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo { +func (self ForPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo { return &vfilter.PluginInfo{ Name: "for", Doc: "Iterate over a list.", diff --git a/vql/common/items.go b/vql/common/items.go index 815bf762d07..d5fbcd6f43e 100644 --- a/vql/common/items.go +++ b/vql/common/items.go @@ -17,7 +17,7 @@ type ItemsPlugin struct{} func (self ItemsPlugin) Call( ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) <-chan vfilter.Row { output_chan := make(chan vfilter.Row) @@ -76,7 +76,7 @@ func (self ItemsPlugin) Call( return output_chan } -func (self ItemsPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo { +func (self ItemsPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo { return &vfilter.PluginInfo{ Name: "items", Doc: "Enumerate all members of the item (similar to Pythons items() method.", diff --git a/vql/common/mail.go b/vql/common/mail.go index d7df354051f..fcc563ca09f 100644 --- a/vql/common/mail.go +++ b/vql/common/mail.go @@ -47,7 +47,7 @@ type MailPlugin struct{} func (self MailPlugin) Call( ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) <-chan vfilter.Row { output_chan := make(chan vfilter.Row) 
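Review bot: With `Foreach` now declared as `vfilter.StoredQuery` (earlier for.go hunk) and evaluated directly via `arg.Foreach.Eval(ctx, scope)`, the field's tag `doc=The variable to iterate over.` no longer describes what the parameter accepts. If the argument extractor still coerces plain lists into a stored query, the tag should say so; otherwise `doc=A query whose rows are iterated over.` matches the new type. The `Call` method begins before this hunk.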
@@ -133,7 +133,7 @@ func (self MailPlugin) Call( return output_chan } -func (self MailPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo { +func (self MailPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo { return &vfilter.PluginInfo{ Name: "mail", Doc: "Send Email to a remote server.", diff --git a/vql/common/sampler.go b/vql/common/sampler.go index 7d50ab69274..cdfb28814af 100644 --- a/vql/common/sampler.go +++ b/vql/common/sampler.go @@ -16,7 +16,7 @@ type _SamplerPluginArgs struct { type _SamplerPlugin struct{} func (self _SamplerPlugin) Call(ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) <-chan vfilter.Row { output_chan := make(chan vfilter.Row) @@ -51,7 +51,7 @@ func (self _SamplerPlugin) Call(ctx context.Context, } func (self _SamplerPlugin) Info( - scope *vfilter.Scope, + scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo { return &vfilter.PluginInfo{ Name: "sample", diff --git a/vql/common/shell.go b/vql/common/shell.go index 574f8fcf301..f15fe74d18e 100644 --- a/vql/common/shell.go +++ b/vql/common/shell.go @@ -50,7 +50,7 @@ type ShellPlugin struct{} func (self ShellPlugin) Call( ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) <-chan vfilter.Row { output_chan := make(chan vfilter.Row) @@ -290,7 +290,7 @@ func (self ShellPlugin) Call( return output_chan } -func (self ShellPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo { +func (self ShellPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo { return &vfilter.PluginInfo{ Name: "execve", Doc: "Execute the commands given by argv.", diff --git a/vql/common/switch.go b/vql/common/switch.go index a0c1a9d03ad..247f406d555 100644 --- a/vql/common/switch.go +++ b/vql/common/switch.go 
@@ -6,12 +6,13 @@ import ( "github.com/Velocidex/ordereddict" vql_subsystem "www.velocidex.com/golang/velociraptor/vql" vfilter "www.velocidex.com/golang/vfilter" + "www.velocidex.com/golang/vfilter/arg_parser" ) type _SwitchPlugin struct{} func (self _SwitchPlugin) Call(ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) <-chan vfilter.Row { output_chan := make(chan vfilter.Row) @@ -22,19 +23,10 @@ func (self _SwitchPlugin) Call(ctx context.Context, members := scope.GetMembers(args) for _, member := range members { - member_obj, _ := args.Get(member) - lazy_v, ok := member_obj.(vfilter.LazyExpr) - if ok { - member_obj = lazy_v.ToStoredQuery(scope) + v, pres := args.Get(member) + if pres { + queries = append(queries, arg_parser.ToStoredQuery(v)) } - - query, ok := member_obj.(vfilter.StoredQuery) - if !ok { - scope.Log("Parameter " + member + - " should be a query") - return - } - queries = append(queries, query) } // Evaluate each query - the first query that returns @@ -64,7 +56,7 @@ func (self _SwitchPlugin) Call(ctx context.Context, } func (self _SwitchPlugin) Info( - scope *vfilter.Scope, + scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo { return &vfilter.PluginInfo{ Name: "switch", diff --git a/vql/common/yara.go b/vql/common/yara.go index 5ecd0e11da4..d4d28a281f3 100644 --- a/vql/common/yara.go +++ b/vql/common/yara.go @@ -71,7 +71,7 @@ type YaraScanPlugin struct{} func (self YaraScanPlugin) Call( ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) <-chan vfilter.Row { output_chan := make(chan vfilter.Row) 
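Review bot: The rewritten loop in `_SwitchPlugin.Call` drops the `Parameter ... should be a query` diagnostic and appends `arg_parser.ToStoredQuery(v)` unconditionally, so a member that is neither a query nor a `LazyExpr` is no longer reported; if `ToStoredQuery` returns nil for such values, the later evaluation over `queries` would dereference it. A guard preserves the old behaviour: `q := arg_parser.ToStoredQuery(v)` / `if q == nil { scope.Log("Parameter " + member + " should be a query"); return }` / `queries = append(queries, q)`. I cannot see `ToStoredQuery`'s contract from here; if it wraps arbitrary values into a query, a one-line comment where the check was removed would make that intent clear. `Call` begins before this hunk.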
@@ -139,7 +139,7 @@ func (self YaraScanPlugin) Call( // to recompile the rules all the time. We use the key as the cache or // the hash of the rules string if not provided. func getYaraRules(key, rules string, - scope *vfilter.Scope) (*yara.Rules, error) { + scope vfilter.Scope) (*yara.Rules, error) { // Try to get the compiled yara expression from the // scope cache. @@ -182,7 +182,7 @@ func scanFileByAccessor( total_number_of_hits int64, rules *yara.Rules, output_chan chan vfilter.Row, - scope *vfilter.Scope) { + scope vfilter.Scope) { accessor, err := glob.GetAccessor(accessor_name, scope) if err != nil { @@ -253,7 +253,7 @@ func scanFile( total_number_of_hits int64, rules *yara.Rules, output_chan chan vfilter.Row, - scope *vfilter.Scope) error { + scope vfilter.Scope) error { yara_flag := yara.ScanFlags(0) if total_number_of_hits == 1 { @@ -394,7 +394,7 @@ func getMatchStrings(r *yara.Rule) (matchstrings []yara.MatchString) { } func (self YaraScanPlugin) Info( - scope *vfilter.Scope, + scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo { return &vfilter.PluginInfo{ Name: "yara", @@ -413,7 +413,7 @@ type YaraProcPluginArgs struct { type YaraProcPlugin struct{} func (self YaraProcPlugin) Info( - scope *vfilter.Scope, + scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo { return &vfilter.PluginInfo{ Name: "proc_yara", @@ -424,7 +424,7 @@ func (self YaraProcPlugin) Info( func (self YaraProcPlugin) Call( ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) <-chan vfilter.Row { output_chan := make(chan vfilter.Row) @@ -480,7 +480,7 @@ func (self YaraProcPlugin) Call( } // Provide a shortcut way to define common rules. -func RuleGenerator(scope *vfilter.Scope, rule string) string { +func RuleGenerator(scope vfilter.Scope, rule string) string { rule = strings.TrimSpace(rule) // Just a normal yara rule 
diff --git a/vql/filesystem/filesystem.go b/vql/filesystem/filesystem.go index 69a5e0279a0..ee8e1cc3fd4 100644 --- a/vql/filesystem/filesystem.go +++ b/vql/filesystem/filesystem.go @@ -40,7 +40,7 @@ type GlobPlugin struct{} func (self GlobPlugin) Call( ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) <-chan vfilter.Row { globber := make(glob.Globber) output_chan := make(chan vfilter.Row) @@ -117,7 +117,7 @@ func (self GlobPlugin) Call( return output_chan } -func (self GlobPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo { +func (self GlobPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo { return &vfilter.PluginInfo{ Name: "glob", Doc: "Retrieve files based on a list of glob expressions", @@ -143,7 +143,7 @@ type ReadFilePlugin struct{} func (self ReadFilePlugin) processFile( ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, arg *ReadFileArgs, accessor glob.FileSystemAccessor, file string, @@ -193,7 +193,7 @@ func (self ReadFilePlugin) processFile( func (self ReadFilePlugin) Call( ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) <-chan vfilter.Row { output_chan := make(chan vfilter.Row) @@ -238,7 +238,7 @@ func (self ReadFilePlugin) Name() string { return "read_file" } -func (self ReadFilePlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo { +func (self ReadFilePlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo { return &vfilter.PluginInfo{ Name: "read_file", Doc: "Read files in chunks.", @@ -255,7 +255,7 @@ type ReadFileFunctionArgs struct { type ReadFileFunction struct{} func (self *ReadFileFunction) Call(ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) vfilter.Any { arg := &ReadFileFunctionArgs{} err := vfilter.ExtractArgs(scope, args, arg) 
@@ -293,7 +293,7 @@ func (self *ReadFileFunction) Call(ctx context.Context, return string(buf[:n]) } -func (self ReadFileFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { +func (self ReadFileFunction) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { return &vfilter.FunctionInfo{ Name: "read_file", Doc: "Read a file into a string.", @@ -310,7 +310,7 @@ type StatPlugin struct{} func (self *StatPlugin) Call( ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) <-chan vfilter.Row { output_chan := make(chan vfilter.Row) @@ -355,7 +355,7 @@ func (self StatPlugin) Name() string { return "stat" } -func (self StatPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo { +func (self StatPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo { return &vfilter.PluginInfo{ Name: "stat", Doc: "Get file information. Unlike glob() this does not support wildcards.", @@ -370,7 +370,7 @@ func init() { vfilter.GenericListPlugin{ PluginName: "filesystems", Function: func( - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) []vfilter.Row { var result []vfilter.Row partitions, err := disk.Partitions(true) diff --git a/vql/filesystem/filesystems.go b/vql/filesystem/filesystems.go index e5542adf4c5..50f26320bae 100644 --- a/vql/filesystem/filesystems.go +++ b/vql/filesystem/filesystems.go @@ -52,7 +52,7 @@ func init() { &vfilter.GenericListPlugin{ PluginName: "partitions", Function: func( - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) []vfilter.Row { var result []vfilter.Row diff --git a/vql/filesystem/grep.go b/vql/filesystem/grep.go index 4e8a18650f0..ddb3836d5f8 100644 --- a/vql/filesystem/grep.go +++ b/vql/filesystem/grep.go 
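Review bot: The `filesystems` plugin closure in the last hunk of filesystem.go calls `disk.Partitions(true)` with no ACL check in front of it, whereas the other machine-state readers touched by this commit (`getpid`, `expand`) gate on `vql_subsystem.CheckAccess(scope, acls.MACHINE_STATE)` before doing any work. Because the closure's opening is inside the hunk we can see that `var result []vfilter.Row` is followed directly by the enumeration, so nothing earlier in the function performs the check; unless `vfilter.GenericListPlugin` enforces permissions itself (not visible here), the plugin is callable from any scope regardless of its ACLs. I would add the same guard the siblings use and return the empty result on failure; `acls` needs importing in this file if it is not already. The rest of the closure and of `init()` lie outside the hunk.
```go
Function: func(
	scope vfilter.Scope,
	args *ordereddict.Dict) []vfilter.Row {
	var result []vfilter.Row
	if err := vql_subsystem.CheckAccess(scope, acls.MACHINE_STATE); err != nil {
		scope.Log("filesystems: %s", err)
		return result
	}
	partitions, err := disk.Partitions(true)
	// … unchanged: partition rows …
```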
@@ -49,7 +49,7 @@ type GrepFunction struct{} // The Grep VQL function searches for a literal or regex match inside the file func (self *GrepFunction) Call(ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) vfilter.Any { arg := &GrepFunctionArgs{} err := vfilter.ExtractArgs(scope, args, arg) @@ -138,7 +138,7 @@ func (self *GrepFunction) Call(ctx context.Context, } } -func (self GrepFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { +func (self GrepFunction) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { return &vfilter.FunctionInfo{ Name: "grep", Doc: "Search a file for keywords.", diff --git a/vql/filesystem/gzip.go b/vql/filesystem/gzip.go index 02d6aa1b17e..fabc8e29c51 100644 --- a/vql/filesystem/gzip.go +++ b/vql/filesystem/gzip.go @@ -114,7 +114,7 @@ func (self *GzipFileInfo) GetLink() (string, error) { } type GzipFileSystemAccessor struct { - scope *vfilter.Scope + scope vfilter.Scope getter FileGetter } @@ -179,7 +179,7 @@ func (self *GzipFileSystemAccessor) ReadDir(file_path string) ([]glob.FileInfo, return nil, nil } -func (self GzipFileSystemAccessor) New(scope *vfilter.Scope) (glob.FileSystemAccessor, error) { +func (self GzipFileSystemAccessor) New(scope vfilter.Scope) (glob.FileSystemAccessor, error) { return &GzipFileSystemAccessor{ scope: scope, getter: self.getter}, nil } @@ -220,10 +220,10 @@ func (self *SeekableGzip) Stat() (os.FileInfo, error) { } // Any getter that implements this can be used -type FileGetter func(file_path string, scope *vfilter.Scope) ( +type FileGetter func(file_path string, scope vfilter.Scope) ( *SeekableGzip, error) -func GetBzip2File(file_path string, scope *vfilter.Scope) (*SeekableGzip, error) { +func GetBzip2File(file_path string, scope vfilter.Scope) (*SeekableGzip, error) { url, err := url.Parse(file_path) if err != nil { return nil, err 
@@ -255,7 +255,7 @@ func GetBzip2File(file_path string, scope *vfilter.Scope) (*SeekableGzip, error) }}, nil } -func GetGzipFile(file_path string, scope *vfilter.Scope) (*SeekableGzip, error) { +func GetGzipFile(file_path string, scope vfilter.Scope) (*SeekableGzip, error) { url, err := url.Parse(file_path) if err != nil { return nil, err diff --git a/vql/filesystem/me.go b/vql/filesystem/me.go index 8835b04d2c9..4ac3dfeafa4 100644 --- a/vql/filesystem/me.go +++ b/vql/filesystem/me.go @@ -135,7 +135,7 @@ func (self MEFileSystemAccessor) PathJoin(root, stem string) string { return path.Join(root, stem) } -func (self MEFileSystemAccessor) New(scope *vfilter.Scope) (glob.FileSystemAccessor, error) { +func (self MEFileSystemAccessor) New(scope vfilter.Scope) (glob.FileSystemAccessor, error) { base, err := (&ZipFileSystemAccessor{}).New(scope) if err != nil { return nil, err diff --git a/vql/filesystem/raw_registry.go b/vql/filesystem/raw_registry.go index d269f07a994..44d81aa4708 100644 --- a/vql/filesystem/raw_registry.go +++ b/vql/filesystem/raw_registry.go @@ -197,7 +197,7 @@ type RawRegistryFileCache struct { type RawRegFileSystemAccessor struct { mu sync.Mutex fd_cache map[string]*RawRegistryFileCache - scope *vfilter.Scope + scope vfilter.Scope } func (self *RawRegFileSystemAccessor) getRegHive( @@ -248,7 +248,7 @@ func (self *RawRegFileSystemAccessor) getRegHive( const RawRegFileSystemTag = "_RawReg" -func (self *RawRegFileSystemAccessor) New(scope *vfilter.Scope) ( +func (self *RawRegFileSystemAccessor) New(scope vfilter.Scope) ( glob.FileSystemAccessor, error) { result_any := vql_subsystem.CacheGet(scope, RawRegFileSystemTag) @@ -362,7 +362,7 @@ type ReadKeyValues struct{} func (self ReadKeyValues) Call( ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) <-chan vfilter.Row { globber := make(glob.Globber) output_chan := make(chan vfilter.Row) 
@@ -462,7 +462,7 @@ func (self ReadKeyValues) Call( return output_chan } -func (self ReadKeyValues) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo { +func (self ReadKeyValues) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo { return &vfilter.PluginInfo{ Name: "read_reg_key", Doc: "This is a convenience function for reading the entire " + diff --git a/vql/filesystem/tempfile.go b/vql/filesystem/tempfile.go index 922cedbe3f5..768742e1e3b 100644 --- a/vql/filesystem/tempfile.go +++ b/vql/filesystem/tempfile.go @@ -40,7 +40,7 @@ type _TempfileRequest struct { type TempfileFunction struct{} func (self *TempfileFunction) Call(ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) vfilter.Any { err := vql_subsystem.CheckAccess(scope, acls.FILESYSTEM_WRITE) @@ -116,7 +116,7 @@ func (self *TempfileFunction) Call(ctx context.Context, return tmpfile.Name() } -func (self TempfileFunction) Info(scope *vfilter.Scope, +func (self TempfileFunction) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { return &vfilter.FunctionInfo{ Name: "tempfile", @@ -132,7 +132,7 @@ type _TempdirRequest struct { type TempdirFunction struct{} func (self *TempdirFunction) Call(ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) vfilter.Any { err := vql_subsystem.CheckAccess(scope, acls.FILESYSTEM_WRITE) @@ -179,7 +179,7 @@ func (self *TempdirFunction) Call(ctx context.Context, return dir } -func (self TempdirFunction) Info(scope *vfilter.Scope, +func (self TempdirFunction) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { return &vfilter.FunctionInfo{ Name: "tempdir", diff --git a/vql/filesystem/zip.go b/vql/filesystem/zip.go index 2a5a0a74249..10c3bf42967 100644 --- a/vql/filesystem/zip.go +++ b/vql/filesystem/zip.go 
@@ -254,7 +254,7 @@ func (self *ZipFileCache) Close() { type ZipFileSystemAccessor struct { mu sync.Mutex fd_cache map[string]*ZipFileCache - scope *vfilter.Scope + scope vfilter.Scope } func (self *ZipFileSystemAccessor) GetZipFile( @@ -434,7 +434,7 @@ const ( ZipFileSystemAccessorTag = "_ZipFS" ) -func (self *ZipFileSystemAccessor) New(scope *vfilter.Scope) (glob.FileSystemAccessor, error) { +func (self *ZipFileSystemAccessor) New(scope vfilter.Scope) (glob.FileSystemAccessor, error) { result_any := vql_subsystem.CacheGet(scope, ZipFileSystemAccessorTag) if result_any == nil { // Create a new cache in the scope. diff --git a/vql/functions/dict.go b/vql/functions/dict.go index 6701eba10fb..8e1ec51dfab 100644 --- a/vql/functions/dict.go +++ b/vql/functions/dict.go @@ -16,7 +16,7 @@ type _ToDictFunctionArgs struct { // e.g. dict(foo=5, bar=6) type _ToDictFunc struct{} -func (self _ToDictFunc) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { +func (self _ToDictFunc) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { return &vfilter.FunctionInfo{ Name: "to_dict", Doc: "Construct a dict from another object. If items is a query use _key and _value columns to set the dict's keys and values.", @@ -24,7 +24,7 @@ func (self _ToDictFunc) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *v } } -func (self _ToDictFunc) Call(ctx context.Context, scope *vfilter.Scope, +func (self _ToDictFunc) Call(ctx context.Context, scope vfilter.Scope, args *ordereddict.Dict) vfilter.Any { arg := &_ToDictFunctionArgs{} 
@@ -60,7 +60,7 @@ func (self _ToDictFunc) Call(ctx context.Context, scope *vfilter.Scope, type _ItemsFunc struct{} -func (self _ItemsFunc) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { +func (self _ItemsFunc) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { return &vfilter.FunctionInfo{ Name: "items", Doc: "Iterate over dict members producing _key and _value columns", @@ -68,7 +68,7 @@ func (self _ItemsFunc) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vf } } -func (self _ItemsFunc) Call(ctx context.Context, scope *vfilter.Scope, +func (self _ItemsFunc) Call(ctx context.Context, scope vfilter.Scope, args *ordereddict.Dict) vfilter.Any { arg := &_ToDictFunctionArgs{} diff --git a/vql/functions/encode.go b/vql/functions/encode.go index 4f60934df40..85e239e8c58 100644 --- a/vql/functions/encode.go +++ b/vql/functions/encode.go @@ -10,6 +10,7 @@ import ( "www.velocidex.com/golang/velociraptor/json" vql_subsystem "www.velocidex.com/golang/velociraptor/vql" "www.velocidex.com/golang/vfilter" + "www.velocidex.com/golang/vfilter/types" ) type EncodeFunctionArgs struct { @@ -20,7 +21,7 @@ type EncodeFunctionArgs struct { type EncodeFunction struct{} func (self *EncodeFunction) Call(ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) vfilter.Any { arg := &EncodeFunctionArgs{} err := vfilter.ExtractArgs(scope, args, arg) @@ -31,10 +32,10 @@ func (self *EncodeFunction) Call(ctx context.Context, result := arg.Item switch t := result.(type) { - case vfilter.LazyExpr: + case types.LazyExpr: result = t.Reduce() - case vfilter.StoredQuery: + case types.StoredQuery: result_rows := []vfilter.Row{} for row := range t.Eval(ctx, scope) { result_rows = append(result_rows, row) 
@@ -78,7 +79,7 @@ func (self *EncodeFunction) Call(ctx context.Context, return vfilter.Null{} } -func (self EncodeFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { +func (self EncodeFunction) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { return &vfilter.FunctionInfo{ Name: "serialize", Doc: "Encode an object as a string (csv or json).", diff --git a/vql/functions/expand.go b/vql/functions/expand.go index f0031cbfb61..fd9741ffc70 100644 --- a/vql/functions/expand.go +++ b/vql/functions/expand.go @@ -23,7 +23,7 @@ type _ExpandPath struct{} func (self _ExpandPath) Call( ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) vfilter.Any { err := vql_subsystem.CheckAccess(scope, acls.MACHINE_STATE) @@ -42,7 +42,7 @@ func (self _ExpandPath) Call( return os.ExpandEnv(arg.Path) } -func (self _ExpandPath) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { +func (self _ExpandPath) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { return &vfilter.FunctionInfo{ Name: "expand", Doc: "Expand the path using the environment.", diff --git a/vql/functions/format.go b/vql/functions/format.go index 220c015a71d..03bedb0d1eb 100644 --- a/vql/functions/format.go +++ b/vql/functions/format.go @@ -35,7 +35,7 @@ type FormatArgs struct { type FormatFunction struct{} func (self *FormatFunction) Call(ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) vfilter.Any { arg := &FormatArgs{} err := vfilter.ExtractArgs(scope, args, arg) 
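Review bot: The `expand` function's `Doc` in expand.go ("Expand the path using the environment.") does not say which reference syntax is honoured, and the implementation visible in the same hunk is `os.ExpandEnv(arg.Path)`, which substitutes only `$VAR` and `${VAR}` forms and leaves Windows-style `%VAR%` untouched. If there is no build-tagged Windows counterpart to this file (cannot be confirmed from here), a query written with `%SYSTEMROOT%` would silently get the literal string back and go on to use an unexpanded path. I would state the syntax in the doc, `Doc: "Expand $VAR and ${VAR} references in the path using the process environment."`, and, if `%VAR%` is meant to work on Windows, make sure a platform-specific implementation exists. `Info` continues past the end of the hunk.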
@@ -62,7 +62,7 @@ func (self *FormatFunction) Call(ctx context.Context, return fmt.Sprintf(arg.Format, format_args...) } -func (self FormatFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { +func (self FormatFunction) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { return &vfilter.FunctionInfo{ Name: "format", Doc: "Format one or more items according to a format string.", diff --git a/vql/functions/functions.go b/vql/functions/functions.go index ab03ea1321a..fd9e82aa76f 100644 --- a/vql/functions/functions.go +++ b/vql/functions/functions.go @@ -41,7 +41,7 @@ type _Base64Decode struct{} func (self _Base64Decode) Call( ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) vfilter.Any { arg := &_Base64DecodeArgs{} err := vfilter.ExtractArgs(scope, args, arg) @@ -57,7 +57,7 @@ func (self _Base64Decode) Call( return string(result) } -func (self _Base64Decode) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { +func (self _Base64Decode) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { return &vfilter.FunctionInfo{ Name: "base64decode", ArgType: type_map.AddType(scope, &_Base64DecodeArgs{}), @@ -72,7 +72,7 @@ type _Base64Encode struct{} func (self _Base64Encode) Call( ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) vfilter.Any { arg := &_Base64EncodeArgs{} err := vfilter.ExtractArgs(scope, args, arg) @@ -86,7 +86,7 @@ func (self _Base64Encode) Call( return string(result) } -func (self _Base64Encode) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { +func (self _Base64Encode) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { return &vfilter.FunctionInfo{ Name: "base64encode", ArgType: type_map.AddType(scope, &_Base64EncodeArgs{}), 
@@ -101,7 +101,7 @@ type _ToLower struct{} func (self _ToLower) Call( ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) vfilter.Any { arg := &_ToLowerArgs{} err := vfilter.ExtractArgs(scope, args, arg) @@ -113,7 +113,7 @@ func (self _ToLower) Call( return strings.ToLower(arg.String) } -func (self _ToLower) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { +func (self _ToLower) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { return &vfilter.FunctionInfo{ Name: "lowcase", ArgType: type_map.AddType(scope, &_ToLowerArgs{}), @@ -124,7 +124,7 @@ type _ToUpper struct{} func (self _ToUpper) Call( ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) vfilter.Any { arg := &_ToLowerArgs{} err := vfilter.ExtractArgs(scope, args, arg) @@ -136,7 +136,7 @@ func (self _ToUpper) Call( return strings.ToUpper(arg.String) } -func (self _ToUpper) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { +func (self _ToUpper) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { return &vfilter.FunctionInfo{ Name: "upcase", ArgType: type_map.AddType(scope, &_ToLowerArgs{}), @@ -151,7 +151,7 @@ type _ToInt struct{} func (self _ToInt) Call( ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) vfilter.Any { arg := &_ToIntArgs{} err := vfilter.ExtractArgs(scope, args, arg) @@ -171,7 +171,7 @@ func (self _ToInt) Call( } } -func (self _ToInt) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { +func (self _ToInt) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { return &vfilter.FunctionInfo{ Name: "atoi", Doc: "Convert a string to an int.", 
@@ -183,7 +183,7 @@ type _ParseFloat struct{} func (self _ParseFloat) Call( ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) vfilter.Any { arg := &_ToIntArgs{} err := vfilter.ExtractArgs(scope, args, arg) @@ -215,7 +215,7 @@ func (self _ParseFloat) Call( } } -func (self _ParseFloat) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { +func (self _ParseFloat) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { return &vfilter.FunctionInfo{ Name: "parse_float", Doc: "Convert a string to a float.", @@ -227,12 +227,12 @@ type _Now struct{} func (self _Now) Call( ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) vfilter.Any { return time.Now().Unix() } -func (self _Now) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { +func (self _Now) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { return &vfilter.FunctionInfo{ Name: "now", Doc: "Returns current time in seconds since epoch.", @@ -244,7 +244,7 @@ type _UTF16 struct{} func (self _UTF16) Call( ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) vfilter.Any { arg := &_Base64DecodeArgs{} @@ -263,7 +263,7 @@ func (self _UTF16) Call( return string(utf16.Decode(ints)) } -func (self _UTF16) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { +func (self _UTF16) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { return &vfilter.FunctionInfo{ Name: "utf16", Doc: "Parse input from utf16.", @@ -275,7 +275,7 @@ type _UTF16Encode struct{} func (self _UTF16Encode) Call( ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) vfilter.Any { arg := &_Base64EncodeArgs{} 
@@ -296,7 +296,7 @@ func (self _UTF16Encode) Call( return buf.String() } -func (self _UTF16Encode) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { +func (self _UTF16Encode) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { return &vfilter.FunctionInfo{ Name: "utf16_encode", Doc: "Encode a string to utf16 bytes.", @@ -308,13 +308,13 @@ type _Scope struct{} func (self _Scope) Call( ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) vfilter.Any { return scope } -func (self _Scope) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { +func (self _Scope) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { return &vfilter.FunctionInfo{ Name: "scope", Doc: "return the scope.", @@ -330,7 +330,7 @@ type _GetFunctionArgs struct { type _GetFunction struct{} -func (self _GetFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { +func (self _GetFunction) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { return &vfilter.FunctionInfo{ Name: "get", Doc: "Gets the member field from item.", @@ -340,7 +340,7 @@ func (self _GetFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) * func (self _GetFunction) Call( ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) vfilter.Any { arg := &_GetFunctionArgs{} err := vfilter.ExtractArgs(scope, args, arg) diff --git a/vql/functions/hash.go b/vql/functions/hash.go index 830a7b692de..f35338a3092 100644 --- a/vql/functions/hash.go +++ b/vql/functions/hash.go @@ -61,7 +61,7 @@ type HashFunctionArgs struct { type HashFunction struct{} func (self *HashFunction) Call(ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) vfilter.Any { arg := &HashFunctionArgs{} err := vfilter.ExtractArgs(scope, args, arg) 
@@ -139,7 +139,7 @@ func (self *HashFunction) Call(ctx context.Context, } } -func (self HashFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { +func (self HashFunction) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { return &vfilter.FunctionInfo{ Name: "hash", Doc: "Calculate the hash of a file.", diff --git a/vql/functions/humanize.go b/vql/functions/humanize.go index 0e700d049cb..56fd6c9f2fa 100644 --- a/vql/functions/humanize.go +++ b/vql/functions/humanize.go @@ -34,7 +34,7 @@ type HumanizeArgs struct { type HumanizeFunction struct{} func (self *HumanizeFunction) Call(ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) vfilter.Any { arg := &HumanizeArgs{} err := vfilter.ExtractArgs(scope, args, arg) @@ -50,7 +50,7 @@ func (self *HumanizeFunction) Call(ctx context.Context, return fmt.Sprintf("%v", arg.Bytes) } -func (self HumanizeFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { +func (self HumanizeFunction) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { return &vfilter.FunctionInfo{ Name: "humanize", Doc: "Format items in human readable way.", diff --git a/vql/functions/ints.go b/vql/functions/ints.go index c2d8ae82e54..fd76157624e 100644 --- a/vql/functions/ints.go +++ b/vql/functions/ints.go @@ -34,7 +34,7 @@ type IntArgs struct { type IntFunction struct{} func (self *IntFunction) Call(ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) vfilter.Any { arg := &IntArgs{} err := vfilter.ExtractArgs(scope, args, arg) 
@@ -68,7 +68,7 @@ func (self *IntFunction) Call(ctx context.Context, return 0 } -func (self IntFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { +func (self IntFunction) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { return &vfilter.FunctionInfo{ Name: "int", Doc: "Truncate to an integer.", @@ -83,7 +83,7 @@ type StrFunctionArgs struct { type StrFunction struct{} func (self *StrFunction) Call(ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) vfilter.Any { arg := &StrFunctionArgs{} err := vfilter.ExtractArgs(scope, args, arg) @@ -104,7 +104,7 @@ func (self *StrFunction) Call(ctx context.Context, } } -func (self StrFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { +func (self StrFunction) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { return &vfilter.FunctionInfo{ Name: "str", Doc: "Normalize a String.", diff --git a/vql/functions/lists.go b/vql/functions/lists.go index e25e26e10c5..f87e9a6b334 100644 --- a/vql/functions/lists.go +++ b/vql/functions/lists.go @@ -26,11 +26,12 @@ import ( "github.com/Velocidex/ordereddict" vql_subsystem "www.velocidex.com/golang/velociraptor/vql" "www.velocidex.com/golang/vfilter" + "www.velocidex.com/golang/vfilter/types" ) type ArrayFunction struct{} -func flatten(ctx context.Context, scope *vfilter.Scope, a vfilter.Any, depth int) []vfilter.Any { +func flatten(ctx context.Context, scope vfilter.Scope, a vfilter.Any, depth int) []vfilter.Any { var result []vfilter.Any if depth > 4 { @@ -38,10 +39,10 @@ func flatten(ctx context.Context, scope *vfilter.Scope, a vfilter.Any, depth int } switch t := a.(type) { - case vfilter.LazyExpr: + case types.LazyExpr: a = t.Reduce() - case vfilter.StoredQuery: + case types.StoredQuery: for row := range t.Eval(ctx, scope) { // Special case a single column means the // value is taken directly. 
@@ -85,12 +86,12 @@ func flatten(ctx context.Context, scope *vfilter.Scope, a vfilter.Any, depth int } func (self *ArrayFunction) Call(ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) vfilter.Any { return flatten(ctx, scope, args, 0) } -func (self ArrayFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { +func (self ArrayFunction) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { return &vfilter.FunctionInfo{ Name: "array", Doc: "Create an array with all the args.", @@ -105,7 +106,7 @@ type JoinFunctionArgs struct { type JoinFunction struct{} func (self *JoinFunction) Call(ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) vfilter.Any { arg := &JoinFunctionArgs{} @@ -122,7 +123,7 @@ func (self *JoinFunction) Call(ctx context.Context, return strings.Join(arg.Array, arg.Sep) } -func (self JoinFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { +func (self JoinFunction) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { return &vfilter.FunctionInfo{ Name: "join", Doc: "Join all the args on a separator.", @@ -137,7 +138,7 @@ type FilterFunctionArgs struct { type FilterFunction struct{} func (self *FilterFunction) Call(ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) vfilter.Any { arg := &FilterFunctionArgs{} err := vfilter.ExtractArgs(scope, args, arg) @@ -168,7 +169,7 @@ func (self *FilterFunction) Call(ctx context.Context, return result } -func (self FilterFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { +func (self FilterFunction) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { return &vfilter.FunctionInfo{ Name: "filter", Doc: "Filters a strings array by regex.", 
@@ -182,7 +183,7 @@ type LenFunctionArgs struct { type LenFunction struct{} func (self *LenFunction) Call(ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) vfilter.Any { arg := &LenFunctionArgs{} err := vfilter.ExtractArgs(scope, args, arg) @@ -209,7 +210,7 @@ func (self *LenFunction) Call(ctx context.Context, return 0 } -func (self LenFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { +func (self LenFunction) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { return &vfilter.FunctionInfo{ Name: "len", Doc: "Returns the length of an object.", diff --git a/vql/functions/log.go b/vql/functions/log.go index 704b2dbf91c..5376c37e330 100644 --- a/vql/functions/log.go +++ b/vql/functions/log.go @@ -32,7 +32,7 @@ type LogFunctionArgs struct { type LogFunction struct{} func (self *LogFunction) Call(ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) vfilter.Any { arg := &LogFunctionArgs{} err := vfilter.ExtractArgs(scope, args, arg) @@ -41,9 +41,12 @@ func (self *LogFunction) Call(ctx context.Context, return false } - last_log, ok := scope.GetContext("last_log").(string) - if ok && arg.Message == last_log { - return true + last_log_str, ok := scope.GetContext("last_log") + if ok { + last_log, ok := last_log_str.(string) + if ok && arg.Message == last_log { + return true + } } scope.Log("%v", arg.Message) @@ -52,7 +55,7 @@ func (self *LogFunction) Call(ctx context.Context, return true } -func (self LogFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { +func (self LogFunction) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { return &vfilter.FunctionInfo{ Name: "log", Doc: "Log the message.", diff --git a/vql/functions/networks.go b/vql/functions/networks.go index aec77d05dd5..b5eb24c852f 100644 --- a/vql/functions/networks.go +++ b/vql/functions/networks.go 
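Review bot: In the `@@ -41,9 +41,12 @@` hunk of log.go the inner `last_log, ok := last_log_str.(string)` re-declares `ok` inside the `if ok {` block, so the outer `ok` is shadowed for the rest of that block; it behaves correctly, but shadowing a boolean used in the enclosing condition is the pattern the `go vet` shadow analyzer flags and reads like a bug to the next maintainer. Collapsing the two checks into one `if` chain with distinct names keeps the behaviour and drops a level of nesting: `if prev, pres := scope.GetContext("last_log"); pres {` followed by `if s, isStr := prev.(string); isStr && arg.Message == s {` around the existing `return true`. `Call` itself starts and ends outside this hunk.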
@@ -34,7 +34,7 @@ type IpArgs struct { type IpFunction struct{} func (self *IpFunction) Call(ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) vfilter.Any { arg := &IpArgs{} err := vfilter.ExtractArgs(scope, args, arg) @@ -62,7 +62,7 @@ func (self *IpFunction) Call(ctx context.Context, } } -func (self IpFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { +func (self IpFunction) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { return &vfilter.FunctionInfo{ Name: "ip", Doc: "Format an IP address.", diff --git a/vql/functions/patch.go b/vql/functions/patch.go index d8c411c8c3e..886b9992d80 100644 --- a/vql/functions/patch.go +++ b/vql/functions/patch.go @@ -18,7 +18,7 @@ type PatchFunctionArgs struct { type PatchFunction struct{} -func (self PatchFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { +func (self PatchFunction) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { return &vfilter.FunctionInfo{ Name: "patch", Doc: "Patch a JSON object with a json patch.", @@ -41,7 +41,7 @@ func to_json(item vfilter.Any) ([]byte, error) { func (self *PatchFunction) Call( ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) vfilter.Any { arg := &PatchFunctionArgs{} err := vfilter.ExtractArgs(scope, args, arg) diff --git a/vql/functions/paths.go b/vql/functions/paths.go index 80a824a69cf..4d1caddf612 100644 --- a/vql/functions/paths.go +++ b/vql/functions/paths.go @@ -34,7 +34,7 @@ type DirnameArgs struct { type DirnameFunction struct{} func (self *DirnameFunction) Call(ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) vfilter.Any { arg := &DirnameArgs{} err := vfilter.ExtractArgs(scope, args, arg) 
@@ -51,7 +51,7 @@ func (self *DirnameFunction) Call(ctx context.Context, return vfilter.Null{} } -func (self DirnameFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { +func (self DirnameFunction) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { return &vfilter.FunctionInfo{ Name: "dirname", Doc: "Return the directory path.", @@ -62,7 +62,7 @@ func (self DirnameFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap type BasenameFunction struct{} func (self *BasenameFunction) Call(ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) vfilter.Any { arg := &DirnameArgs{} err := vfilter.ExtractArgs(scope, args, arg) @@ -79,7 +79,7 @@ func (self *BasenameFunction) Call(ctx context.Context, return vfilter.Null{} } -func (self BasenameFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { +func (self BasenameFunction) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { return &vfilter.FunctionInfo{ Name: "basename", Doc: "Return the basename of the path.", @@ -94,7 +94,7 @@ type PathJoinArgs struct { type PathJoinFunction struct{} func (self *PathJoinFunction) Call(ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) vfilter.Any { arg := &PathJoinArgs{} err := vfilter.ExtractArgs(scope, args, arg) @@ -117,7 +117,7 @@ func (self *PathJoinFunction) Call(ctx context.Context, return result } -func (self PathJoinFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { +func (self PathJoinFunction) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { return &vfilter.FunctionInfo{ Name: "path_join", Doc: "Build a path by joining all components.", 
@@ -132,7 +132,7 @@ type PathSplitArgs struct { type PathSplitFunction struct{} func (self *PathSplitFunction) Call(ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) vfilter.Any { arg := &PathSplitArgs{} err := vfilter.ExtractArgs(scope, args, arg) @@ -144,7 +144,7 @@ func (self *PathSplitFunction) Call(ctx context.Context, return utils.SplitComponents(arg.Path) } -func (self PathSplitFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { +func (self PathSplitFunction) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { return &vfilter.FunctionInfo{ Name: "path_split", Doc: "Split a path into components. Note this is more complex than just split() because it takes into account path escaping.", diff --git a/vql/functions/pid.go b/vql/functions/pid.go index 142ff74027b..c5718adf0ab 100644 --- a/vql/functions/pid.go +++ b/vql/functions/pid.go @@ -30,7 +30,7 @@ import ( type GetPidFunction struct{} func (self *GetPidFunction) Call(ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) vfilter.Any { err := vql_subsystem.CheckAccess(scope, acls.MACHINE_STATE) @@ -42,7 +42,7 @@ func (self *GetPidFunction) Call(ctx context.Context, return os.Getpid() } -func (self GetPidFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { +func (self GetPidFunction) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo { return &vfilter.FunctionInfo{ Name: "getpid", Doc: "Returns the current pid of the process.", diff --git a/vql/functions/rot13.go b/vql/functions/rot13.go index de49ff13be6..bb5495e3d43 100644 --- a/vql/functions/rot13.go +++ b/vql/functions/rot13.go 
@@ -32,7 +32,7 @@ type Rot13Args struct {
 type Rot13 struct{}
 func (self *Rot13) Call(ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) vfilter.Any {
 arg := &Rot13Args{}
 err := vfilter.ExtractArgs(scope, args, arg)
@@ -66,7 +66,7 @@ func rot13(in []byte) []byte {
 return result
 }
-func (self Rot13) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+func (self Rot13) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 return &vfilter.FunctionInfo{
 Name: "rot13",
 Doc: "Apply rot13 deobfuscation to the string.",
diff --git a/vql/functions/sleep.go b/vql/functions/sleep.go
index 1ebaf88eda9..fbd23bf00c1 100644
--- a/vql/functions/sleep.go
+++ b/vql/functions/sleep.go
@@ -17,7 +17,7 @@ type SleepArgs struct {
 type SleepFunction struct{}
 func (self *SleepFunction) Call(ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) vfilter.Any {
 arg := &SleepArgs{}
 err := vfilter.ExtractArgs(scope, args, arg)
@@ -38,7 +38,7 @@ func (self *SleepFunction) Call(ctx context.Context,
 return true
 }
-func (self *SleepFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+func (self *SleepFunction) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 return &vfilter.FunctionInfo{
 Name: "sleep",
 Doc: "Sleep for the specified number of seconds. Always returns true.",
@@ -53,7 +53,7 @@ type RandArgs struct {
 type RandFunction struct{}
 func (self *RandFunction) Call(ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) vfilter.Any {
 arg := &RandArgs{}
 err := vfilter.ExtractArgs(scope, args, arg)
@@ -69,7 +69,7 @@ func (self *RandFunction) Call(ctx context.Context,
 return rand.Intn(int(arg.Range))
 }
-func (self RandFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+func (self RandFunction) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 return &vfilter.FunctionInfo{
 Name: "rand",
 Doc: "Selects a random number.",
diff --git a/vql/functions/strings.go b/vql/functions/strings.go
index a18f32b1194..dbbb761f054 100644
--- a/vql/functions/strings.go
+++ b/vql/functions/strings.go
@@ -34,7 +34,7 @@ type StripArgs struct {
 type StripFunction struct{}
 func (self *StripFunction) Call(ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) vfilter.Any {
 arg := &StripArgs{}
 err := vfilter.ExtractArgs(scope, args, arg)
@@ -48,7 +48,7 @@ func (self *StripFunction) Call(ctx context.Context,
 return strings.TrimPrefix(arg.String, arg.Prefix)
 }
-func (self StripFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+func (self StripFunction) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 return &vfilter.FunctionInfo{
 Name: "strip",
 Doc: "Strip a prefix from a string.",
diff --git a/vql/functions/time.go b/vql/functions/time.go
index c7a10699e19..d4d8bf015cc 100644
--- a/vql/functions/time.go
+++ b/vql/functions/time.go
@@ -36,7 +36,7 @@ type _TimestampArg struct {
 type _Timestamp struct{}
-func (self _Timestamp) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+func (self _Timestamp) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 return &vfilter.FunctionInfo{
 Name: "timestamp",
 Doc: "Convert from different types to a time.Time.",
@@ -44,7 +44,7 @@ func (self _Timestamp) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vf
 }
 }
-func (self _Timestamp) Call(ctx context.Context, scope *vfilter.Scope,
+func (self _Timestamp) Call(ctx context.Context, scope vfilter.Scope,
 args *ordereddict.Dict) vfilter.Any {
 arg := &_TimestampArg{}
 err := vfilter.ExtractArgs(scope, args, arg)
@@ -77,7 +77,7 @@ func (self _Timestamp) Call(ctx context.Context, scope *vfilter.Scope,
 return result
 }
-func TimeFromAny(scope *vfilter.Scope, timestamp vfilter.Any) (time.Time, error) {
+func TimeFromAny(scope vfilter.Scope, timestamp vfilter.Any) (time.Time, error) {
 sec := int64(0)
 dec := int64(0)
 switch t := timestamp.(type) {
@@ -113,7 +113,7 @@ func TimeFromAny(scope *vfilter.Scope, timestamp vfilter.Any) (time.Time, error)
 return time.Unix(int64(sec), int64(dec)), nil
 }
-func parse_time_from_string(scope *vfilter.Scope, timestamp string) (
+func parse_time_from_string(scope vfilter.Scope, timestamp string) (
 time.Time, error) {
 time_value_any, pres := lru.Get(timestamp)
 if pres {
@@ -132,7 +132,8 @@ func parse_time_from_string(scope *vfilter.Scope, timestamp string) (
 // Time aware operators.
 type _TimeLt struct{}
-func (self _TimeLt) Lt(scope *vfilter.Scope, a vfilter.Any, b vfilter.Any) bool {
+// a < b
+func (self _TimeLt) Lt(scope vfilter.Scope, a vfilter.Any, b vfilter.Any) bool {
 a_time, _ := utils.IsTime(a)
 b_time, _ := utils.IsTime(b)
@@ -146,9 +147,26 @@ func (self _TimeLt) Applicable(a vfilter.Any, b vfilter.Any) bool {
 return a_ok && b_ok
 }
+type _TimeGt struct{}
+
+// a > b
+func (self _TimeGt) Gt(scope vfilter.Scope, a vfilter.Any, b vfilter.Any) bool {
+ a_time, _ := utils.IsTime(a)
+ b_time, _ := utils.IsTime(b)
+
+ return a_time.After(b_time)
+}
+
+func (self _TimeGt) Applicable(a vfilter.Any, b vfilter.Any) bool {
+ _, a_ok := utils.IsTime(a)
+ _, b_ok := utils.IsTime(b)
+
+ return a_ok && b_ok
+}
+
 type _TimeLtInt struct{}
-func (self _TimeLtInt) Lt(scope *vfilter.Scope, a vfilter.Any, b vfilter.Any) bool {
+func (self _TimeLtInt) Lt(scope vfilter.Scope, a vfilter.Any, b vfilter.Any) bool {
 a_time, _ := utils.IsTime(a)
 var b_time time.Time
@@ -175,9 +193,38 @@ func (self _TimeLtInt) Applicable(a vfilter.Any, b vfilter.Any) bool {
 return ok
 }
+type _TimeGtInt struct{}
+
+func (self _TimeGtInt) Gt(scope vfilter.Scope, a vfilter.Any, b vfilter.Any) bool {
+ a_time, _ := utils.IsTime(a)
+ var b_time time.Time
+
+ switch t := b.(type) {
+ case float64:
+ sec_f, dec_f := math.Modf(t)
+ dec_f *= 1e9
+ b_time = time.Unix(int64(sec_f), int64(dec_f))
+ default:
+ sec, _ := utils.ToInt64(b)
+ b_time = time.Unix(sec, 0)
+ }
+
+ return a_time.After(b_time)
+}
+
+func (self _TimeGtInt) Applicable(a vfilter.Any, b vfilter.Any) bool {
+ _, a_ok := utils.IsTime(a)
+ if !a_ok {
+ return false
+ }
+
+ _, ok := utils.ToInt64(b)
+ return ok
+}
+
 type _TimeLtString struct{}
-func (self _TimeLtString) Lt(scope *vfilter.Scope, a vfilter.Any, b vfilter.Any) bool {
+func (self _TimeLtString) Lt(scope vfilter.Scope, a vfilter.Any, b vfilter.Any) bool {
 a_time, _ := utils.IsTime(a)
 b_str, _ := b.(string)
 var b_time time.Time
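Review bot: `_TimeGtInt.Gt` repeats the float64/int-to-time conversion that `_TimeLtInt.Lt` carries, with only `Before` swapped for `After`, and `_TimeGt` and `_TimeGtString` (the latter in the next hunk) mirror their `Lt` twins the same way; a shared conversion helper would keep the two directions from drifting apart when one of them is fixed. The `_TimeLtInt.Lt` body continues outside this hunk, so I am inferring it holds the same `switch`. The `// a > b` comment on `_TimeGt.Gt` is also worth repeating on `_TimeGtInt.Gt` and `_TimeGtString.Gt`, since the operand order is the whole contract of these protocols. A sketch of the helper and its use in the new `Gt`:
```go
// numberToTime converts an integer-like or float64 VQL value to a
// time.Time; float64 keeps sub-second precision via Modf.
func numberToTime(b vfilter.Any) time.Time {
	switch t := b.(type) {
	case float64:
		sec_f, dec_f := math.Modf(t)
		dec_f *= 1e9
		return time.Unix(int64(sec_f), int64(dec_f))
	default:
		sec, _ := utils.ToInt64(b)
		return time.Unix(sec, 0)
	}
}

// a > b
func (self _TimeGtInt) Gt(scope vfilter.Scope, a vfilter.Any, b vfilter.Any) bool {
	a_time, _ := utils.IsTime(a)
	return a_time.After(numberToTime(b))
}
// … unchanged: _TimeGtInt.Applicable …
```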
@@ -207,9 +254,41 @@ func (self _TimeLtString) Applicable(a vfilter.Any, b vfilter.Any) bool {
 return a_ok && b_ok
 }
+type _TimeGtString struct{}
+
+func (self _TimeGtString) Gt(scope vfilter.Scope, a vfilter.Any, b vfilter.Any) bool {
+ a_time, _ := utils.IsTime(a)
+ b_str, _ := b.(string)
+ var b_time time.Time
+
+ time_value_any, pres := lru.Get(b_str)
+ if pres {
+ b_time = time_value_any.(cachedTime).Time
+
+ } else {
+ parser := dateparser.Parser{Fuzzy: true,
+ DayFirst: true,
+ IgnoreTZ: true}
+ b_time_time, err := parser.Parse(b_str)
+ if err == nil {
+ b_time = b_time_time
+ lru.Set(b_str, cachedTime{b_time})
+ }
+ }
+
+ return a_time.After(b_time)
+}
+
+func (self _TimeGtString) Applicable(a vfilter.Any, b vfilter.Any) bool {
+ _, a_ok := utils.IsTime(a)
+ _, b_ok := b.(string)
+
+ return a_ok && b_ok
+}
+
 type _TimeEq struct{}
-func (self _TimeEq) Eq(scope *vfilter.Scope, a vfilter.Any, b vfilter.Any) bool {
+func (self _TimeEq) Eq(scope vfilter.Scope, a vfilter.Any, b vfilter.Any) bool {
 a_time, _ := utils.IsTime(a)
 b_time, _ := utils.IsTime(b)
@@ -225,7 +304,7 @@ func (self _TimeEq) Applicable(a vfilter.Any, b vfilter.Any) bool {
 type _TimeEqInt struct{}
-func (self _TimeEqInt) Eq(scope *vfilter.Scope, a vfilter.Any, b vfilter.Any) bool {
+func (self _TimeEqInt) Eq(scope vfilter.Scope, a vfilter.Any, b vfilter.Any) bool {
 a_time, _ := utils.IsTime(a)
 var b_time time.Time
@@ -255,8 +334,11 @@ func (self _TimeEqInt) Applicable(a vfilter.Any, b vfilter.Any) bool {
 func init() {
 vql_subsystem.RegisterFunction(&_Timestamp{})
 vql_subsystem.RegisterProtocol(&_TimeLt{})
+ vql_subsystem.RegisterProtocol(&_TimeGt{})
 vql_subsystem.RegisterProtocol(&_TimeLtInt{})
+ vql_subsystem.RegisterProtocol(&_TimeGtInt{})
 vql_subsystem.RegisterProtocol(&_TimeLtString{})
+ vql_subsystem.RegisterProtocol(&_TimeGtString{})
 vql_subsystem.RegisterProtocol(&_TimeEq{})
 vql_subsystem.RegisterProtocol(&_TimeEqInt{})
 }
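Review bot: In `_TimeGtString.Gt`, when `parser.Parse(b_str)` fails `b_time` is left as the zero `time.Time`, so `a_time.After(b_time)` is true for every real timestamp and a mistyped or unparseable date string silently matches all rows; the `Lt` direction presumably fails the other way (zero time is never after `a_time`, so nothing matches), which means the two operators disagree on the same bad input. For a filter that artifacts use to bound a time window, an unparseable bound should not widen the result set unnoticed. Returning early with a log entry keeps the operator predictable, e.g. `if err != nil { scope.Log("time comparison: cannot parse %q", b_str); return false }` in place of the `if err == nil` branch. The same applies to `_TimeLtString.Lt`, whose parsing code is outside this hunk.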
diff --git a/vql/functions/url.go b/vql/functions/url.go
index 7042e043b01..1736a70eb20 100644
--- a/vql/functions/url.go
+++ b/vql/functions/url.go
@@ -40,7 +40,7 @@ type UrlArgs struct {
 type UrlFunction struct{}
 func (self *UrlFunction) Call(ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) vfilter.Any {
 arg := &UrlArgs{}
 err := vfilter.ExtractArgs(scope, args, arg)
@@ -81,7 +81,7 @@ func normalize_path(path string) string {
 return "/" + path
 }
-func (self UrlFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+func (self UrlFunction) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 return &vfilter.FunctionInfo{
 Name: "url",
 Doc: "Construct a URL or parse one.",
diff --git a/vql/functions/uuid.go b/vql/functions/uuid.go
index d68d2267dfd..489c11cac03 100644
--- a/vql/functions/uuid.go
+++ b/vql/functions/uuid.go
@@ -11,14 +11,14 @@ import (
 type _UUIDFunc struct{}
-func (self _UUIDFunc) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+func (self _UUIDFunc) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 return &vfilter.FunctionInfo{
 Name: "uuid",
 Doc: "Generate a UUID.",
 }
 }
-func (self _UUIDFunc) Call(ctx context.Context, scope *vfilter.Scope,
+func (self _UUIDFunc) Call(ctx context.Context, scope vfilter.Scope,
 args *ordereddict.Dict) vfilter.Any {
 return uuid.New()
diff --git a/vql/golang/profile.go b/vql/golang/profile.go
index bfa6e4474ed..33b226b66bb 100644
--- a/vql/golang/profile.go
+++ b/vql/golang/profile.go
@@ -27,7 +27,7 @@ type ProfilePluginArgs struct {
 Duration int64 `vfilter:"optional,field=duration,doc=Duration of samples (default 30 sec)"`
 }
-func remove(scope *vfilter.Scope, name string) {
+func remove(scope vfilter.Scope, name string) {
 scope.Log("profile: removing tempfile %v", name)
 // On windows especially we can not remove files that
@@ -42,7 +42,7 @@ func remove(scope *vfilter.Scope, name string) {
 }
 }
-func writeProfile(scope *vfilter.Scope,
+func writeProfile(scope vfilter.Scope,
 output_chan chan vfilter.Row, name string, debug int64) {
 tmpfile, err := ioutil.TempFile("", "tmp*.tmp")
 if err != nil {
@@ -72,7 +72,7 @@ func writeProfile(scope *vfilter.Scope,
 func writeCPUProfile(
 ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 output_chan chan vfilter.Row, duration int64) {
 tmpfile, err := tempfile.TempFile("", "tmp", ".tmp")
 if err != nil {
@@ -102,7 +102,7 @@ func writeCPUProfile(
 func writeTraceProfile(
 ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 output_chan chan vfilter.Row, duration int64) {
 tmpfile, err := tempfile.TempFile("", "tmp", ".tmp")
 if err != nil {
@@ -133,7 +133,7 @@ func writeTraceProfile(
 type ProfilePlugin struct{}
 func (self *ProfilePlugin) Call(ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) <-chan vfilter.Row {
 output_chan := make(chan vfilter.Row)
@@ -191,7 +191,7 @@ func (self *ProfilePlugin) Call(ctx context.Context,
 }
 func (self ProfilePlugin) Info(
- scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+ scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 return &vfilter.PluginInfo{
 Name: "profile",
 Doc: "Returns a profile dump from the running process.",
diff --git a/vql/info.go b/vql/info.go
index bba762c2a14..d1ee35c99c3 100644
--- a/vql/info.go
+++ b/vql/info.go
@@ -52,7 +52,7 @@ func init() {
 vfilter.GenericListPlugin{
 PluginName: "info",
 Function: func(
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) []vfilter.Row {
 var result []vfilter.Row
diff --git a/vql/json.go b/vql/json.go
index 78921b6097f..cf175cee803 100644
--- a/vql/json.go
+++ b/vql/json.go
@@ -10,7 +10,7 @@ import (
 "www.velocidex.com/golang/vfilter"
 )
-func EncOptsFromScope(scope *vfilter.Scope) *json.EncOpts {
+func EncOptsFromScope(scope vfilter.Scope) *json.EncOpts {
 // Default timezone is UTC
 location := time.UTC
@@ -57,13 +57,13 @@ func EncOptsFromScope(scope *vfilter.Scope) *json.EncOpts {
 }
 // Utilities for encoding json via the vfilter API.
-func MarshalJson(scope *vfilter.Scope) vfilter.RowEncoder {
+func MarshalJson(scope vfilter.Scope) vfilter.RowEncoder {
 return func(rows []vfilter.Row) ([]byte, error) {
 return json.MarshalWithOptions(rows, EncOptsFromScope(scope))
 }
 }
-func MarshalJsonIndent(scope *vfilter.Scope) vfilter.RowEncoder {
+func MarshalJsonIndent(scope vfilter.Scope) vfilter.RowEncoder {
 return func(rows []vfilter.Row) ([]byte, error) {
 b, err := json.MarshalWithOptions(rows, EncOptsFromScope(scope))
 if err != nil {
@@ -78,7 +78,7 @@ func MarshalJsonIndent(scope *vfilter.Scope) vfilter.RowEncoder {
 }
 }
-func MarshalJsonl(scope *vfilter.Scope) vfilter.RowEncoder {
+func MarshalJsonl(scope vfilter.Scope) vfilter.RowEncoder {
 options := EncOptsFromScope(scope)
 return func(rows []vfilter.Row) ([]byte, error) {
diff --git a/vql/linux/audit.go b/vql/linux/audit.go
index f4f321b6a8b..7a6e184a6ab 100644
--- a/vql/linux/audit.go
+++ b/vql/linux/audit.go
@@ -17,7 +17,7 @@ import (
 )
 type streamHandler struct {
- scope *vfilter.Scope
+ scope vfilter.Scope
 output_chan chan vfilter.Row
 }
@@ -39,7 +39,7 @@ func (self *streamHandler) outputMultipleMessages(msgs []*auparse.AuditMessage)
 type AuditPlugin struct{}
-func (self AuditPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+func (self AuditPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 return &vfilter.PluginInfo{
 Name: "audit",
 Doc: "Register as an audit daemon in the kernel.",
@@ -47,7 +47,7 @@ func (self AuditPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *v
 }
 func (self AuditPlugin) Call(
- ctx context.Context, scope *vfilter.Scope,
+ ctx context.Context, scope vfilter.Scope,
 args *ordereddict.Dict) <-chan vfilter.Row {
 output_chan := make(chan vfilter.Row)
diff --git a/vql/linux/connections.go b/vql/linux/connections.go
index a297c7fc917..71d97d05312 100755
--- a/vql/linux/connections.go
+++ b/vql/linux/connections.go
@@ -30,7 +30,7 @@ func init() {
 &vfilter.GenericListPlugin{
 PluginName: "connections",
 Function: func(
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) []vfilter.Row {
 var result []vfilter.Row
diff --git a/vql/networking/http_client.go b/vql/networking/http_client.go
index 2c59201ba0f..7f73de566ef 100644
--- a/vql/networking/http_client.go
+++ b/vql/networking/http_client.go
@@ -41,6 +41,7 @@ import (
 "www.velocidex.com/golang/velociraptor/utils"
 vql_subsystem "www.velocidex.com/golang/velociraptor/vql"
 vfilter "www.velocidex.com/golang/vfilter"
+ "www.velocidex.com/golang/vfilter/types"
 )
 var (
@@ -206,7 +207,7 @@ func getHttpClient(
 return http_client
 }
-func encodeParams(arg *_HttpPluginRequest, scope *vfilter.Scope) *url.Values {
+func encodeParams(arg *_HttpPluginRequest, scope vfilter.Scope) *url.Values {
 data := url.Values{}
 if arg.Params != nil {
 for _, member := range scope.GetMembers(arg.Params) {
@@ -237,7 +238,7 @@ func encodeParams(arg *_HttpPluginRequest, scope *vfilter.Scope) *url.Values {
 func (self *_HttpPlugin) Call(
 ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) <-chan vfilter.Row {
 output_chan := make(chan vfilter.Row)
 arg := &_HttpPluginRequest{}
@@ -289,7 +290,7 @@ func (self *_HttpPlugin) Call(
 for _, member := range scope.GetMembers(arg.Headers) {
 value, pres := scope.Associative(arg.Headers, member)
 if pres {
- lazy_v, ok := value.(vfilter.LazyExpr)
+ lazy_v, ok := value.(types.LazyExpr)
 if ok {
 value = lazy_v.Reduce()
 }
@@ -399,7 +400,7 @@ func (self _HttpPlugin) Name() string {
 return "http_client"
 }
-func (self _HttpPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+func (self _HttpPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 return &vfilter.PluginInfo{
 Name: self.Name(),
 Doc: "Make a http request.",
@@ -408,7 +409,7 @@ func (self _HttpPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *v
 }
 // Make sure the file is removed when the query is done.
-func remove_tmpfile(tmpfile string, scope *vfilter.Scope) {
+func remove_tmpfile(tmpfile string, scope vfilter.Scope) {
 scope.Log("tempfile: removing tempfile %v", tmpfile)
 // On windows especially we can not remove files that
diff --git a/vql/networking/network.go b/vql/networking/network.go
index d2bae29f830..465c23224ed 100644
--- a/vql/networking/network.go
+++ b/vql/networking/network.go
@@ -31,7 +31,7 @@ func init() {
 &vfilter.GenericListPlugin{
 PluginName: "interfaces",
 Function: func(
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) []vfilter.Row {
 var result []vfilter.Row
diff --git a/vql/networking/upload.go b/vql/networking/upload.go
index ee012aef6c6..3de5b963b4c 100644
--- a/vql/networking/upload.go
+++ b/vql/networking/upload.go
@@ -39,7 +39,7 @@ type UploadFunctionArgs struct {
 type UploadFunction struct{}
 func (self *UploadFunction) Call(ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) vfilter.Any {
 uploader, ok := artifacts.GetUploader(scope)
@@ -105,7 +105,7 @@ func (self *UploadFunction) Call(ctx context.Context,
 return vfilter.Null{}
 }
-func (self UploadFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+func (self UploadFunction) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 return &vfilter.FunctionInfo{
 Name: "upload",
 Doc: "Upload a file to the upload service. For a Velociraptor " +
@@ -124,7 +124,7 @@ type UploadPlugin struct{}
 func (self *UploadPlugin) Call(
 ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) <-chan vfilter.Row {
 output_chan := make(chan vfilter.Row)
@@ -194,7 +194,7 @@ func (self *UploadPlugin) Call(
 return output_chan
 }
-func (self UploadPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+func (self UploadPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 return &vfilter.PluginInfo{
 Name: "upload",
 Doc: "Upload files to the server.",
diff --git a/vql/parsers/appcache.go b/vql/parsers/appcache.go
index 588dda5e80b..d93d0c6eb3a 100644
--- a/vql/parsers/appcache.go
+++ b/vql/parsers/appcache.go
@@ -17,7 +17,7 @@ type AppCompatCache struct{}
 func (self AppCompatCache) Call(
 ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) <-chan vfilter.Row {
 output_chan := make(chan vfilter.Row)
@@ -43,7 +43,7 @@ func (self AppCompatCache) Call(
 return output_chan
 }
-func (self AppCompatCache) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+func (self AppCompatCache) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 return &vfilter.PluginInfo{
 Name: "appcompatcache",
 Doc: "Parses the appcompatcache.",
diff --git a/vql/parsers/binary.go b/vql/parsers/binary.go
index af19a9e7253..74e604f276f 100644
--- a/vql/parsers/binary.go
+++ b/vql/parsers/binary.go
@@ -21,7 +21,7 @@ type ParseBinaryFunctionArg struct {
 }
 type ParseBinaryFunction struct{}
-func (self ParseBinaryFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+func (self ParseBinaryFunction) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 return &vfilter.FunctionInfo{
 Name: "parse_binary",
 Doc: "Parse a binary file into a datastructure using a profile.",
@@ -30,7 +30,7 @@ func (self ParseBinaryFunction) Info(scope *vfilter.Scope, type_map *vfilter.Typ
 }
 func (self ParseBinaryFunction) Call(
- ctx context.Context, scope *vfilter.Scope,
+ ctx context.Context, scope vfilter.Scope,
 args *ordereddict.Dict) vfilter.Any {
 arg := &ParseBinaryFunctionArg{}
 err := vfilter.ExtractArgs(scope, args, arg)
diff --git a/vql/parsers/csv/csv.go b/vql/parsers/csv/csv.go
index f8d25127b62..8ac8b542567 100644
--- a/vql/parsers/csv/csv.go
+++ b/vql/parsers/csv/csv.go
@@ -40,7 +40,7 @@ type ParseCSVPlugin struct{}
 func (self ParseCSVPlugin) Call(
 ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) <-chan vfilter.Row {
 output_chan := make(chan vfilter.Row)
@@ -112,7 +112,7 @@ func (self ParseCSVPlugin) Call(
 return output_chan
 }
-func (self ParseCSVPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+func (self ParseCSVPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 return &vfilter.PluginInfo{
 Name: "parse_csv",
 Doc: "Parses events from a CSV file.",
@@ -124,7 +124,7 @@ type _WatchCSVPlugin struct{}
 func (self _WatchCSVPlugin) Call(
 ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) <-chan vfilter.Row {
 output_chan := make(chan vfilter.Row)
@@ -168,7 +168,7 @@ func (self _WatchCSVPlugin) Call(
 return output_chan
 }
-func (self _WatchCSVPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+func (self _WatchCSVPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 return &vfilter.PluginInfo{
 Name: "watch_csv",
 Doc: "Watch a CSV file and stream events from it. " +
@@ -187,7 +187,7 @@ type WriteCSVPlugin struct{}
 func (self WriteCSVPlugin) Call(
 ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) <-chan vfilter.Row {
 output_chan := make(chan vfilter.Row)
@@ -273,7 +273,7 @@ func (self WriteCSVPlugin) Call(
 return output_chan
 }
-func (self WriteCSVPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+func (self WriteCSVPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 return &vfilter.PluginInfo{
 Name: "write_csv",
 Doc: "Write a query into a CSV file.",
diff --git a/vql/parsers/csv/watcher.go b/vql/parsers/csv/watcher.go
index 3362f11f455..f31dc9f3ea4 100644
--- a/vql/parsers/csv/watcher.go
+++ b/vql/parsers/csv/watcher.go
@@ -38,7 +38,7 @@ func (self *CSVWatcherService) Register(
 filename string, accessor string,
 ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 output_chan chan vfilter.Row) {
 self.mu.Lock()
@@ -203,5 +203,5 @@ func (self *CSVWatcherService) monitorOnce(
 type Handle struct {
 ctx context.Context
 output_chan chan vfilter.Row
- scope *vfilter.Scope
+ scope vfilter.Scope
 }
diff --git a/vql/parsers/ese/ese.go b/vql/parsers/ese/ese.go
index 89d8363c75c..2ad8215c253 100644
--- a/vql/parsers/ese/ese.go
+++ b/vql/parsers/ese/ese.go
@@ -46,7 +46,7 @@ type _SRUMLookupIdArgs struct {
 type _SRUMLookupId struct{}
-func (self _SRUMLookupId) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+func (self _SRUMLookupId) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 return &vfilter.FunctionInfo{
 Name: "srum_lookup_id",
 Doc: "Lookup a SRUM id.",
@@ -55,7 +55,7 @@ func (self _SRUMLookupId) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap)
 }
 func (self _SRUMLookupId) Call(
- ctx context.Context, scope *vfilter.Scope,
+ ctx context.Context, scope vfilter.Scope,
 args *ordereddict.Dict) vfilter.Any {
 defer utils.RecoverVQL(scope)
@@ -182,7 +182,7 @@ type _ESEPlugin struct{}
 func (self _ESEPlugin) Call(
 ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) <-chan vfilter.Row {
 output_chan := make(chan vfilter.Row)
 go func() {
@@ -259,7 +259,7 @@ func (self _ESEPlugin) Call(
 return output_chan
 }
-func (self _ESEPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+func (self _ESEPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 return &vfilter.PluginInfo{
 Name: "parse_ese",
 Doc: "Opens an ESE file and dump a table.",
diff --git a/vql/parsers/event_logs/evtx.go b/vql/parsers/event_logs/evtx.go
index 067a22e030a..e7ffd04de57 100644
--- a/vql/parsers/event_logs/evtx.go
+++ b/vql/parsers/event_logs/evtx.go
@@ -38,7 +38,7 @@ type _ParseEvtxPlugin struct{}
 func (self _ParseEvtxPlugin) Call(
 ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) <-chan vfilter.Row {
 output_chan := make(chan vfilter.Row)
@@ -132,7 +132,7 @@ func (self _ParseEvtxPlugin) Call(
 return output_chan
 }
-func (self _ParseEvtxPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+func (self _ParseEvtxPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 return &vfilter.PluginInfo{
 Name: "parse_evtx",
 Doc: "Parses events from an EVTX file.",
@@ -144,7 +144,7 @@ type _WatchEvtxPlugin struct{}
 func (self _WatchEvtxPlugin) Call(
 ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) <-chan vfilter.Row {
 output_chan := make(chan vfilter.Row)
@@ -197,7 +197,7 @@ func (self _WatchEvtxPlugin) Call(
 return output_chan
 }
-func (self _WatchEvtxPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+func (self _WatchEvtxPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 return &vfilter.PluginInfo{
 Name: "watch_evtx",
 Doc: "Watch an EVTX file and stream events from it. ",
diff --git a/vql/parsers/event_logs/watcher.go b/vql/parsers/event_logs/watcher.go
index 44ec01ea6af..13bb81cf404 100644
--- a/vql/parsers/event_logs/watcher.go
+++ b/vql/parsers/event_logs/watcher.go
@@ -39,7 +39,7 @@ func (self *EventLogWatcherService) Register(
 filename string, accessor string,
 ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 output_chan chan vfilter.Row) func() {
 self.mu.Lock()
@@ -230,5 +230,5 @@ func (self *EventLogWatcherService) monitorOnce(
 type Handle struct {
 ctx context.Context
 output_chan chan vfilter.Row
- scope *vfilter.Scope
+ scope vfilter.Scope
 }
diff --git a/vql/parsers/grok.go b/vql/parsers/grok.go
index d870a77ccdd..14bf90f6cf5 100644
--- a/vql/parsers/grok.go
+++ b/vql/parsers/grok.go
@@ -18,7 +18,7 @@ type GrokParseFunctionArgs struct {
 type GrokParseFunction struct{}
-func (self GrokParseFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+func (self GrokParseFunction) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 return &vfilter.FunctionInfo{
 Name: "grok",
 Doc: "Parse a string using a Grok expression.",
@@ -27,7 +27,7 @@ func (self GrokParseFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeM
 }
 func (self GrokParseFunction) Call(
- ctx context.Context, scope *vfilter.Scope,
+ ctx context.Context, scope vfilter.Scope,
 args *ordereddict.Dict) vfilter.Any {
 arg := &GrokParseFunctionArgs{}
 err := vfilter.ExtractArgs(scope, args, arg)
diff --git a/vql/parsers/json.go b/vql/parsers/json.go
index 98b5ace5ca2..1192b7c179c 100644
--- a/vql/parsers/json.go
+++ b/vql/parsers/json.go
@@ -33,6 +33,7 @@ import (
 utils "www.velocidex.com/golang/velociraptor/utils"
 vql_subsystem "www.velocidex.com/golang/velociraptor/vql"
 "www.velocidex.com/golang/vfilter"
+ "www.velocidex.com/golang/vfilter/protocols"
 )
 type ParseJsonFunctionArg struct {
@@ -40,7 +41,7 @@ type ParseJsonFunctionArg struct {
 }
 type ParseJsonFunction struct{}
-func (self ParseJsonFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+func (self ParseJsonFunction) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 return &vfilter.FunctionInfo{
 Name: "parse_json",
 Doc: "Parse a JSON string into an object.",
@@ -49,7 +50,7 @@ func (self ParseJsonFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeM
 }
 func (self ParseJsonFunction) Call(
- ctx context.Context, scope *vfilter.Scope,
+ ctx context.Context, scope vfilter.Scope,
 args *ordereddict.Dict) vfilter.Any {
 arg := &ParseJsonFunctionArg{}
 err := vfilter.ExtractArgs(scope, args, arg)
@@ -69,7 +70,7 @@ func (self ParseJsonFunction) Call(
 type ParseJsonArray struct{}
-func (self ParseJsonArray) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+func (self ParseJsonArray) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 return &vfilter.FunctionInfo{
 Name: "parse_json_array",
 Doc: "Parse a JSON string into an array.",
@@ -78,7 +79,7 @@ func (self ParseJsonArray) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap)
 }
 func (self ParseJsonArray) Call(
- ctx context.Context, scope *vfilter.Scope,
+ ctx context.Context, scope vfilter.Scope,
 args *ordereddict.Dict) vfilter.Any {
 arg := &ParseJsonFunctionArg{}
 err := vfilter.ExtractArgs(scope, args, arg)
@@ -126,7 +127,7 @@ type ParseJsonlPlugin struct{}
 func (self ParseJsonlPlugin) Call(
 ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) <-chan vfilter.Row {
 output_chan := make(chan vfilter.Row)
@@ -190,7 +191,7 @@ func (self ParseJsonlPlugin) Call(
 return output_chan
 }
-func (self ParseJsonlPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+func (self ParseJsonlPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 return &vfilter.PluginInfo{
 Name: "parse_jsonl",
 Doc: "Parses a line oriented json file.",
@@ -202,7 +203,7 @@ type ParseJsonArrayPlugin struct{}
 func (self ParseJsonArrayPlugin) Call(
 ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) <-chan vfilter.Row {
 output_chan := make(chan vfilter.Row)
@@ -228,7 +229,7 @@ func (self ParseJsonArrayPlugin) Call(
 return output_chan
 }
-func (self ParseJsonArrayPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+func (self ParseJsonArrayPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 return &vfilter.PluginInfo{
 Name: "parse_json_array",
 Doc: "Parses events from a line oriented json file.",
@@ -242,7 +243,11 @@ type _MapInterfaceAssociativeProtocol struct{}
 func (self _MapInterfaceAssociativeProtocol) Applicable(
 a vfilter.Any, b vfilter.Any) bool {
- if reflect.TypeOf(a).Kind() != reflect.Map {
+ a_type := reflect.TypeOf(a)
+ if a_type == nil {
+ return false
+ }
+ if a_type.Kind() != reflect.Map {
 return false
 }
@@ -251,7 +256,7 @@ func (self _MapInterfaceAssociativeProtocol) Applicable(
 }
 func (self _MapInterfaceAssociativeProtocol) Associative(
- scope *vfilter.Scope, a vfilter.Any, b vfilter.Any) (
+ scope vfilter.Scope, a vfilter.Any, b vfilter.Any) (
 vfilter.Any, bool) {
 key, key_ok := b.(string)
@@ -274,7 +279,7 @@ func (self _MapInterfaceAssociativeProtocol) Associative(
 }
 func (self _MapInterfaceAssociativeProtocol) GetMembers(
- scope *vfilter.Scope, a vfilter.Any) []string {
+ scope vfilter.Scope, a vfilter.Any) []string {
 result := []string{}
 a_map, ok := a.(map[string]interface{})
 if ok {
@@ -317,7 +322,7 @@ func (self _ProtobufAssociativeProtocol) Applicable(
 // Accept either the json emitted field name or the go style field
 // name.
 func (self _ProtobufAssociativeProtocol) Associative(
- scope *vfilter.Scope, a vfilter.Any, b vfilter.Any) (
+ scope vfilter.Scope, a vfilter.Any, b vfilter.Any) (
 vfilter.Any, bool) {
 field, b_ok := b.(string)
@@ -339,7 +344,7 @@ func (self _ProtobufAssociativeProtocol) Associative(
 for _, item := range properties.Prop {
 if field == item.OrigName || field == item.Name {
- result, pres := vfilter.DefaultAssociative{}.Associative(
+ result, pres := protocols.DefaultAssociative{}.Associative(
 scope, a, item.Name)
 // If the result is an any, we decode that
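Review bot: The new nil guard in `_MapInterfaceAssociativeProtocol.Applicable` closes a panic path but carries no explanation, and the reason is not obvious from the code: `reflect.TypeOf(nil)` returns a nil `reflect.Type`, and calling `Kind()` through that nil interface panics, which would take down the query for any untyped nil operand. A one-line comment above `if a_type == nil {`, such as `// reflect.TypeOf(nil) is nil; check before calling Kind() so an untyped nil operand cannot panic the protocol dispatch.`, records why the check exists so it is not folded away later. The remaining hunks in this file are signature and import-path changes only.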
@@ -365,7 +370,7 @@ func (self _ProtobufAssociativeProtocol) Associative(
 // consistent with the same protobuf emitted as json using other
 // means.
 func (self _ProtobufAssociativeProtocol) GetMembers(
- scope *vfilter.Scope, a vfilter.Any) []string {
+ scope vfilter.Scope, a vfilter.Any) []string {
 result := []string{}
 a_value := reflect.Indirect(reflect.ValueOf(a))
@@ -396,14 +401,14 @@ func (self _nilAssociativeProtocol) Applicable(
 }
 func (self _nilAssociativeProtocol) Associative(
- scope *vfilter.Scope, a vfilter.Any, b vfilter.Any) (
+ scope vfilter.Scope, a vfilter.Any, b vfilter.Any) (
 vfilter.Any, bool) {
 return vfilter.Null{}, false
 }
 func (self _nilAssociativeProtocol) GetMembers(
- scope *vfilter.Scope, a vfilter.Any) []string {
+ scope vfilter.Scope, a vfilter.Any) []string {
 return []string{}
 }
@@ -431,7 +436,7 @@ func (self _IndexAssociativeProtocol) Applicable(
 }
 func (self _IndexAssociativeProtocol) Associative(
- scope *vfilter.Scope, a vfilter.Any, b vfilter.Any) (
+ scope vfilter.Scope, a vfilter.Any, b vfilter.Any) (
 vfilter.Any, bool) {
 if b == nil {
@@ -479,7 +484,7 @@ func (self _IndexAssociativeProtocol) Associative(
 }
 func (self _IndexAssociativeProtocol) GetMembers(
- scope *vfilter.Scope, a vfilter.Any) []string {
+ scope vfilter.Scope, a vfilter.Any) []string {
 return []string{}
 }
diff --git a/vql/parsers/ntfs.go b/vql/parsers/ntfs.go
index 5bd90c85658..a7d286a59fa 100644
--- a/vql/parsers/ntfs.go
+++ b/vql/parsers/ntfs.go
@@ -30,7 +30,7 @@ import (
 vfilter "www.velocidex.com/golang/vfilter"
 )
-func GetNTFSContext(scope *vfilter.Scope, device string) (*ntfs.NTFSContext, error) {
+func GetNTFSContext(scope vfilter.Scope, device string) (*ntfs.NTFSContext, error) {
 ntfs_ctx, ok := vql_subsystem.CacheGet(scope, device).(*ntfs.NTFSContext)
 if !ok {
 fd, err := os.OpenFile(device, os.O_RDONLY, os.FileMode(0666))
@@ -70,7 +70,7 @@ type NTFSModel struct {
 type NTFSFunction struct{}
-func (self NTFSFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+func (self NTFSFunction) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 return &vfilter.FunctionInfo{
 Name: "parse_ntfs",
 Doc: "Parse an NTFS image file.",
@@ -79,7 +79,7 @@ func (self NTFSFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *
 }
 func (self NTFSFunction) Call(
- ctx context.Context, scope *vfilter.Scope,
+ ctx context.Context, scope vfilter.Scope,
 args *ordereddict.Dict) vfilter.Any {
 defer utils.RecoverVQL(scope)
@@ -145,7 +145,7 @@ type MFTScanPlugin struct{}
 func (self MFTScanPlugin) Call(
 ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) <-chan vfilter.Row {
 output_chan := make(chan vfilter.Row)
@@ -208,7 +208,7 @@ func (self MFTScanPlugin) Call(
 return output_chan
 }
-func (self MFTScanPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+func (self MFTScanPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 return &vfilter.PluginInfo{
 Name: "parse_mft",
 Doc: "Scan the $MFT from an NTFS volume.",
@@ -220,7 +220,7 @@ type NTFSI30ScanPlugin struct{}
 func (self NTFSI30ScanPlugin) Call(
 ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) <-chan vfilter.Row {
 output_chan := make(chan vfilter.Row)
@@ -279,7 +279,7 @@ func (self NTFSI30ScanPlugin) Call(
 return output_chan
 }
-func (self NTFSI30ScanPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+func (self NTFSI30ScanPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 return &vfilter.PluginInfo{
 Name: "parse_ntfs_i30",
 Doc: "Scan the $I30 stream from an NTFS MFT entry.",
@@ -291,7 +291,7 @@ type NTFSRangesPlugin struct{}
 func (self NTFSRangesPlugin) Call(
 ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) <-chan vfilter.Row {
 output_chan := make(chan vfilter.Row)
@@ -362,7 +362,7 @@ func (self NTFSRangesPlugin) Call(
 return output_chan
 }
-func (self NTFSRangesPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+func (self NTFSRangesPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 return &vfilter.PluginInfo{
 Name: "parse_ntfs_ranges",
 Doc: "Show the run ranges for an NTFS stream.",
diff --git a/vql/parsers/ole.go b/vql/parsers/ole.go
index cd927b8e505..c912a539c14 100644
--- a/vql/parsers/ole.go
+++ b/vql/parsers/ole.go
@@ -44,7 +44,7 @@ type _OLEVBAPlugin struct{}
 func _OLEVBAPlugin_ParseFile(
 ctx context.Context, filename string,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 arg *_OLEVBAArgs) ([]*oleparse.VBAModule, error) {
 defer utils.RecoverVQL(scope)
@@ -133,7 +133,7 @@ func _OLEVBAPlugin_ParseFile(
 func (self _OLEVBAPlugin) Call(
 ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) <-chan vfilter.Row {
 output_chan := make(chan vfilter.Row)
@@ -169,7 +169,7 @@ func (self _OLEVBAPlugin) Call(
 return output_chan
 }
-func (self _OLEVBAPlugin) Info(scope *vfilter.Scope,
+func (self _OLEVBAPlugin) Info(scope vfilter.Scope,
 type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 return &vfilter.PluginInfo{
 Name: "olevba",
diff --git a/vql/parsers/pe.go b/vql/parsers/pe.go
index 7bf83f18643..6d264fbd3ce 100644
--- a/vql/parsers/pe.go
+++ b/vql/parsers/pe.go
@@ -34,7 +34,7 @@ type _PEFunctionArgs struct {
 type _PEFunction struct{}
-func (self _PEFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+func (self _PEFunction) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 return &vfilter.FunctionInfo{
 Name: "parse_pe",
 Doc: "Parse a PE file.",
@@ -43,7 +43,7 @@ func (self _PEFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *v
 }
 func (self _PEFunction) Call(
- ctx context.Context, scope *vfilter.Scope,
+ ctx context.Context, scope vfilter.Scope,
 args *ordereddict.Dict) vfilter.Any {
 arg := &_PEFunctionArgs{}
 err := vfilter.ExtractArgs(scope, args, arg)
diff --git a/vql/parsers/plist.go b/vql/parsers/plist.go
index eb530c9f3a7..1260677e753 100644
--- a/vql/parsers/plist.go
+++ b/vql/parsers/plist.go
@@ -34,7 +34,7 @@ type _PlistFunctionArgs struct {
 type PlistFunction struct{}
-func (self PlistFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+func (self PlistFunction) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 return &vfilter.FunctionInfo{
 Name: "plist",
 Doc: "Parse plist file",
@@ -43,7 +43,7 @@ func (self PlistFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap)
 }
 func (self *PlistFunction) Call(ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) (result vfilter.Any) {
 arg := &_PlistFunctionArgs{}
 err := vfilter.ExtractArgs(scope, args, arg)
@@ -106,7 +106,7 @@ type _PlistPluginArgs struct {
 type _PlistPlugin struct{}
-func (self _PlistPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+func (self _PlistPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 return &vfilter.PluginInfo{
 Name: "plist",
 Doc: "Parses a plist file.",
@@ -116,7 +116,7 @@ func (self _PlistPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) * func (self _PlistPlugin) Call( ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) <-chan vfilter.Row { output_chan := make(chan vfilter.Row) diff --git a/vql/parsers/prefetch.go b/vql/parsers/prefetch.go index affc9842f88..8b9144e009b 100644 --- a/vql/parsers/prefetch.go +++ b/vql/parsers/prefetch.go @@ -39,7 +39,7 @@ type _PrefetchPlugin struct{} func (self _PrefetchPlugin) Call( ctx context.Context, - scope *vfilter.Scope, + scope vfilter.Scope, args *ordereddict.Dict) <-chan vfilter.Row { output_chan := make(chan vfilter.Row) @@ -103,7 +103,7 @@ func (self _PrefetchPlugin) Call( return output_chan } -func (self _PrefetchPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo { +func (self _PrefetchPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo { return &vfilter.PluginInfo{ Name: "prefetch", Doc: "Parses a prefetch file.", diff --git a/vql/parsers/recyclebin.go b/vql/parsers/recyclebin.go index a5366bee5c8..2c2ce998d0c 100644 --- a/vql/parsers/recyclebin.go +++ b/vql/parsers/recyclebin.go @@ -3,12 +3,13 @@ package parsers import ( "context" "io" + "github.com/Velocidex/ordereddict" "www.velocidex.com/golang/velociraptor/glob" utils "www.velocidex.com/golang/velociraptor/utils" vql_subsystem "www.velocidex.com/golang/velociraptor/vql" - vfilter "www.velocidex.com/golang/vfilter" recyclebin "www.velocidex.com/golang/velociraptor/vql/parsers/recyclebin" + vfilter "www.velocidex.com/golang/vfilter" ) /* 
@@ -33,8 +34,7 @@ type _RecycleBinPluginArgs struct {
 type _RecycleBinPlugin struct{}
-
-func (self _RecycleBinPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+func (self _RecycleBinPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 return &vfilter.PluginInfo{
 Name: "parse_recyclebin",
 Doc: "Parses a $I file found in the $Recycle.Bin",
@@ -44,7 +44,7 @@ func (self _RecycleBinPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeM
 func (self _RecycleBinPlugin) Call(
 ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) <-chan vfilter.Row {
 output_chan := make(chan vfilter.Row)
@@ -67,7 +67,7 @@ func (self _RecycleBinPlugin) Call(
 for _, filename := range arg.Filenames {
 func() {
 defer utils.RecoverVQL(scope)
-
+
 accessor, err := glob.GetAccessor(arg.Accessor, scope)
 if err != nil {
 scope.Log("parse_recyclebin: %v", err)
@@ -108,7 +108,6 @@ func (self _RecycleBinPlugin) Call(
 return output_chan
 }
-
 func init() {
 vql_subsystem.RegisterPlugin(&_RecycleBinPlugin{})
 }
diff --git a/vql/parsers/regexparser.go b/vql/parsers/regexparser.go
index 6976b5ba5ff..098dc73a499 100644
--- a/vql/parsers/regexparser.go
+++ b/vql/parsers/regexparser.go
@@ -54,7 +54,7 @@ type _ParseFileWithRegex struct{}
 func _ParseFile(
 ctx context.Context, filename string,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 arg *_ParseFileWithRegexArgs,
 output_chan chan vfilter.Row) {
@@ -128,7 +128,7 @@ func _ParseFile(
 func (self _ParseFileWithRegex) Call(
 ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) <-chan vfilter.Row {
 output_chan := make(chan vfilter.Row)
 arg := &_ParseFileWithRegexArgs{}
@@ -169,7 +169,7 @@ func (self _ParseFileWithRegex) Call(
 return output_chan
 }
-func (self _ParseFileWithRegex) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+func (self _ParseFileWithRegex) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 return &vfilter.PluginInfo{
 Name: "parse_records_with_regex",
 Doc: "Parses a file with a set of regexp and yields matches as records.",
@@ -185,7 +185,7 @@ type _ParseStringWithRegexFunctionArgs struct {
 type _ParseStringWithRegexFunction struct{}
 func (self *_ParseStringWithRegexFunction) Call(ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) (result vfilter.Any) {
 arg := &_ParseStringWithRegexFunctionArgs{}
 err := vfilter.ExtractArgs(scope, args, arg)
@@ -236,7 +236,7 @@ func (self *_ParseStringWithRegexFunction) Call(ctx context.Context,
 return row
 }
-func (self _ParseStringWithRegexFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+func (self _ParseStringWithRegexFunction) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 return &vfilter.FunctionInfo{
 Name: "parse_string_with_regex",
 Doc: "Parse a string with a set of regex and extract fields. Returns " +
@@ -255,7 +255,7 @@ type _RegexReplace struct{}
 func (self _RegexReplace) Call(
 ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) vfilter.Any {
 arg := &_RegexReplaceArg{}
 err := vfilter.ExtractArgs(scope, args, arg)
@@ -272,7 +272,7 @@ func (self _RegexReplace) Call(
 return re.ReplaceAllString(arg.Source, arg.Replace)
 }
-func (self _RegexReplace) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+func (self _RegexReplace) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 return &vfilter.FunctionInfo{
 Name: "regex_replace",
 Doc: "Search and replace a string with a regexp. " +
diff --git a/vql/parsers/splitparser.go b/vql/parsers/splitparser.go
index a4efb90d41f..147ed6a87e8 100644
--- a/vql/parsers/splitparser.go
+++ b/vql/parsers/splitparser.go
@@ -51,7 +51,7 @@ type _SplitRecordParser struct{}
 func processFile(
 ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 file string,
 arg *_SplitRecordParserArgs,
 output_chan chan vfilter.Row) {
@@ -132,7 +132,7 @@ func processFile(
 func (self _SplitRecordParser) Call(
 ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) <-chan vfilter.Row {
 output_chan := make(chan vfilter.Row)
 var compiled_regex *regexp.Regexp
@@ -180,7 +180,7 @@ func (self _SplitRecordParser) Name() string {
 return "split_records"
 }
-func (self _SplitRecordParser) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+func (self _SplitRecordParser) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 return &vfilter.PluginInfo{
 Name: "split_records",
 Doc: "Parses files by splitting lines into records.",
diff --git a/vql/parsers/sqlite.go b/vql/parsers/sqlite.go
index b0ce4a87ec1..1db1c9b27ac 100644
--- a/vql/parsers/sqlite.go
+++ b/vql/parsers/sqlite.go
@@ -51,7 +51,7 @@ type _SQLitePlugin struct{}
 func (self _SQLitePlugin) Call(
 ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) <-chan vfilter.Row {
 output_chan := make(chan vfilter.Row)
 go func() {
@@ -147,7 +147,7 @@ func VFSPathToFilesystemPath(path string) string {
 func (self _SQLitePlugin) GetHandle(
 ctx context.Context,
- arg *_SQLiteArgs, scope *vfilter.Scope) (
+ arg *_SQLiteArgs, scope vfilter.Scope) (
 handle *sqlx.DB, err error) {
 filename := VFSPathToFilesystemPath(arg.Filename)
@@ -206,7 +206,7 @@ func (self _SQLitePlugin) GetHandle(
 func (self _SQLitePlugin) _MakeTempfile(
 ctx context.Context, arg *_SQLiteArgs, filename string,
- scope *vfilter.Scope) (
+ scope vfilter.Scope) (
 string, error) {
 if arg.Accessor != "data" {
@@ -247,7 +247,7 @@ func (self _SQLitePlugin) _MakeTempfile(
 return tmpfile.Name(), nil
 }
-func (self _SQLitePlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+func (self _SQLitePlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 return &vfilter.PluginInfo{
 Name: "sqlite",
 Doc: "Opens an SQLite file and run a query against it.",
diff --git a/vql/parsers/syslog/auditd.go b/vql/parsers/syslog/auditd.go
index a1df37b10c3..cd03659b624 100644
--- a/vql/parsers/syslog/auditd.go
+++ b/vql/parsers/syslog/auditd.go
@@ -19,7 +19,7 @@ import (
 type AuditdPlugin struct{}
-func (self AuditdPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+func (self AuditdPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 return &vfilter.PluginInfo{
 Name: "parse_auditd",
 Doc: "Parse log files generated by auditd.",
@@ -28,7 +28,7 @@ func (self AuditdPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *
 }
 func (self AuditdPlugin) Call(
- ctx context.Context, scope *vfilter.Scope,
+ ctx context.Context, scope vfilter.Scope,
 args *ordereddict.Dict) <-chan vfilter.Row {
 output_chan := make(chan vfilter.Row)
@@ -78,7 +78,7 @@ func (self AuditdPlugin) Call(
 }
 type streamHandler struct {
- scope *vfilter.Scope
+ scope vfilter.Scope
 ctx context.Context
 output_chan chan vfilter.Row
 }
@@ -107,7 +107,7 @@ func (self *streamHandler) outputMultipleMessages(
 type WatchAuditdPlugin struct{}
-func (self WatchAuditdPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+func (self WatchAuditdPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 return &vfilter.PluginInfo{
 Name: "watch_auditd",
 Doc: "Watch log files generated by auditd.",
@@ -116,7 +116,7 @@ func (self WatchAuditdPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeM
 }
 func (self WatchAuditdPlugin) Call(
- ctx context.Context, scope *vfilter.Scope,
+ ctx context.Context, scope vfilter.Scope,
 args *ordereddict.Dict) <-chan vfilter.Row {
 output_chan := make(chan vfilter.Row)
diff --git a/vql/parsers/syslog/scanner.go b/vql/parsers/syslog/scanner.go
index 209f5e6dd1b..b4193d93d6f 100644
--- a/vql/parsers/syslog/scanner.go
+++ b/vql/parsers/syslog/scanner.go
@@ -19,7 +19,7 @@ type ScannerPluginArgs struct {
 type ScannerPlugin struct{}
-func (self ScannerPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+func (self ScannerPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 return &vfilter.PluginInfo{
 Name: "parse_lines",
 Doc: "Parse a file separated into lines.",
@@ -28,7 +28,7 @@ func (self ScannerPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap)
 }
 func (self ScannerPlugin) Call(
- ctx context.Context, scope *vfilter.Scope,
+ ctx context.Context, scope vfilter.Scope,
 args *ordereddict.Dict) <-chan vfilter.Row {
 output_chan := make(chan vfilter.Row)
@@ -84,7 +84,7 @@ type _WatchSyslogPlugin struct{}
 func (self _WatchSyslogPlugin) Call(
 ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) <-chan vfilter.Row {
 output_chan := make(chan vfilter.Row)
@@ -136,7 +136,7 @@ func (self _WatchSyslogPlugin) Call(
 return output_chan
 }
-func (self _WatchSyslogPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+func (self _WatchSyslogPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 return &vfilter.PluginInfo{
 Name: "watch_syslog",
 Doc: "Watch a syslog file and stream events from it. ",
@@ -144,7 +144,7 @@ func (self _WatchSyslogPlugin) Info(scope *vfilter.Scope, type_map *vfilter.Type
 }
 }
-func maybeOpenGzip(scope *vfilter.Scope,
+func maybeOpenGzip(scope vfilter.Scope,
 accessor_name, filename string) (io.ReadCloser, error) {
 accessor, err := glob.GetAccessor(accessor_name, scope)
 if err != nil {
diff --git a/vql/parsers/syslog/watcher.go b/vql/parsers/syslog/watcher.go
index 4dba9fe1a56..a8474fa0882 100644
--- a/vql/parsers/syslog/watcher.go
+++ b/vql/parsers/syslog/watcher.go
@@ -41,7 +41,7 @@ func (self *SyslogWatcherService) Register(
 filename string,
 accessor string,
 ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 output_chan chan vfilter.Row) func() {
 self.mu.Lock()
@@ -268,5 +268,5 @@ type Cursor struct {
 type Handle struct {
 ctx context.Context
 output_chan chan vfilter.Row
- scope *vfilter.Scope
+ scope vfilter.Scope
 }
diff --git a/vql/parsers/usn/usn.go b/vql/parsers/usn/usn.go
index ebd8a711a78..63d528541c0 100644
--- a/vql/parsers/usn/usn.go
+++ b/vql/parsers/usn/usn.go
@@ -21,7 +21,7 @@ type USNPlugin struct{}
 func (self USNPlugin) Call(
 ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) <-chan vfilter.Row {
 output_chan := make(chan vfilter.Row)
@@ -56,7 +56,7 @@ func (self USNPlugin) Call(
 return output_chan
 }
-func (self USNPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+func (self USNPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 return &vfilter.PluginInfo{
 Name: "parse_usn",
 Doc: "Parse the USN journal from a device.",
@@ -72,7 +72,7 @@ type WatchUSNPlugin struct{}
 func (self WatchUSNPlugin) Call(
 ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) <-chan vfilter.Row {
 output_chan := make(chan vfilter.Row)
@@ -118,7 +118,7 @@ func (self WatchUSNPlugin) Call(
 return output_chan
 }
-func (self WatchUSNPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+func (self WatchUSNPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 return &vfilter.PluginInfo{
 Name: "watch_usn",
 Doc: "Watch the USN journal from a device.",
diff --git a/vql/parsers/usn/watcher.go b/vql/parsers/usn/watcher.go
index ed386e04f2d..f9458a50a80 100644
--- a/vql/parsers/usn/watcher.go
+++ b/vql/parsers/usn/watcher.go
@@ -44,7 +44,7 @@ func (self *USNWatcherService) Register(
 device string,
 ctx context.Context,
 config_obj *config_proto.Config,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 output_chan chan vfilter.Row) func() {
 self.mu.Lock()
@@ -175,6 +175,6 @@ func (self *USNWatcherService) StartMonitoring(
 type Handle struct {
 ctx context.Context
 output_chan chan vfilter.Row
- scope *vfilter.Scope
+ scope vfilter.Scope
 id int
 }
diff --git a/vql/parsers/xml.go b/vql/parsers/xml.go
index d64cb5d1cce..6b23b539a3d 100644
--- a/vql/parsers/xml.go
+++ b/vql/parsers/xml.go
@@ -35,7 +35,7 @@ type _ParseXMLFunction struct{}
 func (self _ParseXMLFunction) Call(
 ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) vfilter.Any {
 arg := &_ParseXMLFunctionArgs{}
 err := vfilter.ExtractArgs(scope, args, arg)
@@ -72,7 +72,7 @@ func (self _ParseXMLFunction) Call(
 return result.Old()
 }
-func (self _ParseXMLFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+func (self _ParseXMLFunction) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 return &vfilter.FunctionInfo{
 Name: "parse_xml",
 Doc: "Parse an XML document into a map.",
diff --git a/vql/process.go b/vql/process.go
index 6ea16a5877e..efce92ad3f9 100755
--- a/vql/process.go
+++ b/vql/process.go
@@ -28,6 +28,7 @@ import (
 "www.velocidex.com/golang/velociraptor/acls"
 "www.velocidex.com/golang/velociraptor/utils"
 "www.velocidex.com/golang/vfilter"
+ "www.velocidex.com/golang/vfilter/protocols"
 )
 // Block potentially dangerous methods.
@@ -45,20 +46,20 @@ func (self _ProcessFieldImpl) Applicable(a vfilter.Any, b vfilter.Any) bool {
 }
 func (self _ProcessFieldImpl) Associative(
- scope *vfilter.Scope, a vfilter.Any, b vfilter.Any) (vfilter.Any, bool) {
+ scope vfilter.Scope, a vfilter.Any, b vfilter.Any) (vfilter.Any, bool) {
 field := b.(string)
 if utils.InString(_BlockedMembers, field) {
 return false, true
 }
- res, pres := vfilter.DefaultAssociative{}.Associative(scope, a, b)
+ res, pres := protocols.DefaultAssociative{}.Associative(scope, a, b)
 return res, pres
 }
-func (self _ProcessFieldImpl) GetMembers(scope *vfilter.Scope, a vfilter.Any) []string {
+func (self _ProcessFieldImpl) GetMembers(scope vfilter.Scope, a vfilter.Any) []string {
 var result []string
- for _, item := range (vfilter.DefaultAssociative{}).GetMembers(scope, a) {
+ for _, item := range (protocols.DefaultAssociative{}).GetMembers(scope, a) {
 if !utils.InString(_BlockedMembers, item) {
 result = append(result, item)
 }
@@ -76,7 +77,7 @@ func init() {
 RegisterPlugin(vfilter.GenericListPlugin{
 PluginName: "pslist",
 Function: func(
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) []vfilter.Row {
 var result []vfilter.Row
diff --git a/vql/protocols.go b/vql/protocols.go
index 098a03304b6..b8746898198 100644
--- a/vql/protocols.go
+++ b/vql/protocols.go
@@ -7,6 +7,7 @@ import (
 "github.com/Velocidex/ordereddict"
 "www.velocidex.com/golang/velociraptor/glob"
 "www.velocidex.com/golang/vfilter"
+ "www.velocidex.com/golang/vfilter/protocols"
 )
 type _BoolDict struct{}
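Review bot: `field := b.(string)` in `_ProcessFieldImpl.Associative` is an unchecked type assertion that the switch to `protocols.DefaultAssociative` leaves in place; if `Applicable` (its body lies outside the hunk) does not already guarantee that b is a string, a non-string key panics inside the protocol instead of returning a miss, and this protocol is what keeps `_BlockedMembers` off process objects. I would replace it with `field, ok := b.(string)` followed by `if !ok { return vfilter.Null{}, false }`, which is the same miss shape `_nilAssociativeProtocol.Associative` uses elsewhere in this patch. The identical `protocols.DefaultAssociative{}` swap in `_GlobFileInfoAssociative` in vql/protocols.go needs no change.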
@@ -24,7 +25,7 @@ func (self _BoolDict) Applicable(a vfilter.Any) bool {
 return rt.Kind() == reflect.Slice || rt.Kind() == reflect.Map
 }
-func (self _BoolDict) Bool(scope *vfilter.Scope, a vfilter.Any) bool {
+func (self _BoolDict) Bool(scope vfilter.Scope, a vfilter.Any) bool {
 switch t := a.(type) {
 case ordereddict.Dict:
 return t.Len() > 0
@@ -54,7 +55,7 @@ func (self _BoolTime) Applicable(a vfilter.Any) bool {
 return false
 }
-func (self _BoolTime) Bool(scope *vfilter.Scope, a vfilter.Any) bool {
+func (self _BoolTime) Bool(scope vfilter.Scope, a vfilter.Any) bool {
 switch t := a.(type) {
 case time.Time:
 return t.Unix() > 0
@@ -67,7 +68,7 @@ func (self _BoolTime) Bool(scope *vfilter.Scope, a vfilter.Any) bool {
 type _BoolEq struct{}
-func (self _BoolEq) Eq(scope *vfilter.Scope, a vfilter.Any, b vfilter.Any) bool {
+func (self _BoolEq) Eq(scope vfilter.Scope, a vfilter.Any, b vfilter.Any) bool {
 b_value := false
 switch t := b.(type) {
 case string:
@@ -114,16 +115,16 @@ func (self _GlobFileInfoAssociative) Applicable(
 }
 func (self _GlobFileInfoAssociative) Associative(
- scope *vfilter.Scope, a vfilter.Any, b vfilter.Any) (
+ scope vfilter.Scope, a vfilter.Any, b vfilter.Any) (
 vfilter.Any, bool) {
- return vfilter.DefaultAssociative{}.Associative(scope, a, b)
+ return protocols.DefaultAssociative{}.Associative(scope, a, b)
 }
 // Only expose some fields that are explicitly provided by the
 // glob.FileInfo interface. This cleans up * expansion in SELECT *
 // FROM ...
 func (self _GlobFileInfoAssociative) GetMembers(
- scope *vfilter.Scope, a vfilter.Any) []string {
+ scope vfilter.Scope, a vfilter.Any) []string {
 return []string{"Name", "ModTime", "FullPath", "Mtime", "Ctime", "Atime", "Data", "Size", "IsDir", "IsLink", "Mode", "Sys"}
diff --git a/vql/protocols/lazy.go b/vql/protocols/lazy.go
index 99907280c93..56b521f5e27 100644
--- a/vql/protocols/lazy.go
+++ b/vql/protocols/lazy.go
@@ -36,7 +36,7 @@ func (self _CallableBool) Applicable(a vfilter.Any) bool {
 return ok
 }
-func (self _CallableBool) Bool(scope *vfilter.Scope, a vfilter.Any) bool {
+func (self _CallableBool) Bool(scope vfilter.Scope, a vfilter.Any) bool {
 v, _ := callable(a)
 return scope.Bool(v())
 }
@@ -49,7 +49,7 @@ func (self _CallableEq) Applicable(a vfilter.Any, b vfilter.Any) bool {
 return a_ok || b_ok
 }
-func (self _CallableEq) Eq(scope *vfilter.Scope, a vfilter.Any, b vfilter.Any) bool {
+func (self _CallableEq) Eq(scope vfilter.Scope, a vfilter.Any, b vfilter.Any) bool {
 a_value, a_ok := callable(a)
 if a_ok {
 return scope.Eq(a_value(), b)
@@ -69,7 +69,7 @@ func (self _CallableLt) Applicable(a vfilter.Any, b vfilter.Any) bool {
 return a_ok || b_ok
 }
-func (self _CallableLt) Lt(scope *vfilter.Scope, a vfilter.Any, b vfilter.Any) bool {
+func (self _CallableLt) Lt(scope vfilter.Scope, a vfilter.Any, b vfilter.Any) bool {
 a_value, a_ok := callable(a)
 if a_ok {
 return scope.Lt(a_value(), b)
@@ -89,7 +89,7 @@ func (self _CallableAdd) Applicable(a vfilter.Any, b vfilter.Any) bool {
 return a_ok || b_ok
 }
-func (self _CallableAdd) Add(scope *vfilter.Scope, a vfilter.Any, b vfilter.Any) vfilter.Any {
+func (self _CallableAdd) Add(scope vfilter.Scope, a vfilter.Any, b vfilter.Any) vfilter.Any {
 a_value, a_ok := callable(a)
 if a_ok {
 return scope.Add(a_value(), b)
@@ -109,7 +109,7 @@ func (self _CallableSub) Applicable(a vfilter.Any, b vfilter.Any) bool {
 return a_ok || b_ok
 }
-func (self _CallableSub) Sub(scope *vfilter.Scope, a vfilter.Any, b vfilter.Any) vfilter.Any {
+func (self _CallableSub) Sub(scope vfilter.Scope, a vfilter.Any, b vfilter.Any) vfilter.Any {
 a_value, a_ok := callable(a)
 if a_ok {
 return scope.Sub(a_value(), b)
@@ -129,7 +129,7 @@ func (self _CallableMul) Applicable(a vfilter.Any, b vfilter.Any) bool {
 return a_ok || b_ok
 }
-func (self _CallableMul) Mul(scope *vfilter.Scope, a vfilter.Any, b vfilter.Any) vfilter.Any {
+func (self _CallableMul) Mul(scope vfilter.Scope, a vfilter.Any, b vfilter.Any) vfilter.Any {
 a_value, a_ok := callable(a)
 if a_ok {
 return scope.Mul(a_value(), b)
@@ -149,7 +149,7 @@ func (self _CallableDiv) Applicable(a vfilter.Any, b vfilter.Any) bool {
 return a_ok || b_ok
 }
-func (self _CallableDiv) Div(scope *vfilter.Scope, a vfilter.Any, b vfilter.Any) vfilter.Any {
+func (self _CallableDiv) Div(scope vfilter.Scope, a vfilter.Any, b vfilter.Any) vfilter.Any {
 a_value, a_ok := callable(a)
 if a_ok {
 return scope.Div(a_value(), b)
@@ -169,7 +169,7 @@ func (self _CallableMembership) Applicable(a vfilter.Any, b vfilter.Any) bool {
 return a_ok || b_ok
 }
-func (self _CallableMembership) Membership(scope *vfilter.Scope, a vfilter.Any, b vfilter.Any) bool {
+func (self _CallableMembership) Membership(scope vfilter.Scope, a vfilter.Any, b vfilter.Any) bool {
 a_value, a_ok := callable(a)
 if a_ok {
 return scope.Membership(a_value(), b)
@@ -189,7 +189,7 @@ func (self _CallableAssociative) Applicable(a vfilter.Any, b vfilter.Any) bool {
 return a_ok || b_ok
 }
-func (self _CallableAssociative) GetMembers(scope *vfilter.Scope, a vfilter.Any) []string {
+func (self _CallableAssociative) GetMembers(scope vfilter.Scope, a vfilter.Any) []string {
 a_value, a_ok := callable(a)
 if a_ok {
 return scope.GetMembers(a_value())
@@ -197,7 +197,7 @@ func (self _CallableAssociative) GetMembers(scope *vfilter.Scope, a vfilter.Any)
 return []string{}
 }
-func (self _CallableAssociative) Associative(scope *vfilter.Scope, a vfilter.Any, b vfilter.Any) (
+func (self _CallableAssociative) Associative(scope vfilter.Scope, a vfilter.Any, b vfilter.Any) (
 vfilter.Any, bool) {
 a_value, a_ok := callable(a)
 if a_ok {
@@ -217,7 +217,7 @@ func (self _CallableRegex) Applicable(a vfilter.Any, b vfilter.Any) bool {
 return b_ok
 }
-func (self _CallableRegex) Match(scope *vfilter.Scope, a vfilter.Any, b vfilter.Any) bool {
+func (self _CallableRegex) Match(scope vfilter.Scope, a vfilter.Any, b vfilter.Any) bool {
 b_value, b_ok := callable(b)
 if b_ok {
 return scope.Match(a, b_value())
@@ -233,7 +233,7 @@ func (self _CallableIterate) Applicable(a vfilter.Any) bool {
 }
 func (self _CallableIterate) Iterate(ctx context.Context,
- scope *vfilter.Scope, a vfilter.Any) <-chan vfilter.Row {
+ scope vfilter.Scope, a vfilter.Any) <-chan vfilter.Row {
 a_value, a_ok := callable(a)
 if a_ok {
diff --git a/vql/readers/paged.go b/vql/readers/paged.go
index 84b0bf59731..60734798fa8 100644
--- a/vql/readers/paged.go
+++ b/vql/readers/paged.go
@@ -69,7 +69,7 @@ type AccessorReader struct {
 mu sync.Mutex
 Accessor, File string
- Scope *vfilter.Scope
+ Scope vfilter.Scope
 key string
@@ -131,7 +131,7 @@ func (self *AccessorReader) ReadAt(buf []byte, offset int64) (int, error) {
 return self.paged_reader.ReadAt(buf, offset)
 }
-func NewPagedReader(scope *vfilter.Scope, accessor, filename string) *AccessorReader {
+func NewPagedReader(scope vfilter.Scope, accessor, filename string) *AccessorReader {
 var pool *ReaderPool
 pool_any := vql_subsystem.CacheGet(scope, READERS_CACHE)
diff --git a/vql/scope.go b/vql/scope.go
index bc540034f5a..51b00833552 100644
--- a/vql/scope.go
+++ b/vql/scope.go
@@ -43,7 +43,7 @@ func (self *ScopeCache) Set(key string, value interface{}) {
 self.cache[key] = value
 }
-func CacheGet(scope *vfilter.Scope, key string) interface{} {
+func CacheGet(scope vfilter.Scope, key string) interface{} {
 any_obj, _ := scope.Resolve(CACHE_VAR)
 cache, ok := any_obj.(*ScopeCache)
 if ok {
@@ -55,7 +55,7 @@ func CacheGet(scope *vfilter.Scope, key string) interface{} {
 return nil
 }
-func CacheSet(scope *vfilter.Scope, key string, value interface{}) {
+func CacheSet(scope vfilter.Scope, key string, value interface{}) {
 any_obj, _ := scope.Resolve(CACHE_VAR)
 cache, ok := any_obj.(*ScopeCache)
 if ok {
@@ -69,7 +69,7 @@ func CacheSet(scope *vfilter.Scope, key string, value interface{}) {
 // The server config is sensitive and so it is *not* stored in the
 // scope vars and so can not be accessed by the VQL query
 // directly. VQL plugins can access it via this method.
-func GetServerConfig(scope *vfilter.Scope) (*config_proto.Config, bool) {
+func GetServerConfig(scope vfilter.Scope) (*config_proto.Config, bool) {
 config_any := CacheGet(scope, constants.SCOPE_SERVER_CONFIG)
 if utils.IsNil(config_any) {
 return nil, false
diff --git a/vql/server/artifacts.go b/vql/server/artifacts.go
index 47c59ab2b3b..0271759493e 100644
--- a/vql/server/artifacts.go
+++ b/vql/server/artifacts.go
@@ -44,7 +44,7 @@ type ScheduleCollectionFunctionArg struct {
 type ScheduleCollectionFunction struct{}
 func (self *ScheduleCollectionFunction) Call(ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) vfilter.Any {
 arg := &ScheduleCollectionFunctionArg{}
@@ -109,6 +109,11 @@ func (self *ScheduleCollectionFunction) Call(ctx context.Context,
 arg.Spec = spec
 }
+ if arg.Spec == nil {
+ scope.Log("Either spec or env must be provided.")
+ return vfilter.Null{}
+ }
+
 err = tools.AddSpecProtobuf(config_obj, repository, scope, arg.Spec, request)
 if err != nil {
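Review bot: The new guard's log line in `ScheduleCollectionFunction.Call` lacks the plugin-name prefix that the other `scope.Log` calls in this patch carry (compare `scope.Log("parse_recyclebin: %v", err)` in vql/parsers/recyclebin.go), so the message cannot be attributed to `collect_client` when it shows up in a query log; suggest `scope.Log("collect_client: either spec or env must be provided")`. Returning `vfilter.Null{}` before a nil `arg.Spec` is handed to `tools.AddSpecProtobuf` is the right shape for the check. The enclosing Call body starts and ends outside the hunk.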
@@ -145,7 +150,7 @@ func (self *ScheduleCollectionFunction) Call(ctx context.Context,
 	return json.ConvertProtoToOrderedDict(result)
 }
 
-func (self ScheduleCollectionFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+func (self ScheduleCollectionFunction) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 	return &vfilter.FunctionInfo{
 		Name: "collect_client",
 		Doc:  "Launch an artifact collection against a client.",
diff --git a/vql/server/clients/clients.go b/vql/server/clients/clients.go
index 728770100ce..a1e4e5ed892 100644
--- a/vql/server/clients/clients.go
+++ b/vql/server/clients/clients.go
@@ -45,7 +45,7 @@ type ClientsPlugin struct{}
 
 func (self ClientsPlugin) Call(
 	ctx context.Context,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	args *ordereddict.Dict) <-chan vfilter.Row {
 	output_chan := make(chan vfilter.Row)
 
@@ -121,7 +121,7 @@ func (self ClientsPlugin) Call(
 	return output_chan
 }
 
-func (self ClientsPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+func (self ClientsPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 	return &vfilter.PluginInfo{
 		Name: "clients",
 		Doc:  "Retrieve the list of clients.",
@@ -136,7 +136,7 @@ type ClientInfoFunctionArgs struct {
 type ClientInfoFunction struct{}
 
 func (self *ClientInfoFunction) Call(ctx context.Context,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	args *ordereddict.Dict) vfilter.Any {
 
 	err := vql_subsystem.CheckAccess(scope, acls.READ_RESULTS)
@@ -167,7 +167,7 @@ func (self *ClientInfoFunction) Call(ctx context.Context,
 }
 
 func (self ClientInfoFunction) Info(
-	scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+	scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 	return &vfilter.FunctionInfo{
 		Name: "client_info",
 		Doc:  "Returns client info (like the fqdn) from the datastore.",
diff --git a/vql/server/clients/metadata.go b/vql/server/clients/metadata.go
index 531ad6268a3..46020e5e11a 100644
--- a/vql/server/clients/metadata.go
+++ b/vql/server/clients/metadata.go
@@ -22,7 +22,7 @@ type ClientMetadataFunctionArgs struct {
 type ClientMetadataFunction struct{}
 
 func (self *ClientMetadataFunction) Call(ctx context.Context,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	args *ordereddict.Dict) vfilter.Any {
 
 	arg := &ClientMetadataFunctionArgs{}
@@ -72,7 +72,7 @@ func (self *ClientMetadataFunction) Call(ctx context.Context,
 }
 
 func (self ClientMetadataFunction) Info(
-	scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+	scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 	return &vfilter.FunctionInfo{
 		Name: "client_metadata",
 		Doc:  "Returns client metadata from the datastore. Client metadata is a set of free form key/value data",
@@ -87,7 +87,7 @@ type ClientSetMetadataFunctionArgs struct {
 type ClientSetMetadataFunction struct{}
 
 func (self *ClientSetMetadataFunction) Call(ctx context.Context,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	args *ordereddict.Dict) vfilter.Any {
 
 	// Collapse lazy args etc.
@@ -152,7 +152,7 @@ func (self *ClientSetMetadataFunction) Call(ctx context.Context,
 }
 
 func (self ClientSetMetadataFunction) Info(
-	scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+	scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 	return &vfilter.FunctionInfo{
 		Name: "client_set_metadata",
 		Doc:  "Sets client metadata. Client metadata is a set of free form key/value data",
@@ -163,14 +163,14 @@ func (self ClientSetMetadataFunction) Info(
 type ServerMetadataFunction struct{}
 
 func (self *ServerMetadataFunction) Call(ctx context.Context,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	args *ordereddict.Dict) vfilter.Any {
 	args.Set("client_id", "server")
 	return (&ClientMetadataFunction{}).Call(ctx, scope, args)
 }
 
 func (self ServerMetadataFunction) Info(
-	scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+	scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 	return &vfilter.FunctionInfo{
 		Name: "server_metadata",
 		Doc:  "Returns client metadata from the datastore. Client metadata is a set of free form key/value data",
@@ -181,14 +181,14 @@ func (self ServerMetadataFunction) Info(
 type ServerSetMetadataFunction struct{}
 
 func (self *ServerSetMetadataFunction) Call(ctx context.Context,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	args *ordereddict.Dict) vfilter.Any {
 	args.Set("client_id", "server")
 	return (&ClientSetMetadataFunction{}).Call(ctx, scope, args)
 }
 
 func (self ServerSetMetadataFunction) Info(
-	scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+	scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 	return &vfilter.FunctionInfo{
 		Name: "server_set_metadata",
 		Doc:  "Sets client metadata. Client metadata is a set of free form key/value data",
diff --git a/vql/server/compress.go b/vql/server/compress.go
index 9c5df633b00..4d89b09e095 100644
--- a/vql/server/compress.go
+++ b/vql/server/compress.go
@@ -38,7 +38,7 @@ type CompressArgs struct {
 type Compress struct{}
 
 func (self *Compress) Call(ctx context.Context,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	args *ordereddict.Dict) vfilter.Any {
 
 	err := vql_subsystem.CheckAccess(scope, acls.FILESYSTEM_WRITE)
@@ -105,7 +105,7 @@ func (self *Compress) Call(ctx context.Context,
 	return result
 }
 
-func (self Compress) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+func (self Compress) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 	return &vfilter.FunctionInfo{
 		Name: "compress",
 		Doc:  "Compress a file in the server's FileStore. ",
diff --git a/vql/server/delete.go b/vql/server/delete.go
index c15ce506dd1..9ea2d3a26ce 100644
--- a/vql/server/delete.go
+++ b/vql/server/delete.go
@@ -24,7 +24,7 @@ type DeleteClientArgs struct {
 type DeleteClientPlugin struct{}
 
 func (self *DeleteClientPlugin) Call(ctx context.Context,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	args *ordereddict.Dict) <-chan vfilter.Row {
 
 	output_chan := make(chan vfilter.Row)
@@ -160,7 +160,7 @@ func (self *DeleteClientPlugin) Call(ctx context.Context,
 }
 
 func (self DeleteClientPlugin) Info(
-	scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+	scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 	return &vfilter.PluginInfo{
 		Name: "client_delete",
 		Doc:  "Delete all information related to a client. ",
diff --git a/vql/server/downloads/downloads.go b/vql/server/downloads/downloads.go
index dafe09f9b66..ab57366e06a 100644
--- a/vql/server/downloads/downloads.go
+++ b/vql/server/downloads/downloads.go
@@ -41,7 +41,7 @@ type CreateFlowDownloadArgs struct {
 type CreateFlowDownload struct{}
 
 func (self *CreateFlowDownload) Call(ctx context.Context,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	args *ordereddict.Dict) vfilter.Any {
 
 	arg := &CreateFlowDownloadArgs{}
@@ -93,7 +93,7 @@ func (self *CreateFlowDownload) Call(ctx context.Context,
 	return vfilter.Null{}
 }
 
-func (self CreateFlowDownload) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+func (self CreateFlowDownload) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 	return &vfilter.FunctionInfo{
 		Name: "create_flow_download",
 		Doc:  "Creates a download pack for the flow.",
@@ -112,7 +112,7 @@ type CreateHuntDownloadArgs struct {
 type CreateHuntDownload struct{}
 
 func (self *CreateHuntDownload) Call(ctx context.Context,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	args *ordereddict.Dict) vfilter.Any {
 
 	arg := &CreateHuntDownloadArgs{}
@@ -164,7 +164,7 @@ func (self *CreateHuntDownload) Call(ctx context.Context,
 	return result
 }
 
-func (self CreateHuntDownload) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+func (self CreateHuntDownload) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 	return &vfilter.FunctionInfo{
 		Name: "create_hunt_download",
 		Doc:  "Creates a download pack for a hunt.",
@@ -368,7 +368,7 @@ func downloadFlowToZip(
 func createHuntDownloadFile(
 	ctx context.Context,
 	config_obj *config_proto.Config,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	hunt_id string,
 	write_json, write_csv bool,
 	wait, only_combined bool,
@@ -588,7 +588,7 @@ func createHuntDownloadFile(
 func StoreVQLAsCSVAndJsonFile(
 	ctx context.Context,
 	config_obj *config_proto.Config,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	query string,
 	write_csv bool,
 	write_json bool,
diff --git a/vql/server/downloads/reporting.go b/vql/server/downloads/reporting.go
index a58f645247d..22cc42f3e4e 100644
--- a/vql/server/downloads/reporting.go
+++ b/vql/server/downloads/reporting.go
@@ -43,7 +43,7 @@ func getHTMLTemplate(
 
 func WriteFlowReport(
 	config_obj *config_proto.Config,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	repository services.Repository,
 	writer io.Writer,
 	flow_id, client_id, template string) error {
@@ -133,7 +133,7 @@ func WriteFlowReport(
 
 func CreateFlowReport(
 	config_obj *config_proto.Config,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	flow_id, client_id, template string,
 	wait bool) (string, error) {
 
diff --git a/vql/server/elastic.go b/vql/server/elastic.go
index a752f2033ba..77f72c886ea 100644
--- a/vql/server/elastic.go
+++ b/vql/server/elastic.go
@@ -71,7 +71,7 @@ type _ElasticPluginArgs struct {
 type _ElasticPlugin struct{}
 
 func (self _ElasticPlugin) Call(ctx context.Context,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	args *ordereddict.Dict) <-chan vfilter.Row {
 	output_chan := make(chan vfilter.Row)
 
@@ -124,7 +124,7 @@ func (self _ElasticPlugin) Call(ctx context.Context,
 // Copy rows from row_chan to a local buffer and push it up to elastic.
 func upload_rows(
 	ctx context.Context,
-	scope *vfilter.Scope, output_chan chan vfilter.Row,
+	scope vfilter.Scope, output_chan chan vfilter.Row,
 	row_chan <-chan vfilter.Row,
 	id int64,
 	wg *sync.WaitGroup,
@@ -191,7 +191,7 @@ func upload_rows(
 
 func append_row_to_buffer(
 	ctx context.Context,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	row vfilter.Row, id int64,
 	buf *bytes.Buffer,
 	arg *_ElasticPluginArgs) error {
@@ -225,7 +225,7 @@ func append_row_to_buffer(
 
 func send_to_elastic(
 	ctx context.Context,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	output_chan chan vfilter.Row,
 	client *elasticsearch.Client, buf *bytes.Buffer) {
 	b := buf.Bytes()
@@ -265,7 +265,7 @@ func sanitize_index(name string) string {
 }
 
 func (self _ElasticPlugin) Info(
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 	return &vfilter.PluginInfo{
 		Name: "elastic_upload",
diff --git a/vql/server/event_monitoring.go b/vql/server/event_monitoring.go
index 38f0dec73e1..ec41dafca5d 100644
--- a/vql/server/event_monitoring.go
+++ b/vql/server/event_monitoring.go
@@ -21,7 +21,7 @@ type GetClientMonitoring struct{}
 
 func (self GetClientMonitoring) Call(
 	ctx context.Context,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	args *ordereddict.Dict) vfilter.Any {
 
 	err := vql_subsystem.CheckAccess(scope, acls.SERVER_ADMIN)
@@ -46,7 +46,7 @@ func (self GetClientMonitoring) Call(
 	return services.ClientEventManager().GetClientMonitoringState()
 }
 
-func (self GetClientMonitoring) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+func (self GetClientMonitoring) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 	return &vfilter.FunctionInfo{
 		Name: "get_client_monitoring",
 		Doc:  "Retrieve the current client monitoring state.",
@@ -62,7 +62,7 @@ type SetClientMonitoring struct{}
 
 func (self SetClientMonitoring) Call(
 	ctx context.Context,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	args *ordereddict.Dict) vfilter.Any {
 
 	err := vql_subsystem.CheckAccess(scope, acls.SERVER_ADMIN)
@@ -117,7 +117,7 @@ func (self SetClientMonitoring) Call(
 	return value
 }
 
-func (self SetClientMonitoring) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+func (self SetClientMonitoring) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 	return &vfilter.FunctionInfo{
 		Name: "set_client_monitoring",
 		Doc:  "Sets the current client monitoring state.",
@@ -131,7 +131,7 @@ type GetServerMonitoring struct{}
 
 func (self GetServerMonitoring) Call(
 	ctx context.Context,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	args *ordereddict.Dict) vfilter.Any {
 
 	err := vql_subsystem.CheckAccess(scope, acls.SERVER_ADMIN)
@@ -172,7 +172,7 @@ func (self GetServerMonitoring) Call(
 	return result
 }
 
-func (self GetServerMonitoring) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+func (self GetServerMonitoring) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 	return &vfilter.FunctionInfo{
 		Name: "get_server_monitoring",
 		Doc:  "Retrieve the current client monitoring state.",
@@ -188,7 +188,7 @@ type SetServerMonitoring struct{}
 
 func (self SetServerMonitoring) Call(
 	ctx context.Context,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	args *ordereddict.Dict) vfilter.Any {
 
 	err := vql_subsystem.CheckAccess(scope, acls.SERVER_ADMIN)
@@ -249,7 +249,7 @@ func (self SetServerMonitoring) Call(
 	return response
 }
 
-func (self SetServerMonitoring) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+func (self SetServerMonitoring) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 	return &vfilter.FunctionInfo{
 		Name: "set_server_monitoring",
 		Doc:  "Sets the current server monitoring state.",
diff --git a/vql/server/file_store.go b/vql/server/file_store.go
index ce24ca5d970..912e00aa921 100644
--- a/vql/server/file_store.go
+++ b/vql/server/file_store.go
@@ -39,7 +39,7 @@ type DeleteFileStoreArgs struct {
 type DeleteFileStore struct{}
 
 func (self *DeleteFileStore) Call(ctx context.Context,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	args *ordereddict.Dict) vfilter.Any {
 
 	arg := &DeleteFileStoreArgs{}
@@ -80,7 +80,7 @@ func (self *DeleteFileStore) Call(ctx context.Context,
 	return arg.VFSPath
 }
 
-func (self DeleteFileStore) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+func (self DeleteFileStore) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 	return &vfilter.FunctionInfo{
 		Name: "file_store_delete",
 		Doc:  "Delete file store paths into full filesystem paths. ",
@@ -95,7 +95,7 @@ type FileStoreArgs struct {
 type FileStore struct{}
 
 func (self *FileStore) Call(ctx context.Context,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	args *ordereddict.Dict) vfilter.Any {
 	arg := &FileStoreArgs{}
 	err := vfilter.ExtractArgs(scope, args, arg)
@@ -121,7 +121,7 @@ func (self *FileStore) Call(ctx context.Context,
 	return result
 }
 
-func (self FileStore) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+func (self FileStore) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 	return &vfilter.FunctionInfo{
 		Name: "file_store",
 		Doc:  "Resolves file store paths into full filesystem paths. ",
diff --git a/vql/server/flows.go b/vql/server/flows.go
index 5611a8efb2e..61336ef2b85 100644
--- a/vql/server/flows.go
+++ b/vql/server/flows.go
@@ -25,7 +25,7 @@ type FlowsPlugin struct{}
 
 func (self FlowsPlugin) Call(
 	ctx context.Context,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	args *ordereddict.Dict) <-chan vfilter.Row {
 	output_chan := make(chan vfilter.Row)
 
@@ -96,7 +96,7 @@ func (self FlowsPlugin) Call(
 	return output_chan
 }
 
-func (self FlowsPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+func (self FlowsPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 	return &vfilter.PluginInfo{
 		Name: "flows",
 		Doc:  "Retrieve the flows launched on each client.",
@@ -107,7 +107,7 @@ func (self FlowsPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *v
 type CancelFlowFunction struct{}
 
 func (self *CancelFlowFunction) Call(ctx context.Context,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	args *ordereddict.Dict) vfilter.Any {
 
 	arg := &FlowsPluginArgs{}
@@ -144,7 +144,7 @@ func (self *CancelFlowFunction) Call(ctx context.Context,
 	return json.ConvertProtoToOrderedDict(res)
 }
 
-func (self CancelFlowFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+func (self CancelFlowFunction) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 	return &vfilter.FunctionInfo{
 		Name: "cancel_flow",
 		Doc:  "Cancels the flow.",
@@ -156,7 +156,7 @@ type EnumerateFlowPlugin struct{}
 
 func (self EnumerateFlowPlugin) Call(
 	ctx context.Context,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	args *ordereddict.Dict) <-chan vfilter.Row {
 	output_chan := make(chan vfilter.Row)
 
@@ -244,7 +244,7 @@ func (self EnumerateFlowPlugin) Call(
 	return output_chan
 }
 
-func (self EnumerateFlowPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+func (self EnumerateFlowPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 	return &vfilter.PluginInfo{
 		Name: "enumerate_flow",
 		Doc:  "Enumerate all the files that make up a flow.",
diff --git a/vql/server/hunts/create.go b/vql/server/hunts/create.go
index 5763d5ec8a0..2cdfdeb1da4 100644
--- a/vql/server/hunts/create.go
+++ b/vql/server/hunts/create.go
@@ -44,7 +44,7 @@ type ScheduleHuntFunctionArg struct {
 type ScheduleHuntFunction struct{}
 
 func (self *ScheduleHuntFunction) Call(ctx context.Context,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	args *ordereddict.Dict) vfilter.Any {
 
 	err := vql_subsystem.CheckAccess(scope, acls.COLLECT_CLIENT)
@@ -108,7 +108,7 @@ func (self *ScheduleHuntFunction) Call(ctx context.Context,
 	return ordereddict.NewDict().Set("HuntId", hunt_id)
 }
 
-func (self ScheduleHuntFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+func (self ScheduleHuntFunction) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 	return &vfilter.FunctionInfo{
 		Name: "hunt",
 		Doc:  "Launch an artifact collection against a client.",
@@ -124,7 +124,7 @@ type AddToHuntFunctionArg struct {
 type AddToHuntFunction struct{}
 
 func (self *AddToHuntFunction) Call(ctx context.Context,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	args *ordereddict.Dict) vfilter.Any {
 
 	err := vql_subsystem.CheckAccess(scope, acls.COLLECT_CLIENT)
@@ -166,7 +166,7 @@ func (self *AddToHuntFunction) Call(ctx context.Context,
 	return arg.ClientId
 }
 
-func (self AddToHuntFunction) Info(scope *vfilter.Scope,
+func (self AddToHuntFunction) Info(scope vfilter.Scope,
 	type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 	return &vfilter.FunctionInfo{
 		Name: "hunt_add",
diff --git a/vql/server/hunts/hunts.go b/vql/server/hunts/hunts.go
index a94a0ceca8f..ff56fc35f7b 100644
--- a/vql/server/hunts/hunts.go
+++ b/vql/server/hunts/hunts.go
@@ -49,7 +49,7 @@ type HuntsPlugin struct{}
 
 func (self HuntsPlugin) Call(
 	ctx context.Context,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	args *ordereddict.Dict) <-chan vfilter.Row {
 	output_chan := make(chan vfilter.Row)
 	go func() {
@@ -124,7 +124,7 @@ func (self HuntsPlugin) Call(
 	return output_chan
 }
 
-func (self HuntsPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+func (self HuntsPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 	return &vfilter.PluginInfo{
 		Name: "hunts",
 		Doc:  "Retrieve the list of hunts.",
@@ -143,7 +143,7 @@ type HuntResultsPlugin struct{}
 
 func (self HuntResultsPlugin) Call(
 	ctx context.Context,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	args *ordereddict.Dict) <-chan vfilter.Row {
 	output_chan := make(chan vfilter.Row)
 
@@ -284,7 +284,7 @@ func (self HuntResultsPlugin) Call(
 	return output_chan
 }
 
-func (self HuntResultsPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+func (self HuntResultsPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 	return &vfilter.PluginInfo{
 		Name: "hunt_results",
 		Doc:  "Retrieve the results of a hunt.",
@@ -302,7 +302,7 @@ type HuntFlowsPlugin struct{}
 
 func (self HuntFlowsPlugin) Call(
 	ctx context.Context,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	args *ordereddict.Dict) <-chan vfilter.Row {
 	output_chan := make(chan vfilter.Row)
 	go func() {
@@ -376,7 +376,7 @@ func (self HuntFlowsPlugin) Call(
 	return output_chan
 }
 
-func (self HuntFlowsPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+func (self HuntFlowsPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 	return &vfilter.PluginInfo{
 		Name: "hunt_flows",
 		Doc:  "Retrieve the flows launched by a hunt.",
diff --git a/vql/server/inventory.go b/vql/server/inventory.go
index e2a850ae932..939b5be657d 100644
--- a/vql/server/inventory.go
+++ b/vql/server/inventory.go
@@ -34,7 +34,7 @@ type InventoryAddFunctionArgs struct {
 type InventoryAddFunction struct{}
 
 func (self *InventoryAddFunction) Call(ctx context.Context,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	args *ordereddict.Dict) vfilter.Any {
 
 	arg := &InventoryAddFunctionArgs{}
@@ -121,7 +121,7 @@ func (self *InventoryAddFunction) Call(ctx context.Context,
 }
 
 func (self *InventoryAddFunction) Info(
-	scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+	scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 	return &vfilter.FunctionInfo{
 		Name: "inventory_add",
 		Doc:  "Add tool to ThirdParty inventory.",
@@ -136,7 +136,7 @@ type InventoryGetFunctionArgs struct {
 type InventoryGetFunction struct{}
 
 func (self *InventoryGetFunction) Call(ctx context.Context,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	args *ordereddict.Dict) vfilter.Any {
 
 	arg := &InventoryGetFunctionArgs{}
@@ -177,7 +177,7 @@ func (self *InventoryGetFunction) Call(ctx context.Context,
 }
 
 func (self *InventoryGetFunction) Info(
-	scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+	scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 	return &vfilter.FunctionInfo{
 		Name: "inventory_get",
 		Doc:  "Get tool info from inventory service.",
@@ -191,7 +191,7 @@ type InventoryPlugin struct{}
 
 func (self InventoryPlugin) Call(
 	ctx context.Context,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	args *ordereddict.Dict) <-chan vfilter.Row {
 	output_chan := make(chan vfilter.Row)
 
@@ -211,7 +211,7 @@ func (self InventoryPlugin) Call(
 	return output_chan
 }
 
-func (self InventoryPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+func (self InventoryPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 	return &vfilter.PluginInfo{
 		Name: "inventory",
 		Doc:  "Retrieve the tools inventory.",
diff --git a/vql/server/kill.go b/vql/server/kill.go
index a93ceca1294..98942241106 100644
--- a/vql/server/kill.go
+++ b/vql/server/kill.go
@@ -28,7 +28,7 @@ type KillClientFunctionArgs struct {
 type KillClientFunction struct{}
 
 func (self *KillClientFunction) Call(ctx context.Context,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	args *ordereddict.Dict) vfilter.Any {
 
 	err := vql_subsystem.CheckAccess(scope, acls.MACHINE_STATE)
@@ -78,7 +78,7 @@ func (self *KillClientFunction) Call(ctx context.Context,
 }
 
 func (self KillClientFunction) Info(
-	scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+	scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 	return &vfilter.FunctionInfo{
 		Name: "killkillkill",
 		Doc:  "Kills the client and forces a restart - this is very aggresive!",
diff --git a/vql/server/labels.go b/vql/server/labels.go
index 2a74e469965..88e26db9bb7 100644
--- a/vql/server/labels.go
+++ b/vql/server/labels.go
@@ -38,7 +38,7 @@ type AddLabelsArgs struct {
 type AddLabels struct{}
 
 func (self *AddLabels) Call(ctx context.Context,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	args *ordereddict.Dict) vfilter.Any {
 
 	arg := &AddLabelsArgs{}
@@ -82,7 +82,7 @@ func (self *AddLabels) Call(ctx context.Context,
 	return arg
 }
 
-func (self AddLabels) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+func (self AddLabels) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 	return &vfilter.FunctionInfo{
 		Name: "label",
 		Doc: "Add the labels to the client. " +
diff --git a/vql/server/monitoring.go b/vql/server/monitoring.go
index b77ed2912ff..69081b4100d 100644
--- a/vql/server/monitoring.go
+++ b/vql/server/monitoring.go
@@ -36,7 +36,7 @@ type MonitoringPlugin struct{}
 
 func (self MonitoringPlugin) Call(
 	ctx context.Context,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	args *ordereddict.Dict) <-chan vfilter.Row {
 	output_chan := make(chan vfilter.Row)
 
@@ -84,7 +84,7 @@ func (self MonitoringPlugin) Call(
 	return output_chan
 }
 
-func (self MonitoringPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+func (self MonitoringPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 	return &vfilter.PluginInfo{
 		Name: "monitoring",
 		Doc: "Extract monitoring log from a client. If client_id is not specified " +
@@ -103,7 +103,7 @@ type WatchMonitoringPlugin struct{}
 
 func (self WatchMonitoringPlugin) Call(
 	ctx context.Context,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	args *ordereddict.Dict) <-chan vfilter.Row {
 	output_chan := make(chan vfilter.Row)
 
@@ -171,7 +171,7 @@ func (self WatchMonitoringPlugin) Call(
 	return output_chan
 }
 
-func (self WatchMonitoringPlugin) Info(scope *vfilter.Scope,
+func (self WatchMonitoringPlugin) Info(scope vfilter.Scope,
 	type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 	return &vfilter.PluginInfo{
 		Name: "watch_monitoring",
diff --git a/vql/server/notebooks/delete.go b/vql/server/notebooks/delete.go
index 72f21fbb72d..68d84fd8987 100644
--- a/vql/server/notebooks/delete.go
+++ b/vql/server/notebooks/delete.go
@@ -21,7 +21,7 @@ type DeleteNotebookArgs struct {
 type DeleteNotebookPlugin struct{}
 
 func (self *DeleteNotebookPlugin) Call(ctx context.Context,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	args *ordereddict.Dict) <-chan vfilter.Row {
 
 	output_chan := make(chan vfilter.Row)
@@ -126,7 +126,7 @@ func (self *DeleteNotebookPlugin) Call(ctx context.Context,
 }
 
 func (self DeleteNotebookPlugin) Info(
-	scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+	scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 	return &vfilter.PluginInfo{
 		Name: "notebook_delete",
 		Doc:  "Delete a notebook with all its cells. ",
diff --git a/vql/server/parallel.go b/vql/server/parallel.go
index 9b9a18fe6b3..68629878dbb 100644
--- a/vql/server/parallel.go
+++ b/vql/server/parallel.go
@@ -59,7 +59,7 @@ type ParallelPlugin struct{}
 
 func (self ParallelPlugin) Call(
 	ctx context.Context,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	args *ordereddict.Dict) <-chan vfilter.Row {
 	output_chan := make(chan vfilter.Row)
 
@@ -121,7 +121,7 @@ func (self ParallelPlugin) Call(
 }
 
 func (self ParallelPlugin) Info(
-	scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+	scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 	return &vfilter.PluginInfo{
 		Name: "parallelize",
 		Doc:  "Runs query on result batches in parallel.",
diff --git a/vql/server/repository.go b/vql/server/repository.go
index 289546579e3..6082ae3d2a5 100644
--- a/vql/server/repository.go
+++ b/vql/server/repository.go
@@ -21,7 +21,7 @@ type ArtifactSetFunctionArgs struct {
 type ArtifactSetFunction struct{}
 
 func (self *ArtifactSetFunction) Call(ctx context.Context,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	args *ordereddict.Dict) vfilter.Any {
 
 	arg := &ArtifactSetFunctionArgs{}
@@ -88,7 +88,7 @@ func (self *ArtifactSetFunction) Call(ctx context.Context,
 }
 
 func (self ArtifactSetFunction) Info(
-	scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+	scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 	return &vfilter.FunctionInfo{
 		Name: "artifact_set",
 		Doc:  "Sets an artifact into the global repository.",
@@ -103,7 +103,7 @@ type ArtifactDeleteFunctionArgs struct {
 type ArtifactDeleteFunction struct{}
 
 func (self *ArtifactDeleteFunction) Call(ctx context.Context,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	args *ordereddict.Dict) vfilter.Any {
 
 	arg := &ArtifactDeleteFunctionArgs{}
@@ -171,7 +171,7 @@ func (self *ArtifactDeleteFunction) Call(ctx context.Context,
 }
 
 func (self ArtifactDeleteFunction) Info(
-	scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+	scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 	return &vfilter.FunctionInfo{
 		Name: "artifact_delete",
 		Doc:  "Deletes an artifact from the global repository.",
@@ -189,7 +189,7 @@ type ArtifactsPlugin struct{}
 
 func (self ArtifactsPlugin) Call(
 	ctx context.Context,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	args *ordereddict.Dict) <-chan vfilter.Row {
 	output_chan := make(chan vfilter.Row)
 	go func() {
@@ -269,7 +269,7 @@ func (self ArtifactsPlugin) Call(
 	return output_chan
 }
 
-func (self ArtifactsPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+func (self ArtifactsPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 	return &vfilter.PluginInfo{
 		Name: "artifact_definitions",
 		Doc:  "Dump artifact definitions.",
diff --git a/vql/server/results.go b/vql/server/results.go
index 4e956fbbe9e..530e439a1c6 100644
--- a/vql/server/results.go
+++ b/vql/server/results.go
@@ -49,7 +49,7 @@ type UploadsPlugins struct{}
 
 func (self UploadsPlugins) Call(
 	ctx context.Context,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	args *ordereddict.Dict) <-chan vfilter.Row {
 	output_chan := make(chan vfilter.Row)
 
@@ -98,7 +98,7 @@ func (self UploadsPlugins) Call(
 }
 
 func (self UploadsPlugins) Info(
-	scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+	scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 	return &vfilter.PluginInfo{
 		Name: "uploads",
 		Doc:  "Retrieve information about a flow's uploads.",
@@ -147,7 +147,7 @@ type SourcePlugin struct{}
 
 func (self SourcePlugin) Call(
 	ctx context.Context,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	args *ordereddict.Dict) <-chan vfilter.Row {
 	output_chan := make(chan vfilter.Row)
 
@@ -234,7 +234,7 @@ func (self SourcePlugin) Call(
 }
 
 func (self SourcePlugin) Info(
-	scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+	scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 	return &vfilter.PluginInfo{
 		Name: "source",
 		Doc:  "Retrieve rows from stored result sets. This is a one stop show for retrieving stored result set for post processing.",
@@ -347,7 +347,7 @@ func getResultSetReader(
 }
 
 // Override SourcePluginArgs from the scope.
-func ParseSourceArgsFromScope(arg *SourcePluginArgs, scope *vfilter.Scope) {
+func ParseSourceArgsFromScope(arg *SourcePluginArgs, scope vfilter.Scope) {
 	client_id, pres := scope.Resolve("ClientId")
 	if pres {
 		arg.ClientId, _ = client_id.(string)
@@ -415,7 +415,7 @@ type FlowResultsPlugin struct{}
 
 func (self FlowResultsPlugin) Call(
 	ctx context.Context,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	args *ordereddict.Dict) <-chan vfilter.Row {
 	output_chan := make(chan vfilter.Row)
 	go func() {
@@ -485,7 +485,7 @@ func (self FlowResultsPlugin) Call(
 	return output_chan
 }
 
-func (self FlowResultsPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+func (self FlowResultsPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 	return &vfilter.PluginInfo{
 		Name: "flow_results",
 		Doc:  "Retrieve the results of a flow.",
diff --git a/vql/server/search.go b/vql/server/search.go
index 4bfea062cde..eae516ee781 100644
--- a/vql/server/search.go
+++ b/vql/server/search.go
@@ -76,7 +76,7 @@ type SearchPlugin struct{}
 
 func (self SearchPlugin) Call(
 	ctx context.Context,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	args *ordereddict.Dict) <-chan vfilter.Row {
 	output_chan := make(chan vfilter.Row)
 
@@ -125,7 +125,7 @@ func (self SearchPlugin) Call(
 	return output_chan
 }
 
-func (self SearchPlugin) Info(scope *vfilter.Scope,
+func (self SearchPlugin) Info(scope vfilter.Scope,
 	type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 	return &vfilter.PluginInfo{
 		Name: "search",
diff --git a/vql/server/splunk.go b/vql/server/splunk.go
index a9cd2f242e1..818613db97b 100644
--- a/vql/server/splunk.go
+++ b/vql/server/splunk.go
@@ -53,7 +53,7 @@ type _SplunkPluginArgs struct {
 type _SplunkPlugin struct{}
 
 func (self _SplunkPlugin) Call(ctx context.Context,
-	scope *vfilter.Scope,
+	scope vfilter.Scope,
 	args *ordereddict.Dict) <-chan vfilter.Row {
 	output_chan := make(chan vfilter.Row)
 
@@ -109,7 +109,7 @@ func (self _SplunkPlugin) Call(ctx context.Context,
 // Copy rows from row_chan to a local buffer and push it up to splunk.
 func _upload_rows(
 	ctx context.Context,
-	scope *vfilter.Scope, output_chan chan vfilter.Row,
+	scope vfilter.Scope, output_chan chan vfilter.Row,
 	row_chan <-chan vfilter.Row,
 	wg *sync.WaitGroup,
 	arg *_SplunkPluginArgs) {
@@ -163,7 +163,7 @@ func _upload_rows(
 
 func send_to_splunk(
 ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 output_chan chan vfilter.Row,
 client *splunk.Client,
 buf *[]vfilter.Row, arg *_SplunkPluginArgs) {
@@ -211,7 +211,7 @@ func send_to_splunk(
 }
 
 func (self _SplunkPlugin) Info(
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 return &vfilter.PluginInfo{
 Name: "splunk_upload",
diff --git a/vql/server/stats.go b/vql/server/stats.go
index 67041ae9ba9..3eb4dfdec48 100644
--- a/vql/server/stats.go
+++ b/vql/server/stats.go
@@ -4,10 +4,12 @@ package server
 
 import (
 "context"
+ "fmt"
 
 "github.com/Velocidex/ordereddict"
 vql_subsystem "www.velocidex.com/golang/velociraptor/vql"
 "www.velocidex.com/golang/vfilter"
+ "www.velocidex.com/golang/vfilter/types"
 )
 
 type rateState struct {
@@ -22,7 +24,7 @@ type _RateFunctionArgs struct {
 
 type _RateFunction struct{}
 
-func (self _RateFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+func (self _RateFunction) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 return &vfilter.FunctionInfo{
 Name: "rate",
 Doc: "Calculates the rate (derivative) between two quantities.",
@@ -30,9 +32,9 @@ func (self _RateFunction) Info(scope vfilter.Scope, type_map *vfilter.TypeMap)
 }
 }
 
-func (self *_RateFunction) Call(
+func (self _RateFunction) Call(
 ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) vfilter.Any {
 arg := &_RateFunctionArgs{}
 err := vfilter.ExtractArgs(scope, args, arg)
@@ -41,17 +43,15 @@ func (self *_RateFunction) Call(
 return vfilter.Null{}
 }
 
- previous_value_any := scope.GetContext(vfilter.GetID(self))
- if previous_value_any == nil {
- scope.SetContext(
- vfilter.GetID(self), &rateState{x: arg.X, y: arg.Y})
+ previous_value_any, pres := scope.GetContext(GetID(&self))
+ if !pres {
+ scope.SetContext(GetID(&self), &rateState{x: arg.X, y: arg.Y})
 return vfilter.Null{}
 }
 
 state := previous_value_any.(*rateState)
 value := (arg.X - state.x) / (arg.Y - state.y)
- scope.SetContext(
- vfilter.GetID(self), &rateState{x: arg.X, y: arg.Y})
+ scope.SetContext(GetID(&self), &rateState{x: arg.X, y: arg.Y})
 return value
 }
 
@@ -59,3 +59,8 @@ func (self *_RateFunction) Call(
 func init() {
 vql_subsystem.RegisterFunction(&_RateFunction{})
 }
+
+ // Returns a unique ID for the object.
+ func GetID(obj types.Any) string {
+ return fmt.Sprintf("%p", obj)
+ }
diff --git a/vql/server/users.go b/vql/server/users.go
index 04dbec858cf..3300ed1d1e9 100644
--- a/vql/server/users.go
+++ b/vql/server/users.go
@@ -15,7 +15,7 @@ type UsersPlugin struct{}
 
 func (self UsersPlugin) Call(
 ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) <-chan vfilter.Row {
 output_chan := make(chan vfilter.Row)
 go func() {
@@ -57,7 +57,7 @@ func (self UsersPlugin) Call(
 return output_chan
 }
 
-func (self UsersPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+func (self UsersPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 return &vfilter.PluginInfo{
 Name: "gui_users",
 Doc: "Retrieve the list of users on the server.",
diff --git a/vql/tools/collector.go b/vql/tools/collector.go
index f67f636ab5d..4541fd87799 100644
--- a/vql/tools/collector.go
+++ b/vql/tools/collector.go
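Review bot: `GetID(&self)` no longer yields a stable key in the rewritten Call: the receiver is now a value (`func (self _RateFunction) Call`), so `&self` is the address of a fresh per-call copy that escapes into `fmt.Sprintf("%p", …)`, and there is no guarantee it matches the key written by the previous call — `rate()` can then lose its state and return `vfilter.Null{}` on every row, or, if the allocator hands a recycled address to a different function's copy, pick up foreign state through the unchecked `previous_value_any.(*rateState)`. Because `init()` registers a single `&_RateFunction{}`, one fixed key is the intended identity and is cheaper: `const rateContextKey = "__rate_state"` and use `scope.GetContext(rateContextKey)` / `scope.SetContext(rateContextKey, …)` in the three call sites, or alternatively restore the pointer receiver and pass `self` rather than `&self`. If the new `GetID` helper is kept, its comment should say it is only meaningful for pointer values — for a non-pointer `obj`, `%p` formats as `%!p(…)` and two distinct objects can produce the same string. Call's body begins outside the hunk.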
@@ -39,7 +39,7 @@ type CollectPlugin struct{}
 
 func (self CollectPlugin) Call(
 ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) <-chan vfilter.Row {
 output_chan := make(chan vfilter.Row)
 
@@ -222,7 +222,7 @@ func (self CollectPlugin) Call(
 // when container is closed.
 func makeContainer(
 config_obj *config_proto.Config,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 repository services.Repository,
 arg *CollectPluginArgs) (
 container *reporting.Container, closer func(), err error) {
@@ -354,7 +354,7 @@ func getRepository(
 return repository, nil
 }
 
-func (self CollectPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+func (self CollectPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 return &vfilter.PluginInfo{
 Name: "collect",
 Doc: "Collect artifacts into a local file.",
@@ -367,7 +367,7 @@ func (self CollectPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap)
 func getArtifactCollectorArgs(
 config_obj *config_proto.Config,
 repository services.Repository,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 arg *CollectPluginArgs) (*flows_proto.ArtifactCollectorArgs, error) {
 request := &flows_proto.ArtifactCollectorArgs{
 Artifacts: arg.Artifacts,
@@ -386,7 +386,7 @@ func getArtifactCollectorArgs(
 func AddSpecProtobuf(
 config_obj *config_proto.Config,
 repository services.Repository,
- scope *vfilter.Scope, spec vfilter.Any, request *flows_proto.ArtifactCollectorArgs) error {
+ scope vfilter.Scope, spec vfilter.Any, request *flows_proto.ArtifactCollectorArgs) error {
 var err error
 
diff --git a/vql/tools/collector_test.go b/vql/tools/collector_test.go
index c74d78cac98..9c368d5fffa 100644
--- a/vql/tools/collector_test.go
+++ b/vql/tools/collector_test.go
@@ -152,7 +152,7 @@ func (self *TestSuite) TearDownTest() {
 
 func (self *TestSuite) TestSimpleCollection() {
 scope := vql_subsystem.MakeScope()
- scope.Logger = logging.NewPlainLogger(self.config_obj, &logging.FrontendComponent)
+ scope.SetLogger(logging.NewPlainLogger(self.config_obj, &logging.FrontendComponent))
 repository, err := getRepository(self.config_obj, nil)
 assert.NoError(self.T(), err)
 
diff --git a/vql/tools/gcs_upload.go b/vql/tools/gcs_upload.go
index 62dc768d77f..cdd9154327a 100644
--- a/vql/tools/gcs_upload.go
+++ b/vql/tools/gcs_upload.go
@@ -32,7 +32,7 @@ type GCSUploadArgs struct {
 type GCSUploadFunction struct{}
 
 func (self *GCSUploadFunction) Call(ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) vfilter.Any {
 
 arg := &GCSUploadArgs{}
@@ -85,7 +85,7 @@ func (self *GCSUploadFunction) Call(ctx context.Context,
 return vfilter.Null{}
 }
 
-func upload_gcs(ctx context.Context, scope *vfilter.Scope,
+func upload_gcs(ctx context.Context, scope vfilter.Scope,
 reader io.Reader, projectID, bucket, name string, credentials string) (
@@ -155,7 +155,7 @@ func upload_gcs(ctx context.Context, scope *vfilter.Scope,
 }
 
 func (self GCSUploadFunction) Info(
- scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+ scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 return &vfilter.FunctionInfo{
 Name: "upload_gcs",
 Doc: "Upload files to GCS.",
diff --git a/vql/tools/js.go b/vql/tools/js.go
index 9fc583ad5be..2fd8464aa6a 100644
--- a/vql/tools/js.go
+++ b/vql/tools/js.go
@@ -20,7 +20,7 @@ type JSCompileArgs struct {
 Key string `vfilter:"optional,field=key,doc=If set use this key to cache the JS VM."`
 }
 
-func logIfPanic(scope *vfilter.Scope) {
+func logIfPanic(scope vfilter.Scope) {
 err := recover()
 if err == halt {
 return
@@ -34,7 +34,7 @@ func logIfPanic(scope *vfilter.Scope) {
 type JSCompile struct{}
 
 func getVM(ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 key string) *otto.Otto {
 if key == "" {
 key = "__jscontext"
@@ -57,7 +57,7 @@ func getVM(ctx context.Context,
 }
 
 func (self *JSCompile) Call(ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) vfilter.Any {
 arg := &JSCompileArgs{}
 err := vfilter.ExtractArgs(scope, args, arg)
@@ -78,7 +78,7 @@ func (self *JSCompile) Call(ctx context.Context,
 return vfilter.Null{}
 }
 
-func (self JSCompile) Info(scope *vfilter.Scope,
+func (self JSCompile) Info(scope vfilter.Scope,
 type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 return &vfilter.FunctionInfo{
 Name: "js",
@@ -96,7 +96,7 @@ type JSCallArgs struct {
 type JSCall struct{}
 
 func (self *JSCall) Call(ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) vfilter.Any {
 arg := &JSCallArgs{}
 err := vfilter.ExtractArgs(scope, args, arg)
@@ -136,7 +136,7 @@ func (self *JSCall) Call(ctx context.Context,
 return result
 }
 
-func (self JSCall) Info(scope *vfilter.Scope,
+func (self JSCall) Info(scope vfilter.Scope,
 type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 return &vfilter.FunctionInfo{
 Name: "js_call",
@@ -154,7 +154,7 @@ type JSSetArgs struct {
 type JSSet struct{}
 
 func (self *JSSet) Call(ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) vfilter.Any {
 arg := &JSSetArgs{}
 err := vfilter.ExtractArgs(scope, args, arg)
@@ -191,7 +191,7 @@ func (self *JSSet) Call(ctx context.Context,
 return vfilter.Null{}
 }
 
-func (self JSSet) Info(scope *vfilter.Scope,
+func (self JSSet) Info(scope vfilter.Scope,
 type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 return &vfilter.FunctionInfo{
 Name: "js_set",
@@ -208,7 +208,7 @@ type JSGetArgs struct {
 type JSGet struct{}
 
 func (self *JSGet) Call(ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) vfilter.Any {
 arg := &JSGetArgs{}
 err := vfilter.ExtractArgs(scope, args, arg)
@@ -235,7 +235,7 @@ func (self *JSGet) Call(ctx context.Context,
 return value
 }
 
-func (self JSGet) Info(scope *vfilter.Scope,
+func (self JSGet) Info(scope vfilter.Scope,
 type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 return &vfilter.FunctionInfo{
 Name: "js_get",
diff --git a/vql/tools/mocker.go b/vql/tools/mocker.go
index f9606b83047..bc055c48fae 100644
--- a/vql/tools/mocker.go
+++ b/vql/tools/mocker.go
@@ -68,7 +68,7 @@ type MockerPlugin struct {
 }
 
 func (self MockerPlugin) Call(ctx context.Context,
- scope *vfilter.Scope, args *ordereddict.Dict) <-chan vfilter.Row {
+ scope vfilter.Scope, args *ordereddict.Dict) <-chan vfilter.Row {
 output_chan := make(chan vfilter.Row)
 go func() {
 defer close(output_chan)
@@ -102,7 +102,7 @@ func (self MockerPlugin) Call(ctx context.Context,
 return output_chan
 }
 
-func (self *MockerPlugin) Info(scope *vfilter.Scope,
+func (self *MockerPlugin) Info(scope vfilter.Scope,
 type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 return &vfilter.PluginInfo{
 Name: self.name,
@@ -123,7 +123,7 @@ type MockerFunction struct {
 }
 
 func (self *MockerFunction) Call(ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) vfilter.Any {
 result := self.ctx.results[self.ctx.call_count%len(self.ctx.results)]
 
@@ -132,7 +132,7 @@ func (self *MockerFunction) Call(ctx context.Context,
 return result
 }
 
-func (self *MockerFunction) Info(scope *vfilter.Scope,
+func (self *MockerFunction) Info(scope vfilter.Scope,
 type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 return &vfilter.FunctionInfo{
 Name: self.name,
@@ -142,7 +142,7 @@ func (self *MockerFunction) Info(scope *vfilter.Scope,
 type MockFunction struct{}
 
 func (self *MockFunction) Call(ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) vfilter.Any {
 
 arg := &MockerFunctionArgs{}
@@ -211,7 +211,7 @@ func (self *MockFunction) Call(ctx context.Context,
 }
 
 func (self MockFunction) Info(
- scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+ scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 return &vfilter.FunctionInfo{
 Name: "mock",
 Doc: "Mock a plugin.",
@@ -229,7 +229,7 @@ type MockCheckArgs struct {
 type MockCheckFunction struct{}
 
 func (self *MockCheckFunction) Call(ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) vfilter.Any {
 
 arg := &MockCheckArgs{}
@@ -283,7 +283,7 @@ func (self *MockCheckFunction) Call(ctx context.Context,
 }
 
 func (self MockCheckFunction) Info(
- scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+ scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 return &vfilter.FunctionInfo{
 Name: "mock_check",
 Doc: "Check expectations on a mock.",
@@ -291,7 +291,7 @@ func (self MockCheckFunction) Info(
 }
 }
 
-func GetMockContext(scope *vfilter.Scope) (*MockingScopeContext, bool) {
+func GetMockContext(scope vfilter.Scope) (*MockingScopeContext, bool) {
 scope_mocker, pres := scope.Resolve(constants.SCOPE_MOCK)
 if !pres {
 return nil, false
diff --git a/vql/tools/reporting.go b/vql/tools/reporting.go
index 9325aaf11f0..bbaba2ffb0e 100644
--- a/vql/tools/reporting.go
+++ b/vql/tools/reporting.go
@@ -44,7 +44,7 @@ func produceReport(
 repository services.Repository,
 writer io.Writer,
 definitions []*artifacts_proto.Artifact,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 arg *CollectPluginArgs) error {
 
 builder := services.ScopeBuilderFromScope(scope)
@@ -137,7 +137,7 @@ type ArchiveSourcePlugin struct {
 
 func (self *ArchiveSourcePlugin) Call(
 ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) <-chan vfilter.Row {
 output_chan := make(chan vfilter.Row)
 
@@ -176,7 +176,7 @@ func (self *ArchiveSourcePlugin) Call(
 }
 
 func (self ArchiveSourcePlugin) Info(
- scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+ scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 return &vfilter.PluginInfo{
 Name: "source",
 Doc: "Retrieve rows from stored result sets. This is a one stop show for retrieving stored result set for post processing.",
@@ -184,7 +184,7 @@ func (self ArchiveSourcePlugin) Info(
 }
 }
 
-func ParseSourceArgsFromScope(arg *SourcePluginArgs, scope *vfilter.Scope) {
+func ParseSourceArgsFromScope(arg *SourcePluginArgs, scope vfilter.Scope) {
 artifact_name, pres := scope.Resolve("ArtifactName")
 if pres {
 arg.Artifact = artifact_name.(string)
diff --git a/vql/tools/s3_upload.go b/vql/tools/s3_upload.go
index 41b89450f5b..3ccb6b41a74 100644
--- a/vql/tools/s3_upload.go
+++ b/vql/tools/s3_upload.go
@@ -33,7 +33,7 @@ type S3UploadArgs struct {
 type S3UploadFunction struct{}
 
 func (self *S3UploadFunction) Call(ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) vfilter.Any {
 
 arg := &S3UploadArgs{}
@@ -99,7 +99,7 @@ func (self *S3UploadFunction) Call(ctx context.Context,
 return vfilter.Null{}
 }
 
-func upload_S3(ctx context.Context, scope *vfilter.Scope,
+func upload_S3(ctx context.Context, scope vfilter.Scope,
 reader glob.ReadSeekCloser,
 bucket, name string,
 credentialsKey string,
@@ -169,7 +169,7 @@ func upload_S3(ctx context.Context, scope *vfilter.Scope,
 }
 
 func (self S3UploadFunction) Info(
- scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+ scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 return &vfilter.FunctionInfo{
 Name: "upload_s3",
 Doc: "Upload files to S3.",
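Review bot: `arg.Artifact = artifact_name.(string)` in the vql/tools `ParseSourceArgsFromScope` hunk is an unchecked type assertion on a scope variable: `ArtifactName` is whatever the query environment resolves it to, so a non-string value panics inside the `source` plugin instead of being ignored, unless a recover handler further up catches it. The same-named function in the vql/server package, earlier in this diff, uses the checked form `arg.ClientId, _ = client_id.(string)`; `arg.Artifact, _ = artifact_name.(string)` would bring this copy into line and make the two behave the same on bad input. The function's body continues outside the hunk, so any further `.(string)` assertions there deserve the same treatment.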
diff --git a/vql/tools/sftp_upload.go b/vql/tools/sftp_upload.go
index 94b3411df41..ce5f16a2472 100644
--- a/vql/tools/sftp_upload.go
+++ b/vql/tools/sftp_upload.go
@@ -34,7 +34,7 @@ type SFTPUploadArgs struct {
 type SFTPUploadFunction struct{}
 
 func (self *SFTPUploadFunction) Call(ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) vfilter.Any {
 
 arg := &SFTPUploadArgs{}
@@ -112,7 +112,7 @@ func hostkeycallback(trustedkey string) ssh.HostKeyCallback {
 }
 }
 
-func getSFTPClient(scope *vfilter.Scope, user string, privateKey string, endpoint string, hostKey string) (*sftp.Client, error) {
+func getSFTPClient(scope vfilter.Scope, user string, privateKey string, endpoint string, hostKey string) (*sftp.Client, error) {
 cacheKey := fmt.Sprintf("%s %s", user, endpoint)
 client := vql_subsystem.CacheGet(scope, cacheKey)
 if client == nil {
@@ -167,7 +167,7 @@ func getSFTPClient(scope *vfilter.Scope, user string, privateKey string, endpoin
 }
 }
 
-func upload_SFTP(ctx context.Context, scope *vfilter.Scope,
+func upload_SFTP(ctx context.Context, scope vfilter.Scope,
 reader io.Reader, user, path, name string, privateKey string, endpoint string, hostKey string) (
 
@@ -210,7 +210,7 @@ func upload_SFTP(ctx context.Context, scope *vfilter.Scope,
 }
 
 func (self SFTPUploadFunction) Info(
- scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+ scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 return &vfilter.FunctionInfo{
 Name: "upload_sftp",
 Doc: "Upload files to SFTP.",
diff --git a/vql/tools/webdav_upload.go b/vql/tools/webdav_upload.go
index 0cd24831863..34abfb94189 100644
--- a/vql/tools/webdav_upload.go
+++ b/vql/tools/webdav_upload.go
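Review bot: `cacheKey := fmt.Sprintf("%s %s", user, endpoint)` in `getSFTPClient` keys the cached `*sftp.Client` on user and endpoint only, although the function also receives `privateKey` and `hostKey`; a later `upload_sftp` call in the same scope that pins a different host key or uses a different private key will silently reuse the session that was authenticated and host-key-verified under the first call's parameters, and its own expected host key is never checked. Folding the trust parameters into the key, e.g. `cacheKey := fmt.Sprintf("%s %s %s", user, endpoint, hostKey)`, keeps one session per trust configuration at no real cost. The cache is presumably scope-local, so the exposure is limited to queries sharing a scope, but the mismatch is still surprising to a caller who changes `hostKey` expecting a fresh verification. getSFTPClient's body continues outside the hunk.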
@@ -4,13 +4,14 @@ package tools
 
 import (
 "context"
- "github.com/Velocidex/ordereddict"
 "io"
 "net"
 "net/http"
 "net/url"
 "path"
 "time"
+
+ "github.com/Velocidex/ordereddict"
 "www.velocidex.com/golang/velociraptor/file_store/api"
 "www.velocidex.com/golang/velociraptor/glob"
 vql_subsystem "www.velocidex.com/golang/velociraptor/vql"
@@ -29,7 +30,7 @@ type WebDAVUploadArgs struct {
 type WebDAVUploadFunction struct{}
 
 func (self *WebDAVUploadFunction) Call(ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) vfilter.Any {
 
 arg := &WebDAVUploadArgs{}
@@ -87,7 +88,7 @@ func (self *WebDAVUploadFunction) Call(ctx context.Context,
 return vfilter.Null{}
 }
 
-func upload_webdav(ctx context.Context, scope *vfilter.Scope,
+func upload_webdav(ctx context.Context, scope vfilter.Scope,
 reader io.Reader, contentLength int64, name string, webdavUrl string, basicAuthUser string, basicAuthPassword string) (
@@ -139,7 +140,7 @@ func upload_webdav(ctx context.Context, scope *vfilter.Scope,
 }
 
 func (self WebDAVUploadFunction) Info(
- scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+ scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 return &vfilter.FunctionInfo{
 Name: "upload_webdav",
 Doc: "Upload files to a WebDAV server.",
diff --git a/vql/utils.go b/vql/utils.go
index 25b993ad7cd..e1e595ed80e 100644
--- a/vql/utils.go
+++ b/vql/utils.go
@@ -26,7 +26,7 @@ import (
 
 // GetStringFromRow gets a string value from row. If it is not there
 // or not a string return ""
-func GetStringFromRow(scope *vfilter.Scope,
+func GetStringFromRow(scope vfilter.Scope,
 row vfilter.Row, key string) string {
 value, pres := scope.Associative(row, key)
 if pres {
@@ -40,7 +40,7 @@ func GetStringFromRow(scope *vfilter.Scope,
 
 // GetIntFromRow gets a uint64 value from row. If it is not there
 // or not a string return 0. Floats etc are coerced to uint64.
-func GetIntFromRow(scope *vfilter.Scope,
+func GetIntFromRow(scope vfilter.Scope,
 row vfilter.Row, key string) uint64 {
 value, pres := scope.Associative(row, key)
 if pres {
@@ -71,7 +71,7 @@ func GetIntFromRow(scope *vfilter.Scope,
 // A writer which periodically reports how much has been
 // written. Useful for tee with another writer.
 type LogWriter struct {
- Scope *vfilter.Scope
+ Scope vfilter.Scope
 Message string
 Period time.Duration
 
@@ -93,7 +93,7 @@ func (self *LogWriter) Write(buff []byte) (int, error) {
 return len(buff), nil
 }
 
-func CheckForPanic(scope *vfilter.Scope, msg string, vals ...interface{}) {
+func CheckForPanic(scope vfilter.Scope, msg string, vals ...interface{}) {
 r := recover()
 if r != nil {
 scope.Log(msg, vals...)
diff --git a/vql/vql.go b/vql/vql.go
index 0506f9324c7..474710f8af0 100755
--- a/vql/vql.go
+++ b/vql/vql.go
@@ -85,10 +85,10 @@ var (
 
 // Instead of building the scope from scratch each time, use a
 // global scope and prepare any other scopes from it.
- globalScope *vfilter.Scope
+ globalScope vfilter.Scope
 )
 
-func _makeRootScope() *vfilter.Scope {
+func _makeRootScope() vfilter.Scope {
 mu.Lock()
 defer mu.Unlock()
 
@@ -99,14 +99,14 @@ func _makeRootScope() *vfilter.Scope {
 return globalScope.NewScope()
 }
 
-func MakeScope() *vfilter.Scope {
+func MakeScope() vfilter.Scope {
 return _makeRootScope()
 }
 
-func GetRootScope(scope *vfilter.Scope) *vfilter.Scope {
+func GetRootScope(scope vfilter.Scope) vfilter.Scope {
 root_any, pres := scope.Resolve(constants.SCOPE_ROOT)
 if pres {
- root, ok := root_any.(*vfilter.Scope)
+ root, ok := root_any.(vfilter.Scope)
 if ok {
 return root
 }
@@ -116,7 +116,7 @@ func GetRootScope(scope *vfilter.Scope) *vfilter.Scope {
 
 // MakeNewScope makes a new scope from scratch. You do not need to use
 // this! use MakeScope() above which is much faster.
-func MakeNewScope() *vfilter.Scope {
+func MakeNewScope() vfilter.Scope {
 scopeCounter.Inc()
 
 result := vfilter.NewScope()
diff --git a/vql/windows/authenticode/authenticode.go b/vql/windows/authenticode/authenticode.go
index 19afef39ad6..33f11a26526 100644
--- a/vql/windows/authenticode/authenticode.go
+++ b/vql/windows/authenticode/authenticode.go
@@ -45,7 +45,7 @@ type AuthenticodeArgs struct {
 type AuthenticodeFunction struct{}
 
 func (self *AuthenticodeFunction) Call(ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) vfilter.Any {
 
 err := vql_subsystem.CheckAccess(scope, acls.MACHINE_STATE)
@@ -90,7 +90,7 @@ func (self *AuthenticodeFunction) Call(ctx context.Context,
 }
 
 func (self AuthenticodeFunction) Info(
- scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+ scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 return &vfilter.FunctionInfo{
 Name: "authenticode",
 Doc: "This plugin uses the Windows API to extract authenticode " +
diff --git a/vql/windows/crypto.go b/vql/windows/crypto.go
index 6dbe0f9d463..51c7cf0a52d 100644
--- a/vql/windows/crypto.go
+++ b/vql/windows/crypto.go
@@ -151,7 +151,7 @@ func (self *CertContext) HexSerialNumber() string {
 return self.SerialNumber.Text(16)
 }
 
-func runCertificates(scope *vfilter.Scope,
+func runCertificates(scope vfilter.Scope,
 args *ordereddict.Dict) []vfilter.Row {
 var result []vfilter.Row
 
diff --git a/vql/windows/dns/dns.go b/vql/windows/dns/dns.go
index 27e06143d5c..6c6f1cd1d20 100644
--- a/vql/windows/dns/dns.go
+++ b/vql/windows/dns/dns.go
@@ -69,7 +69,7 @@ func inet_ntoa(ip [4]byte) string {
 
 type eventContext struct {
 output chan vfilter.Row
- scope *vfilter.Scope
+ scope vfilter.Scope
 }
 
 func (self *eventContext) ProcessEvent(packet []byte) {
@@ -170,7 +170,7 @@ type DNSEventPlugin struct{}
 
 func (self DNSEventPlugin) Call(
 ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) <-chan vfilter.Row {
 output_chan := make(chan vfilter.Row)
 arg := &DNSEventPluginArgs{}
@@ -239,7 +239,7 @@ func (self DNSEventPlugin) Call(
 }
 
 func (self DNSEventPlugin) Info(
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 return &vfilter.PluginInfo{
 Name: "dns",
diff --git a/vql/windows/etw/watch.go b/vql/windows/etw/watch.go
index 3aab5523b44..e37900ebecd 100644
--- a/vql/windows/etw/watch.go
+++ b/vql/windows/etw/watch.go
@@ -21,7 +21,7 @@ type WatchETWPlugin struct{}
 
 func (self WatchETWPlugin) Call(
 ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) <-chan vfilter.Row {
 output_chan := make(chan vfilter.Row)
 
@@ -107,7 +107,7 @@ func (self WatchETWPlugin) Call(
 
 }
 
-func (self WatchETWPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+func (self WatchETWPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 return &vfilter.PluginInfo{
 Name: "watch_etw",
 Doc: "Watch for events from an ETW provider.",
diff --git a/vql/windows/filesystems/auto_windows.go b/vql/windows/filesystems/auto_windows.go
index 86d9f9159e7..74d4fde5451 100644
--- a/vql/windows/filesystems/auto_windows.go
+++ b/vql/windows/filesystems/auto_windows.go
@@ -13,7 +13,7 @@ type AutoFilesystemAccessor struct {
 file_delegate glob.FileSystemAccessor
 }
 
-func (self AutoFilesystemAccessor) New(scope *vfilter.Scope) (glob.FileSystemAccessor, error) {
+func (self AutoFilesystemAccessor) New(scope vfilter.Scope) (glob.FileSystemAccessor, error) {
 ntfs_base, err := NTFSFileSystemAccessor{}.New(scope)
 if err != nil {
 return nil, err
diff --git a/vql/windows/filesystems/mft_windows.go b/vql/windows/filesystems/mft_windows.go
index 2cc8f38e957..2b27e4d5b85 100644
--- a/vql/windows/filesystems/mft_windows.go
+++ b/vql/windows/filesystems/mft_windows.go
@@ -37,7 +37,7 @@ type MFTFileSystemAccessor struct {
 *NTFSFileSystemAccessor
 }
 
-func (self MFTFileSystemAccessor) New(scope *vfilter.Scope) (glob.FileSystemAccessor, error) {
+func (self MFTFileSystemAccessor) New(scope vfilter.Scope) (glob.FileSystemAccessor, error) {
 ntfs_accessor, err := NTFSFileSystemAccessor{}.New(scope)
 if err != nil {
 return nil, err
diff --git a/vql/windows/filesystems/ntfs_lazy_windows.go b/vql/windows/filesystems/ntfs_lazy_windows.go
index 95c14534f4f..d3f647bb0d4 100644
--- a/vql/windows/filesystems/ntfs_lazy_windows.go
+++ b/vql/windows/filesystems/ntfs_lazy_windows.go
@@ -206,7 +206,7 @@ type LazyNTFSFileSystemAccessor struct {
 *NTFSFileSystemAccessor
 }
 
-func (self LazyNTFSFileSystemAccessor) New(scope *vfilter.Scope) (glob.FileSystemAccessor, error) {
+func (self LazyNTFSFileSystemAccessor) New(scope vfilter.Scope) (glob.FileSystemAccessor, error) {
 base, err := NTFSFileSystemAccessor{}.New(scope)
 if err != nil {
 return nil, err
diff --git a/vql/windows/filesystems/ntfs_windows.go b/vql/windows/filesystems/ntfs_windows.go
index 357b644800b..b6fda97e1ae 100644
--- a/vql/windows/filesystems/ntfs_windows.go
+++ b/vql/windows/filesystems/ntfs_windows.go
@@ -191,7 +191,7 @@ type NTFSFileSystemAccessor struct {
 timestamp time.Time // Protected by mutex
 }
 
-func (self NTFSFileSystemAccessor) New(scope *vfilter.Scope) (glob.FileSystemAccessor, error) {
+func (self NTFSFileSystemAccessor) New(scope vfilter.Scope) (glob.FileSystemAccessor, error) {
 result_any := vql_subsystem.CacheGet(scope, NTFSFileSystemTag)
 if result_any == nil {
 // Create a new cache in the scope.
diff --git a/vql/windows/filesystems/os_windows.go b/vql/windows/filesystems/os_windows.go
index 5a3db0d4832..1a127f5382f 100644
--- a/vql/windows/filesystems/os_windows.go
+++ b/vql/windows/filesystems/os_windows.go
@@ -146,7 +146,7 @@ type OSFileSystemAccessor struct {
 follow_links bool
 }
 
-func (self OSFileSystemAccessor) New(scope *vfilter.Scope) (glob.FileSystemAccessor, error) {
+func (self OSFileSystemAccessor) New(scope vfilter.Scope) (glob.FileSystemAccessor, error) {
 result := &OSFileSystemAccessor{follow_links: self.follow_links}
 return result, nil
 }
diff --git a/vql/windows/filesystems/registry_windows.go b/vql/windows/filesystems/registry_windows.go
index 13b3de75bcc..8b74f591594 100644
--- a/vql/windows/filesystems/registry_windows.go
+++ b/vql/windows/filesystems/registry_windows.go
@@ -179,7 +179,7 @@ func NewValueBuffer(buf []byte, stat glob.FileInfo) *ValueBuffer {
 
 type RegFileSystemAccessor struct{}
 
-func (self *RegFileSystemAccessor) New(scope *vfilter.Scope) (glob.FileSystemAccessor, error) {
+func (self *RegFileSystemAccessor) New(scope vfilter.Scope) (glob.FileSystemAccessor, error) {
 return self, nil
 }
 
diff --git a/vql/windows/network.go b/vql/windows/network.go
index 3deb5e04300..f9bdcaed877 100644
--- a/vql/windows/network.go
+++ b/vql/windows/network.go
@@ -108,7 +108,7 @@ func (self *ConnectionStat) TypeString() string {
 // The VQL WMI plugin.
 type NetstatArgs struct{}
 
-func runNetstat(scope *vfilter.Scope,
+func runNetstat(scope vfilter.Scope,
 args *ordereddict.Dict) []vfilter.Row {
 var result []vfilter.Row
 
diff --git a/vql/windows/process/dump.go b/vql/windows/process/dump.go
index cf25ebbd4f9..97094e4d103 100644
--- a/vql/windows/process/dump.go
+++ b/vql/windows/process/dump.go
@@ -44,7 +44,7 @@ type ProcDumpPlugin struct{}
 
 func (self ProcDumpPlugin) Call(
 ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) <-chan vfilter.Row {
 output_chan := make(chan vfilter.Row)
 arg := &PidArgs{}
@@ -108,7 +108,7 @@ func (self ProcDumpPlugin) Call(
 return output_chan
 }
 
-func (self ProcDumpPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+func (self ProcDumpPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 return &vfilter.PluginInfo{
 Name: "proc_dump",
 Doc: "Dumps process memory.",
diff --git a/vql/windows/process/handles.go b/vql/windows/process/handles.go
index a014a24ee52..c5307da8f98 100644
--- a/vql/windows/process/handles.go
+++ b/vql/windows/process/handles.go
@@ -64,7 +64,7 @@ type HandlesPlugin struct{}
 
 func (self HandlesPlugin) Call(
 ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) <-chan vfilter.Row {
 output_chan := make(chan vfilter.Row)
 
@@ -103,7 +103,7 @@ func (self HandlesPlugin) Call(
 return output_chan
 }
 
-func (self HandlesPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+func (self HandlesPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 return &vfilter.PluginInfo{
 Name: "handles",
 Doc: "Enumerate process handles.",
@@ -153,7 +153,7 @@ func SaneNtQuerySystemInformation(class uint32) ([]byte, error) {
 return nil, errors.New("Too much memory needed")
 }
 
-func GetHandles(scope *vfilter.Scope, arg *HandlesPluginArgs, out chan<- vfilter.Row) {
+func GetHandles(scope vfilter.Scope, arg *HandlesPluginArgs, out chan<- vfilter.Row) {
 // This should be large enough to fit all the handles.
 buffer, err := SaneNtQuerySystemInformation(windows.SystemHandleInformation)
 if err != nil {
@@ -233,7 +233,7 @@ func GetHandles(scope *vfilter.Scope, arg *HandlesPluginArgs, out chan<- vfilter
 }
 }
 
-func SendHandleInfo(arg *HandlesPluginArgs, scope *vfilter.Scope,
+func SendHandleInfo(arg *HandlesPluginArgs, scope vfilter.Scope,
 handle_info *windows.SYSTEM_HANDLE_TABLE_ENTRY_INFO64,
 handle syscall.Handle, out chan<- vfilter.Row) {
 
@@ -279,7 +279,7 @@ func SendHandleInfo(arg *HandlesPluginArgs, scope *vfilter.Scope,
 }
 }
 
-func GetTokenInfo(scope *vfilter.Scope, handle syscall.Handle) *TokenHandleInfo {
+func GetTokenInfo(scope vfilter.Scope, handle syscall.Handle) *TokenHandleInfo {
 token := gowin.Token(handle)
 result := &TokenHandleInfo{
 IsElevated: token.IsElevated(),
@@ -317,22 +317,24 @@ func GetTokenInfo(scope *vfilter.Scope, handle syscall.Handle) *TokenHandleInfo
 return result
 }
 
-func getUsernameFromSid(scope *vfilter.Scope, sid *gowin.SID) string {
+func getUsernameFromSid(scope vfilter.Scope, sid *gowin.SID) string {
 key := sid.String()
- username := vql_subsystem.CacheGet(scope, key)
- if username != nil {
- return username.(string)
+ username_any := vql_subsystem.CacheGet(scope, key)
+ if username_any != nil {
+ return username_any.(string)
 }
 
+ // Fetch the username from the API - if we fail the username is ""
+ username := ""
 account, domain, _, err := sid.LookupAccount("localhost")
 if err == nil && account != "" {
 username = fmt.Sprintf("%s\\%s", domain, account)
 }
 vql_subsystem.CacheSet(scope, key, username)
- return username.(string)
+ return username
 }
 
-func GetThreadInfo(scope *vfilter.Scope, handle syscall.Handle, result *HandleInfo) {
+func GetThreadInfo(scope vfilter.Scope, handle syscall.Handle, result *HandleInfo) {
 handle_info := windows.THREAD_BASIC_INFORMATION{}
 var length uint32
 
@@ -363,7 +365,7 @@ func GetThreadInfo(scope *vfilter.Scope, handle syscall.Handle, result *HandleIn
 }
 }
 
-func GetProcessName(scope *vfilter.Scope, handle syscall.Handle) *ProcessHandleInfo {
+func GetProcessName(scope vfilter.Scope, handle syscall.Handle) *ProcessHandleInfo {
 buffer := make([]byte, 1024*2)
 handle_info := windows.PROCESS_BASIC_INFORMATION{}
 
@@ -396,7 +398,7 @@ func GetProcessName(scope *vfilter.Scope, handle syscall.Handle) *ProcessHandleI
 return result
 }
 
-func GetObjectName(scope *vfilter.Scope, handle syscall.Handle, result *HandleInfo) {
+func GetObjectName(scope vfilter.Scope, handle syscall.Handle, result *HandleInfo) {
 buffer := make([]byte, 1024*2)
 var length uint32
 
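Review bot: `return username_any.(string)` in the rewritten `getUsernameFromSid` is still an unchecked assertion on whatever the scope cache holds under `sid.String()`; the cache is keyed by bare strings and shared by every plugin in the scope, so a colliding entry with a non-string value panics the `handles` plugin instead of falling through to the lookup. The two-value form `if username, ok := username_any.(string); ok { return username }` keeps the fast path and degrades to the `LookupAccount` call otherwise. Note also that the rewrite now caches `""` for SIDs whose `LookupAccount` failed (the old code only reached `CacheSet` via the same path, but the comment now makes the empty result explicit); that is fine for genuinely unresolvable SIDs but also pins a transient lookup error for the lifetime of the scope, so the new comment should say that negative results are cached deliberately, e.g. `// Negative results are cached too: a SID that cannot be resolved now is not retried in this scope.`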
@@ -411,7 +413,7 @@ func GetObjectName(scope *vfilter.Scope, handle syscall.Handle, result *HandleIn
 result.Name = (*windows.UNICODE_STRING)(unsafe.Pointer(&buffer[0])).String()
 }
 
-func GetObjectType(handle syscall.Handle, scope *vfilter.Scope) string {
+func GetObjectType(handle syscall.Handle, scope vfilter.Scope) string {
 buffer := make([]byte, 1024*10)
 length := uint32(0)
 status, _ := windows.NtQueryObject(handle, windows.ObjectTypeInformation,
diff --git a/vql/windows/process/token.go b/vql/windows/process/token.go
index b2ce9ea2039..1af99e9540f 100644
--- a/vql/windows/process/token.go
+++ b/vql/windows/process/token.go
@@ -22,7 +22,7 @@ type TokenFunction struct{}
 
 func (self TokenFunction) Call(
 ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) vfilter.Any {
 
 err := vql_subsystem.CheckAccess(scope, acls.MACHINE_STATE)
@@ -99,7 +99,7 @@ func (self TokenFunction) Call(
 return result
 }
 
-func (self TokenFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+func (self TokenFunction) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 return &vfilter.FunctionInfo{
 Name: "token",
 Doc: "Extract process token.",
diff --git a/vql/windows/process/vad.go b/vql/windows/process/vad.go
index a89646c48cb..09085c4f5c6 100644
--- a/vql/windows/process/vad.go
+++ b/vql/windows/process/vad.go
@@ -37,7 +37,7 @@ type ModulesPlugin struct{}
 
 func (self ModulesPlugin) Call(
 ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) <-chan vfilter.Row {
 output_chan := make(chan vfilter.Row)
 arg := &PidArgs{}
@@ -81,7 +81,7 @@ func (self ModulesPlugin) Call(
 return output_chan
 }
-func (self ModulesPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+func (self ModulesPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 return &vfilter.PluginInfo{
 Name: "modules",
 Doc: "Enumerate Loaded DLLs.",
@@ -93,7 +93,7 @@ type VADPlugin struct{}
 func (self VADPlugin) Call(
 ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) <-chan vfilter.Row {
 output_chan := make(chan vfilter.Row)
 arg := &PidArgs{}
@@ -129,7 +129,7 @@ func (self VADPlugin) Call(
 return output_chan
 }
-func (self VADPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+func (self VADPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 return &vfilter.PluginInfo{
 Name: "vad",
 Doc: "Enumerate process memory regions.",
diff --git a/vql/windows/process/winobj.go b/vql/windows/process/winobj.go
index bcfbb4b8dcc..93b24afa54b 100644
--- a/vql/windows/process/winobj.go
+++ b/vql/windows/process/winobj.go
@@ -33,7 +33,7 @@ type WinObjPlugin struct{}
 func (self WinObjPlugin) Call(
 ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) <-chan vfilter.Row {
 output_chan := make(chan vfilter.Row)
@@ -68,7 +68,7 @@ func (self WinObjPlugin) Call(
 return output_chan
 }
-func (self WinObjPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+func (self WinObjPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 return &vfilter.PluginInfo{
 Name: "winobj",
 Doc: "Enumerate The Windows Object Manager namespace.",
@@ -78,7 +78,7 @@ func (self WinObjPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *
 // GetObjects recursively traverses the object manager directories.
 func GetObjects(ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 path string,
 output_chan chan<- vfilter.Row,
 depth int) {
@@ -148,7 +148,7 @@ func GetObjects(ctx context.Context,
 }
 // Encrich the WinObjDesc with additional information
-func descObject(scope *vfilter.Scope, info *WinObjDesc) {
+func descObject(scope vfilter.Scope, info *WinObjDesc) {
 switch info.Type {
 case "SymbolicLink":
 obj_attr := ntdll.NewObjectAttributes(info.Name, 0, 0, nil)
diff --git a/vql/windows/processes.go b/vql/windows/processes.go
index 6041278df09..c2b3ce6ea9e 100644
--- a/vql/windows/processes.go
+++ b/vql/windows/processes.go
@@ -160,7 +160,7 @@ type PslistPlugin struct{}
 func (self PslistPlugin) Call(
 ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) <-chan vfilter.Row {
 output_chan := make(chan vfilter.Row)
 arg := &PslistArgs{}
@@ -243,7 +243,7 @@ func (self PslistPlugin) Call(
 return output_chan
 }
-func (self PslistPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+func (self PslistPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 return &vfilter.PluginInfo{
 Name: "pslist",
 Doc: "Enumerate running processes.",
diff --git a/vql/windows/registry.go b/vql/windows/registry.go
index 9275f885c6d..6d8c37afaaf 100644
--- a/vql/windows/registry.go
+++ b/vql/windows/registry.go
@@ -40,7 +40,7 @@ type _ExpandPath struct{}
 func (self _ExpandPath) Call(
 ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) vfilter.Any {
 err := vql_subsystem.CheckAccess(scope, acls.MACHINE_STATE)
@@ -68,7 +68,7 @@ func (self _ExpandPath) Call(
 return expanded_path
 }
-func (self _ExpandPath) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+func (self _ExpandPath) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 return &vfilter.FunctionInfo{
 Name: "expand",
 Doc: "Expand the path using the environment.",
diff --git a/vql/windows/users.go b/vql/windows/users.go
index dbdf0ec730d..eeb4af50a5f 100644
--- a/vql/windows/users.go
+++ b/vql/windows/users.go
@@ -101,7 +101,7 @@ func ParseUserRecord(a *USER_INFO_3) *UserRecord {
 }
 }
-func getUsers(scope *vfilter.Scope,
+func getUsers(scope vfilter.Scope,
 args *ordereddict.Dict) []vfilter.Row {
 var result []vfilter.Row
@@ -148,7 +148,7 @@ type LookupSidFunctionArgs struct {
 type LookupSidFunction struct{}
 func (self *LookupSidFunction) Call(ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) vfilter.Any {
 err := vql_subsystem.CheckAccess(scope, acls.MACHINE_STATE)
@@ -186,7 +186,7 @@ func (self *LookupSidFunction) Call(ctx context.Context,
 return syscall.UTF16ToString(name)
 }
-func (self *LookupSidFunction) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
+func (self *LookupSidFunction) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.FunctionInfo {
 return &vfilter.FunctionInfo{
 Name: "lookupSID",
 Doc: "Get information about the SID.",
diff --git a/vql/windows/wmi/events.go b/vql/windows/wmi/events.go
index f737bc1b675..49cab30c4a8 100644
--- a/vql/windows/wmi/events.go
+++ b/vql/windows/wmi/events.go
@@ -65,7 +65,7 @@ func (self *WMIObject) Parse() (*ordereddict.Dict, error) {
 type eventQueryContext struct {
 output chan vfilter.Row
- scope *vfilter.Scope
+ scope vfilter.Scope
 }
 // This is called to handle the serialized event string. We just send
@@ -110,7 +110,7 @@ type WmiEventPlugin struct{}
 func (self WmiEventPlugin) Call(
 ctx context.Context,
- scope *vfilter.Scope,
+ scope vfilter.Scope,
 args *ordereddict.Dict) <-chan vfilter.Row {
 output_chan := make(chan vfilter.Row)
 arg := &WmiEventPluginArgs{}
@@ -180,7 +180,7 @@ func (self WmiEventPlugin) Call(
 return output_chan
 }
-func (self WmiEventPlugin) Info(scope *vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
+func (self WmiEventPlugin) Info(scope vfilter.Scope, type_map *vfilter.TypeMap) *vfilter.PluginInfo {
 return &vfilter.PluginInfo{
 Name: "wmi_events",
 Doc: "Executes an evented WMI queries asynchronously.",
diff --git a/vql/windows/wmi/wmi.go b/vql/windows/wmi/wmi.go
index a61746344ae..ec41b91a0e7 100644
--- a/vql/windows/wmi/wmi.go
+++ b/vql/windows/wmi/wmi.go
@@ -187,7 +187,7 @@ type WMIQueryArgs struct {
 Namespace string `vfilter:"optional,field=namespace,doc=The WMI namespace to use (ROOT/CIMV2)"`
 }
-func runWMIQuery(scope *vfilter.Scope,
+func runWMIQuery(scope vfilter.Scope,
 args *ordereddict.Dict) []vfilter.Row {
 var result []vfilter.Row