Update to latest SQLiteHunter (Velocidex#2901)

Includes new ESE based artifacts: - WebCacheV01 parsing - Windows Search Service - aka Windows.edb
scudette · Aug 27, 2023 · 9d77ac3 · 9d77ac3
1 parent 0184c86
commit 9d77ac3
Show file tree

Hide file tree

Showing 7 changed files with 182 additions and 16 deletions.
diff --git a/Makefile b/Makefile
@@ -93,7 +93,7 @@ SQLECmdSync:
 	python3 scripts/sqlecmd_convert.py ~/projects/SQLECmd/ ~/projects/KapeFiles/ artifacts/definitions/Generic/Collectors/SQLECmd.yaml
 
 SQLiteHunter:
-	cp ~/projects/SQLiteHunter/output/SQLiteHunter.yaml artifacts/definitions/Generic/Forensic/SQLiteHunter/
+	cp ~/projects/SQLiteHunter/output/SQLiteHunter.yaml artifacts/definitions/Generic/Forensic/SQLiteHunter.yaml
 
 # Do this after fetching the build artifacts with `gh run download <RunID>`
 UpdateCIArtifacts:

diff --git a/artifacts/definitions/Generic/Forensic/SQLiteHunter.yaml b/artifacts/definitions/Generic/Forensic/SQLiteHunter.yaml
diff --git a/artifacts/definitions/Windows/Forensics/UserAccessLogs.yaml b/artifacts/definitions/Windows/Forensics/UserAccessLogs.yaml
@@ -111,8 +111,8 @@ sources:
                })) AS Value
             FROM items(item={
                SELECT *, get(item=RoleLookup, field=RoleGuid).RoleName AS RoleName,
-                  format(format="%02x", args=Address) AS RawAddress,
-                  FormatAddress(Address=Address) AS Address
+                  Address AS RawAddress,
+                  FormatAddress(Address=unhex(string=Address)) AS Address
                FROM parse_ese(file=OSPath, table="CLIENTS")
             })
         }, column="Value")

diff --git a/go.mod b/go.mod
@@ -83,7 +83,7 @@ require (
 	golang.org/x/mod v0.10.0
 	golang.org/x/net v0.12.0
 	golang.org/x/sys v0.10.0
-	golang.org/x/text v0.11.0 // indirect
+	golang.org/x/text v0.12.0 // indirect
 	golang.org/x/time v0.3.0
 	google.golang.org/api v0.126.0
 	google.golang.org/genproto v0.0.0-20230530153820-e85fd2cbaebc // indirect
@@ -96,7 +96,7 @@ require (
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	howett.net/plist v1.0.0
 	www.velocidex.com/golang/evtx v0.2.1-0.20220404133451-1fdf8be7325e
-	www.velocidex.com/golang/go-ese v0.1.1-0.20220107095505-c38622559671
+	www.velocidex.com/golang/go-ese v0.1.1-0.20230821114411-ecb5494187ed
 	www.velocidex.com/golang/go-ntfs v0.1.2-0.20230815140127-6a3dd72bfbf1
 	www.velocidex.com/golang/go-pe v0.1.1-0.20230228112150-ef2eadf34bc3
 	www.velocidex.com/golang/go-prefetch v0.0.0-20220801101854-338dbe61982a
@@ -133,7 +133,7 @@ require (
 	google.golang.org/genproto/googleapis/api v0.0.0-20230530153820-e85fd2cbaebc
 	google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.2.0
 	software.sslmate.com/src/go-pkcs12 v0.2.0
-	www.velocidex.com/golang/vtypes v0.0.0-20220816192452-6a27ae078f12
+	www.velocidex.com/golang/vtypes v0.0.0-20230821104433-297db7c471d8
 )
 
 require (

diff --git a/go.sum b/go.sum
@@ -913,8 +913,8 @@ golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.11.0 h1:LAntKIrcmeSKERyiOh0XMV39LXS8IE9UL2yP7+f5ij4=
-golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.12.0 h1:k+n5B8goJNdU7hSvEtMUz3d1Q6D/XW4COJSJR6fN0mc=
+golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/time v0.0.0-20170424234030-8be79e1e0910/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -1229,8 +1229,8 @@ www.velocidex.com/golang/binparsergen v0.1.1-0.20220107080050-ae6122c5ed14 h1:ja
 www.velocidex.com/golang/binparsergen v0.1.1-0.20220107080050-ae6122c5ed14/go.mod h1:Q/J/huOyH6IlY2aShigY1CnZnw5EO0+FZJgnGEBrT5Q=
 www.velocidex.com/golang/evtx v0.2.1-0.20220404133451-1fdf8be7325e h1:AhcXPgNKhJFAWnPjX5Y7rngvhg3Bgt03yF41sA1S4uY=
 www.velocidex.com/golang/evtx v0.2.1-0.20220404133451-1fdf8be7325e/go.mod h1:ykEQ7AUF9AL+mfCefDmLwmZOnU2So6wM3qKM8xdsHhU=
-www.velocidex.com/golang/go-ese v0.1.1-0.20220107095505-c38622559671 h1:pfvo7NFo0eJj6Zr7d+4vMx/Zr2JriMMPEWRHUf1YjUw=
-www.velocidex.com/golang/go-ese v0.1.1-0.20220107095505-c38622559671/go.mod h1:qnzHyB9yD2khtYO+wf3ck9FQxX3wFhXeJHFBnuUIZcc=
+www.velocidex.com/golang/go-ese v0.1.1-0.20230821114411-ecb5494187ed h1:TY4zGUexVodrlOE7bmp2Vk+T09B8mGwBPhswUN0uNkk=
+www.velocidex.com/golang/go-ese v0.1.1-0.20230821114411-ecb5494187ed/go.mod h1:6fC9T6UGLbM7icuA0ugomU5HbFC5XA5I30zlWtZT8YE=
 www.velocidex.com/golang/go-ntfs v0.1.2-0.20230815140127-6a3dd72bfbf1 h1:6NMITYv1pi4tzmDcqB/enNUXKmS8dnTb72HBghqhnAM=
 www.velocidex.com/golang/go-ntfs v0.1.2-0.20230815140127-6a3dd72bfbf1/go.mod h1:itvbHQcnLdTVIDY6fI3lR0zeBwXwBYBdUFtswE0x1vc=
 www.velocidex.com/golang/go-pe v0.1.1-0.20220107093716-e91743c801de/go.mod h1:j9Xy8Z9wxzY2SCB8CqDkkoSzy+eUwevnOrRm/XM2q/A=
@@ -1245,5 +1245,5 @@ www.velocidex.com/golang/regparser v0.0.0-20221020153526-bbc758cbd18b/go.mod h1:
 www.velocidex.com/golang/vfilter v0.0.0-20220103082604-85bb38175cb7/go.mod h1:eEFMhAmoFHWGCKF39j+iOhTH8REpqBndc3OsdPsxqo8=
 www.velocidex.com/golang/vfilter v0.0.0-20230730233014-4610600570e4 h1:E67EKoKquZbAVH4e4m1CWneZUJ9mWP/C/BbzPtbMGAU=
 www.velocidex.com/golang/vfilter v0.0.0-20230730233014-4610600570e4/go.mod h1:4mDQuvnVu6oPvDu/rZm8eYXh0h8mM7j9CJpj1nRfu8g=
-www.velocidex.com/golang/vtypes v0.0.0-20220816192452-6a27ae078f12 h1:8azOLd/l6sPy1/ug03ueA7jLfsVwE1sI3oHg9q/nkqQ=
-www.velocidex.com/golang/vtypes v0.0.0-20220816192452-6a27ae078f12/go.mod h1:gpuRaiyhcuPmZYvI/zw+rjlDXklR2ORaLQBuzCXe84o=
+www.velocidex.com/golang/vtypes v0.0.0-20230821104433-297db7c471d8 h1:6Qv0c/DfkWlnctIU4jzbOXwEpRmYjq2FTcpKB3RP4yM=
+www.velocidex.com/golang/vtypes v0.0.0-20230821104433-297db7c471d8/go.mod h1:e+QxuKbAYLOz6oZ9+YUozmOzZjcx0Q8ptHT+8oLy3CU=
diff --git a/vql/parsers/csv/csv.go b/vql/parsers/csv/csv.go
@@ -26,6 +26,7 @@ import (
 	"github.com/Velocidex/ordereddict"
 	"www.velocidex.com/golang/velociraptor/accessors"
 	"www.velocidex.com/golang/velociraptor/acls"
+	"www.velocidex.com/golang/velociraptor/config"
 	"www.velocidex.com/golang/velociraptor/file_store/csv"
 	"www.velocidex.com/golang/velociraptor/json"
 	"www.velocidex.com/golang/velociraptor/vql"
@@ -191,10 +192,16 @@ func (self _WatchCSVPlugin) Call(
 
 		event_channel := make(chan vfilter.Row)
 
+		config_obj, ok := vql_subsystem.GetServerConfig(scope)
+		if !ok {
+			config_obj = config.GetDefaultConfig()
+		}
+
 		// Register the output channel as a listener to the
 		// global event.
 		for _, filename := range arg.Filenames {
-			GlobalCSVService.Register(
+			watcher_service := NewCSVWatcherService(config_obj)
+			watcher_service.Register(
 				filename, arg.Accessor,
 				ctx, scope, event_channel)
 		}

diff --git a/vql/parsers/csv/watcher.go b/vql/parsers/csv/watcher.go
@@ -33,7 +33,7 @@ type CSVWatcherService struct {
 
 func NewCSVWatcherService(config_obj *config_proto.Config) *CSVWatcherService {
 	mu.Lock()
-	defer mu.Lock()
+	defer mu.Unlock()
 
 	if GlobalCSVService == nil {
 		GlobalCSVService = &CSVWatcherService{