0.72 sync

accessors/collector/collector.go

@@ -2,6 +2,7 @@ package collector
 
 import (
 	"errors"
+	"fmt"
 	"io"
 	"io/ioutil"
 	"os"
@@ -194,13 +195,13 @@ func (self *CollectorAccessor) maybeSetZipPassword(
 
 	buf, err := ioutil.ReadAll(mhandle)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("Decoding metadata.json: %w", err)
 	}
 
 	rows := []*ordereddict.Dict{}
 	err = json.Unmarshal(buf, &rows)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("Decoding metadata.json: %w", err)
 	}
 
 	// metadata.json can be multiple rows
@@ -226,12 +227,12 @@ func (self *CollectorAccessor) maybeSetZipPassword(
 
 			key, err := crypto_utils.GetPrivateKeyFromScope(self.scope)
 			if err != nil {
-				return nil, err
+				return nil, fmt.Errorf("GetPrivateKeyFromScope: %w", err)
 			}
 
 			zip_pass, err := crypto_utils.Base64DecryptRSAOAEP(key, ep)
 			if err != nil {
-				return nil, err
+				return nil, fmt.Errorf("Unable to extract zip password: %w", err)
 			}
 
 			self.scope.SetContext(constants.ZIP_PASSWORDS, string(zip_pass))
@@ -311,6 +312,7 @@ func (self *CollectorAccessor) OpenWithOSPath(
 	updated_full_path, err := self.maybeSetZipPassword(full_path)
 	if err != nil {
 		self.scope.Log(err.Error())
+		return nil, err
 	}
 
 	reader, err := self.ZipFileSystemAccessor.OpenWithOSPath(updated_full_path)

api/proxy.go

@@ -251,7 +251,9 @@ func GetAPIHandler(
 				username, ok := req.Context().Value(
 					constants.GRPC_USER_CONTEXT).(string)
 				if ok {
-					md["USER"] = username
+					// gRPC metadata can only contain ASCII so we make
+					// sure to escape if needed.
+					md["USER"] = utils.Quote(username)
 				}
 
 				return metadata.New(md)

api/tables/table.go

@@ -147,7 +147,7 @@ func getTable(
 
 	// Seek to the row we need.
 	err = rs_reader.SeekToRow(int64(in.StartRow))
-	if err == io.EOF {
+	if errors.Is(err, io.EOF) {
 		return result, nil
 	}
 
@@ -207,7 +207,7 @@ func getStackTable(
 
 	// Seek to the row we need.
 	err = rs_reader.SeekToRow(int64(in.StartRow))
-	if err == io.EOF {
+	if errors.Is(err, io.EOF) {
 		return result, nil
 	}
 

artifacts/definitions/Server/Utils/CreateCollector.yaml

@@ -17,6 +17,8 @@ parameters:
       - Windows_x86
       - Linux
       - MacOS
+      - MacOSArm
+      - Generic
 
   - name: artifacts
     description: A list of artifacts to collect
@@ -101,6 +103,11 @@ parameters:
       The filename to use. You can expand environment variables as
       well as the following %FQDN% and %TIMESTAMP%.
 
+  - name: opt_collector_filename
+    type: string
+    description: |
+      If used, this option overrides the default filename of the collector being built.
+
   - name: opt_cpu_limit
     default: "0"
     type: int
@@ -386,9 +393,8 @@ sources:
       LET Target <= tool_name[0].Type
 
       // This is what we will call it.
-      LET CollectorName <= format(
-          format='Collector_%v',
-          args=inventory_get(tool=Target).Definition.filename)
+      LET CollectorName <= opt_collector_filename ||
+          format(format='Collector_%v', args=inventory_get(tool=Target).Definition.filename)
 
       LET CollectionArtifact <= SELECT Value FROM switch(
         a = { SELECT CommonCollections + StandardCollection AS Value

artifacts/definitions/Server/Utils/CreateMSI.yaml

@@ -2,6 +2,13 @@ name: Server.Utils.CreateMSI
 description: |
   Build an MSI ready for deployment in the current org.
 
+  This artifact depends on the following tools:
+
+  * <velo-tool-viewer name="VelociraptorWindowsMSI" />
+  * <velo-tool-viewer name="VelociraptorWindows_x86MSI" />
+
+  You can replace those with suitable MSI builds.
+
 type: SERVER
 
 parameters:

artifacts/definitions/Windows/Memory/Acquisition.yaml

@@ -12,13 +12,18 @@ tools:
     github_asset_regex: winpmem_mini_x64.+exe
     serve_locally: true
 
-precondition: SELECT OS From info() where OS = 'windows' AND Architecture = "amd64"
+precondition: |
+  SELECT OS FROM info()
+  WHERE OS = 'windows'
+    AND Architecture = "amd64"
 
 sources:
   - query: |
+      LET Tempfile <= tempfile(extension=".raw")
+
       SELECT * FROM foreach(
           row={
-            SELECT OSPath, tempfile(extension=".raw", remove_last=TRUE) AS Tempfile
+            SELECT OSPath
             FROM Artifact.Generic.Utils.FetchBinary(ToolName="WinPmem64")
           },
           query={

bin/debug.go

@@ -291,10 +291,12 @@ func handleProfile(config_obj *config_proto.Config) func(w http.ResponseWriter,
 	}
 }
 
-func handleIndex(w http.ResponseWriter, r *http.Request) {
-	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+func handleIndex(config_obj *config_proto.Config) func(
+	w http.ResponseWriter, r *http.Request) {
+	return func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "text/html; charset=utf-8")
 
-	w.Write([]byte(`
+		w.Write([]byte(`
 <html><body>
 <h1>Debug Server</h1>
 <ul>
@@ -304,14 +306,28 @@ func handleIndex(w http.ResponseWriter, r *http.Request) {
 <li><a href="/debug/profile/all/html">Show all profile items</a></li>
 `))
 
-	for _, i := range debug.GetProfileWriters() {
-		w.Write([]byte(fmt.Sprintf(`
+		if config_obj.Monitoring != nil && config_obj.GUI != nil {
+			metrics_url := config_obj.Monitoring.MetricsUrl
+			if metrics_url == "" {
+				metrics_url = fmt.Sprintf("http://%v:%v/metrics",
+					config_obj.Monitoring.BindAddress,
+					config_obj.Monitoring.BindPort)
+			}
+
+			w.Write([]byte(fmt.Sprintf(
+				"<li><a href=\"%s\">Metrics</a></li>\n",
+				url.QueryEscape(metrics_url))))
+		}
+
+		for _, i := range debug.GetProfileWriters() {
+			w.Write([]byte(fmt.Sprintf(`
 <li><a href="/debug/profile/%s/html">%s</a></li>`,
-			url.QueryEscape(i.Name),
-			html.EscapeString(i.Description))))
-	}
+				url.QueryEscape(i.Name),
+				html.EscapeString(i.Description))))
+		}
 
-	w.Write([]byte(`</body></html>`))
+		w.Write([]byte(`</body></html>`))
+	}
 }
 
 func initDebugServer(config_obj *config_proto.Config) error {
@@ -326,7 +342,7 @@ func initDebugServer(config_obj *config_proto.Config) error {
 			handleProfile(config_obj)))
 		http.HandleFunc("/debug/queries/running/",
 			maybeRenderHTML(handleRunningQueries))
-		http.HandleFunc("/", handleIndex)
+		http.HandleFunc("/", handleIndex(config_obj))
 
 		// Switch off the debug flag so we do not run this again. (The
 		// GUI runs this function multiple times).

bin/offline.go

@@ -62,6 +62,9 @@ OptTempdir:
 OptLevel: 5
 OptFilenameTemplate: "Collection-%FQDN%-%TIMESTAMP%"
 
+# What to call the collection binary. If empty we use an autogenerated name.
+OptCollectorTemplate: ""
+
 # Can be jsonl or csv
 OptFormat: jsonl
 
@@ -207,6 +210,7 @@ SELECT * FROM Artifact.Server.Utils.CreateCollector(
    opt_tempdir=Spec.OptTempdir,
    opt_level=Spec.OptLevel,
    opt_filename_template=Spec.OptFilenameTemplate,
+   opt_collector_filename=Spec.OptCollectorTemplate,
    opt_format=Spec.OptFormat,
    opt_output_directory=Spec.OptOutputDirectory,
    opt_cpu_limit=Spec.OptCpuLimit,

config/config.go

@@ -23,6 +23,8 @@ import (
 
 	"github.com/Velocidex/yaml/v2"
 	"github.com/go-errors/errors"
+	"github.com/prometheus/client_golang/prometheus"
+	"github.com/prometheus/client_golang/prometheus/promauto"
 	config_proto "www.velocidex.com/golang/velociraptor/config/proto"
 	constants "www.velocidex.com/golang/velociraptor/constants"
 	"www.velocidex.com/golang/velociraptor/utils"
@@ -34,6 +36,11 @@ var (
 	build_time  string
 	commit_hash string
 	ci_run_url  string
+
+	versionCounter = promauto.NewCounterVec(prometheus.CounterOpts{
+		Name: "velociraptor_build",
+		Help: "Current version of running binary.",
+	}, []string{"commit_hash", "build_time"})
 )
 
 func GetVersion() *config_proto.Version {
@@ -210,3 +217,10 @@ func WriteConfigToFile(filename string, config *config_proto.Config) error {
 
 	return nil
 }
+
+func init() {
+	// Tag the metrics with a build time. This is useful in a cluster
+	// to see if all nodes are upgraded.
+	versionCounter.With(prometheus.Labels{
+		"commit_hash": commit_hash, "build_time": build_time}).Inc()
+}