namespace tables {

#ifndef WIN32
fs::path kEtcHosts = "/etc/hosts";
#else
fs::path kEtcHosts = (getSystemRoot() / "system32\\drivers\\etc\\hosts");
fs::path kEtcHostsIcs = (getSystemRoot() / "system32\\drivers\\etc\\hosts.ics");
#endif

/// Parses the text of a hosts file into one row per address line.
///
/// A line is skipped when it has no tokens or its first token begins with
/// '#'. The first token becomes "address"; the following tokens are joined
/// with single spaces into "hostnames", stopping at the first token that
/// begins with '#' (a trailing comment). "hostnames" is only set when the
/// line has more than one token.
///
/// @param content Raw file text.
/// @return One row per parsed address line.
QueryData parseEtcHostsContent(const std::string& content) {
  QueryData results;
  for (const auto& raw_line : osquery::split(content, "\n")) {
    const auto tokens = split(raw_line);
    if (tokens.empty() || boost::starts_with(tokens.front(), "#")) {
      continue;
    }

    Row r;
    r["address"] = tokens.front();
    if (tokens.size() > 1) {
      std::vector<std::string> hostnames;
      for (auto it = tokens.begin() + 1; it != tokens.end(); ++it) {
        if (boost::starts_with(*it, "#")) {
          break; // the rest of the line is a trailing comment
        }
        hostnames.push_back(*it);
      }
      r["hostnames"] = boost::algorithm::join(hostnames, " ");
    }
    results.push_back(r);
  }
  return results;
}

/// Generates the etc_hosts table from kEtcHosts; on Windows the rows parsed
/// from kEtcHostsIcs are appended. A file that cannot be read contributes no
/// rows.
QueryData genEtcHosts(QueryContext& context) {
  QueryData results;
  std::string content;
  if (readFile(kEtcHosts, content).ok()) {
    results = parseEtcHostsContent(content);
  }

#ifdef WIN32
  content.clear();
  if (readFile(kEtcHostsIcs, content).ok()) {
    auto ics_rows = parseEtcHostsContent(content);
    results.insert(results.end(), ics_rows.begin(), ics_rows.end());
  }
#endif

  return results;
}
}
/// Stores the volume GUID path of the drive holding the system root in
/// r["device"]; leaves the row untouched when the lookup fails.
void GetSystemDriveGUID(Row& r) {
  const auto mountPoint = getSystemRoot().root_name().string() + "\\";
  char volumeName[51] = {0};
  const auto ok = GetVolumeNameForVolumeMountPoint(
      mountPoint.c_str(), static_cast<LPSTR>(volumeName), 50);
  if (!ok) {
    return;
  }
  r["device"] = SQL_TEXT(volumeName);
}
/// Generates the single kernel_info row: version, boot arguments, system
/// drive GUID and the kernel image path.
QueryData genKernelInfo(QueryContext& context) {
  QueryData results;
  Row row;
  GetKernelVersion(row);
  GetBootArgs(row);
  GetSystemDriveGUID(row);
  const auto kernelPath = getSystemRoot().string() + "\\System32\\ntoskrnl.exe";
  row["path"] = SQL_TEXT(kernelPath);
  results.push_back(row);
  return results;
}
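namespace tables {

#ifndef WIN32
fs::path kEtcProtocols = "/etc/protocols";
#else
fs::path kEtcProtocols = (getSystemRoot() / "system32\\drivers\\etc\\protocol");
#endif

/// Parses the text of a protocols file into one row per protocol entry.
///
/// Each non-comment line is expected as "name number [alias] [# comment]".
/// A line is skipped when it is empty, begins with '#', or has fewer than two
/// whitespace-separated fields before the first '#'.
///
/// @param content Raw file text.
/// @return One row per parsed entry with "name", "number", an optional
///         "alias" and an optional "comment".
QueryData parseEtcProtocolsContent(const std::string& content) {
  QueryData results;
  for (const auto& line : osquery::split(content, "\n")) {
    // Empty line or comment.
    if (line.empty() || boost::starts_with(line, "#")) {
      continue;
    }

    // [0]: name protocol_number alias
    // [1]: [comment part1]
    // [2]: [comment part2]
    // [n]: [comment partn]
    auto protocol_comment = osquery::split(line, "#");
    // NOTE(review): if split() drops empty tokens, a whitespace-only line
    // yields no parts at all; guard before indexing [0].
    if (protocol_comment.empty()) {
      continue;
    }

    // [0]: name
    // [1]: protocol_number
    // [2]: alias
    auto protocol_fields = osquery::split(protocol_comment[0]);
    if (protocol_fields.size() < 2) {
      continue;
    }

    Row r;
    r["name"] = TEXT(protocol_fields[0]);
    r["number"] = INTEGER(protocol_fields[1]);
    if (protocol_fields.size() > 2) {
      r["alias"] = TEXT(protocol_fields[2]);
    }

    // If there is a comment for the protocol, rejoin its parts with the
    // separator the line was split on.
    if (protocol_comment.size() > 1) {
      protocol_comment.erase(protocol_comment.begin());
      r["comment"] = TEXT(boost::algorithm::join(protocol_comment, " # "));
    }
    results.push_back(r);
  }
  return results;
}

/// Generates the etc_protocols table from kEtcProtocols. A read failure is
/// logged and yields no rows.
QueryData genEtcProtocols(QueryContext& context) {
  std::string content;
  const auto status = readFile(kEtcProtocols, content);
  if (!status.ok()) {
    TLOG << "Error reading " << kEtcProtocols << ": " << status.toString();
    return {};
  }
  return parseEtcProtocolsContent(content);
}
}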
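namespace tables {

/// Path of the NT kernel image whose version resource is reported.
std::string kNtKernelPath = (getSystemRoot() / "System32\\ntoskrnl.exe").string();

/// Fills r["arguments"] with the SystemStartOptions value found under
/// HKLM\SYSTEM\CurrentControlSet\Control, when present.
void GetBootArgs(Row& r) {
  QueryData regResults;
  queryKey("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control", regResults);
  for (const auto& aKey : regResults) {
    // Look the columns up instead of using at(): a row lacking either one
    // would otherwise throw out of the table generator.
    const auto name = aKey.find("name");
    const auto data = aKey.find("data");
    if (name == aKey.end() || data == aKey.end()) {
      continue;
    }
    if (name->second == "SystemStartOptions") {
      r["arguments"] = SQL_TEXT(data->second);
    }
  }
}

/// Fills r["device"] with the volume GUID path of the drive holding the
/// system root; leaves the row untouched when the lookup fails.
void GetSystemDriveGUID(Row& r) {
  // 50 characters is the size the API documents as sufficient for the
  // largest volume GUID path; one extra byte keeps the terminator.
  constexpr unsigned kVolumeNameLen = 50;
  char buf[kVolumeNameLen + 1] = {0};
  const auto sysRoot = getSystemRoot().root_name().string() + "\\";
  if (GetVolumeNameForVolumeMountPoint(
          sysRoot.c_str(), static_cast<LPSTR>(buf), kVolumeNameLen)) {
    r["device"] = SQL_TEXT(buf);
  }
}

/// Fills r["version"] with the product version (major.minor.build.revision)
/// taken from the fixed file-info block of kNtKernelPath.
///
/// Every failure is logged and leaves the row untouched. Unlike the previous
/// implementation, a failed GetFileVersionInfo or VerQueryValue call now
/// returns instead of continuing to read an unfilled buffer.
void GetKernelVersion(Row& r) {
  const auto verSize = GetFileVersionInfoSize(kNtKernelPath.c_str(), nullptr);
  if (verSize == 0) {
    TLOG << "GetFileVersionInfoSize failed (" << GetLastError() << ")";
    return;
  }

  // Owned buffer for the version resource; replaces the unchecked malloc/free.
  std::vector<char> verData(verSize);
  if (!GetFileVersionInfo(kNtKernelPath.c_str(), 0, verSize, verData.data())) {
    TLOG << "GetFileVersionInfo failed (" << GetLastError() << ")";
    return; // buffer contents are undefined on failure
  }

  void* vptrVersionInfo = nullptr;
  unsigned int size = 0;
  if (!VerQueryValue(verData.data(), "\\", &vptrVersionInfo, &size)) {
    TLOG << "VerQueryValue failed (" << GetLastError() << ")";
    return;
  }

  // The returned block must hold a whole VS_FIXEDFILEINFO before any of its
  // fields are read.
  if (vptrVersionInfo == nullptr || size < sizeof(VS_FIXEDFILEINFO)) {
    TLOG << "No Version information (" << GetLastError() << ")";
    return;
  }

  const auto lpVersionInfo = static_cast<VS_FIXEDFILEINFO*>(vptrVersionInfo);
  if (lpVersionInfo->dwSignature != 0xfeef04bd) {
    TLOG << "Incorrect Version Signature (" << GetLastError() << ")";
    return;
  }

  const auto majorMS = HIWORD(lpVersionInfo->dwProductVersionMS);
  const auto minorMS = LOWORD(lpVersionInfo->dwProductVersionMS);
  const auto majorLS = HIWORD(lpVersionInfo->dwProductVersionLS);
  const auto minorLS = LOWORD(lpVersionInfo->dwProductVersionLS);
  r["version"] = SQL_TEXT(std::to_string(majorMS) + "." + std::to_string(minorMS) +
                          "." + std::to_string(majorLS) + "." +
                          std::to_string(minorLS));
}

/// Generates the single kernel_info row: version, boot arguments, system
/// drive GUID and the kernel image path.
QueryData genKernelInfo(QueryContext& context) {
  Row r;
  GetKernelVersion(r);
  GetBootArgs(r);
  GetSystemDriveGUID(r);
  // Report the same path the version resource was read from.
  r["path"] = SQL_TEXT(kNtKernelPath);
  return {r};
}
} // namespace tables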