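/**
 * @brief Append one row with the CoreStorage encryption state of a BSD device.
 *
 * Looks up the IOKit service matching bsd_name, reads its registry properties
 * and appends a row with the columns name, uuid, encrypted and type.
 * No row is appended when the service or its properties cannot be read, so an
 * absent row means "state unknown" rather than "not encrypted".
 *
 * @param bsd_name BSD device name; kDeviceNamePrefix is prepended for the
 *                 "name" column.
 * @param uuid     Value copied verbatim into the "uuid" column.
 * @param results  Container that receives the row.
 */
void genFDEStatusForBSDName(const std::string& bsd_name,
                            const std::string& uuid,
                            QueryData& results) {
  auto matching_dict =
      IOBSDNameMatching(kIOMasterPortDefault, kNilOptions, bsd_name.c_str());
  if (matching_dict == nullptr) {
    // Nothing was allocated. CFRelease() must not be called with a null
    // reference, so simply bail out.
    return;
  }

  // IOServiceGetMatchingService consumes one reference to matching_dict, so
  // the dictionary must not be released by this function afterwards.
  auto service =
      IOServiceGetMatchingService(kIOMasterPortDefault, matching_dict);
  if (!service) {
    // No service object was returned; there is nothing to release.
    return;
  }

  // Start from nullptr and check the result: on failure the out-parameter
  // must not be read or released.
  CFMutableDictionaryRef properties = nullptr;
  const auto kr = IORegistryEntryCreateCFProperties(
      service, &properties, kCFAllocatorDefault, kNilOptions);
  if (kr != KERN_SUCCESS || properties == nullptr) {
    IOObjectRelease(service);
    return;
  }

  Row r;
  r["name"] = kDeviceNamePrefix + bsd_name;
  r["uuid"] = uuid;

  // An absent (empty) property is reported as "0".
  auto encrypted = getIOKitProperty(properties, kCoreStorageIsEncryptedKey_);
  r["encrypted"] = (encrypted.empty()) ? "0" : encrypted;
  r["type"] = (r.at("encrypted") == "1") ? kEncryptionType : std::string();

  results.push_back(r);
  CFRelease(properties);
  IOObjectRelease(service);
}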
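/**
 * @brief Append one row describing a PCI device from its IOKit properties.
 *
 * Reads the "pcidebug" and "compatible" registry properties of the device and
 * parses the space-separated "compatible" string into vendor_id, model_id,
 * pci_class and driver. The string is reported by the device registry entry,
 * so every token is bounds-checked before it is indexed. When the string
 * cannot be parsed, a verbose log line is written and no row is appended.
 *
 * @param device  IOKit service handle of the PCI device.
 * @param results Container that receives the row.
 */
void genPCIDevice(const io_service_t& device, QueryData& results) {
  // Get the device details. Start from nullptr and check the result so a
  // failed call never leads to reading or releasing an unset reference.
  CFMutableDictionaryRef details = nullptr;
  const auto kr = IORegistryEntryCreateCFProperties(
      device, &details, kCFAllocatorDefault, kNilOptions);
  if (kr != KERN_SUCCESS || details == nullptr) {
    VLOG(1) << "Error reading IOKit PCI device properties";
    return;
  }

  Row r;
  r["pci_slot"] = getIOKitProperty(details, "pcidebug");
  auto compatible = getIOKitProperty(details, "compatible");
  // Both values are copied out; release now so no early return below leaks.
  CFRelease(details);

  std::vector<std::string> properties;
  boost::trim(compatible);
  boost::split(properties, compatible, boost::is_any_of(" "));

  if (properties.size() < 2) {
    VLOG(1) << "Error parsing IOKit compatible properties";
    return;
  }

  size_t prop_index = 0;
  if (properties[1].find("pci") == 0 && properties[1].find("pciclass") != 0) {
    // There are two sets of PCI definitions.
    prop_index = 1;
  } else if (properties[0].find("pci") != 0) {
    VLOG(1) << "No vendor/model found";
    return;
  }

  std::vector<std::string> vendor;
  boost::split(vendor, properties[prop_index++], boost::is_any_of(","));
  if (vendor.size() < 2) {
    // A token without a comma carries no model part; indexing vendor[1]
    // would read past the end of the vector.
    VLOG(1) << "No vendor/model found";
    return;
  }
  // The selected token starts with "pci", so vendor[0] has at least 3 chars.
  r["vendor_id"] = vendor[0].substr(3);
  r["model_id"] = (vendor[1].size() == 3) ? "0" + vendor[1] : vendor[1];

  if (prop_index < properties.size() &&
      properties[prop_index].find("pciclass") == 0) {
    // There is a class definition. The value follows the 9-character
    // "pciclass" + separator prefix; a shorter token yields an empty class
    // instead of an out-of-range substr().
    const auto& pci_class = properties[prop_index++];
    r["pci_class"] = (pci_class.size() > 9) ? pci_class.substr(9)
                                            : std::string();
  }

  if (prop_index < properties.size()) {
    // There is a driver/ID.
    r["driver"] = properties[prop_index];
  }

  results.push_back(r);
}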
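/**
 * @brief Append one row describing a PCI device from its IOKit properties.
 *
 * Reads the "pcidebug" and "compatible" registry properties and lets
 * IOKitPCIProperties split the "compatible" string into vendor_id, model_id,
 * pci_class and driver. No row is appended when the property dictionary
 * cannot be created.
 *
 * @param device  IOKit service handle of the PCI device.
 * @param results Container that receives the row.
 */
void genPCIDevice(const io_service_t& device, QueryData& results) {
  // Get the device details. Start from nullptr and check the result: on
  // failure the out-parameter must not be read or passed to CFRelease().
  CFMutableDictionaryRef details = nullptr;
  const auto kr = IORegistryEntryCreateCFProperties(
      device, &details, kCFAllocatorDefault, kNilOptions);
  if (kr != KERN_SUCCESS || details == nullptr) {
    return;
  }

  Row r;
  r["pci_slot"] = getIOKitProperty(details, "pcidebug");

  auto compatible = getIOKitProperty(details, "compatible");
  auto properties = IOKitPCIProperties(compatible);
  r["vendor_id"] = properties.vendor_id;
  r["model_id"] = properties.model_id;
  r["pci_class"] = properties.pci_class;
  r["driver"] = properties.driver;

  results.push_back(r);
  CFRelease(details);
}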
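/**
 * @brief Build the single platform (firmware ROM) information row.
 *
 * Reads the properties of the "IODeviceTree:/rom" registry entry and reports
 * vendor, volume_size, size, date, version, address, revision and extra.
 * Returns an empty result when the entry or its properties are unavailable.
 *
 * @param context Query context (not used by this function).
 * @return A QueryData holding one row, or an empty QueryData on failure.
 */
QueryData genPlatformInfo(QueryContext& context) {
  auto rom = IORegistryEntryFromPath(kIOMasterPortDefault, "IODeviceTree:/rom");
  if (rom == 0) {
    return {};
  }

  CFMutableDictionaryRef details = nullptr;
  IORegistryEntryCreateCFProperties(
      rom, &details, kCFAllocatorDefault, kNilOptions);
  IOObjectRelease(rom);

  // Success is determined by the details dictionary existence.
  if (details == nullptr) {
    return {};
  }

  Row r;
  r["vendor"] = getIOKitProperty(details, "vendor");
  r["volume_size"] = getIOKitProperty(details, "fv-main-size");
  r["size"] = getIOKitProperty(details, "rom-size");
  r["date"] = getIOKitProperty(details, "release-date");
  r["version"] = getIOKitProperty(details, "version");
  const auto address = getIOKitProperty(details, "fv-main-address");
  const auto info = getIOKitProperty(details, "apple-rom-info");

  // Every property has been copied into a string; release the dictionary
  // before any parsing that may throw, so it cannot leak.
  CFRelease(details);

  try {
    // The address is reported as a zero-padded, 8-digit hexadecimal value.
    const auto value = boost::lexical_cast<size_t>(address);
    std::stringstream hex_id;
    hex_id << std::hex << std::setw(8) << std::setfill('0') << value;
    r["address"] = "0x" + hex_id.str();
  } catch (const boost::bad_lexical_cast&) {
    // A missing or non-numeric "fv-main-address" leaves the column unset
    // instead of aborting the whole row with an exception.
  }

  {
    // "apple-rom-info" holds "key: value" lines separated by the literal
    // text "%0a"; every value is collected and the one whose key contains
    // "Revision" is also reported on its own.
    std::vector<std::string> extra_items;
    std::vector<std::string> info_lines;
    iter_split(info_lines, info, boost::algorithm::first_finder("%0a"));
    for (const auto& line : info_lines) {
      std::vector<std::string> key_value;
      iter_split(key_value, line, boost::algorithm::first_finder(": "));
      if (key_value.size() > 1) {
        boost::trim(key_value[1]);
        if (key_value[0].find("Revision") != std::string::npos) {
          r["revision"] = key_value[1];
        }
        extra_items.push_back(key_value[1]);
      }
    }
    r["extra"] = osquery::join(extra_items, "; ");
  }

  return {r};
}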
/**
 * @brief Append one row with the CoreStorage encryption state of a BSD device.
 *
 * The row carries name, uuid, encrypted and type. When the encryption
 * property is present and genUid() succeeds, uid and user_uuid are added as
 * well. Nothing is appended when the service lookup or the property read
 * fails.
 *
 * @param bsd_name BSD device name; kDeviceNamePrefix is prepended for the
 *                 "name" column.
 * @param uuid     Value copied verbatim into the "uuid" column.
 * @param results  Container that receives the row.
 */
void genFDEStatusForBSDName(const std::string& bsd_name,
                            const std::string& uuid,
                            QueryData& results) {
  auto matcher =
      IOBSDNameMatching(kIOMasterPortDefault, kNilOptions, bsd_name.c_str());
  if (matcher == nullptr) {
    return;
  }

  auto entry = IOServiceGetMatchingService(kIOMasterPortDefault, matcher);
  if (!entry) {
    return;
  }

  CFMutableDictionaryRef props;
  const auto status = IORegistryEntryCreateCFProperties(
      entry, &props, kCFAllocatorDefault, kNilOptions);
  if (status != KERN_SUCCESS) {
    IOObjectRelease(entry);
    return;
  }

  Row row;
  row["name"] = kDeviceNamePrefix + bsd_name;
  row["uuid"] = uuid;

  const auto state = getIOKitProperty(props, kCoreStorageIsEncryptedKey_);
  const bool has_state = !state.empty();
  // An absent (empty) property is reported as "0".
  row["encrypted"] = has_state ? state : "0";

  if (has_state) {
    // The user columns are only filled in when the lookup succeeds.
    id_t user_id;
    uuid_string_t user_uuid = {0};
    if (genUid(user_id, user_uuid).ok()) {
      row["uid"] = BIGINT(user_id);
      row["user_uuid"] = TEXT(user_uuid);
    }
  }

  if (row.at("encrypted") == "1") {
    row["type"] = kEncryptionType;
  } else {
    row["type"] = std::string();
  }

  results.push_back(row);
  CFRelease(props);
  IOObjectRelease(entry);
}
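/**
 * @brief Build and fire an event context for an IOKit device notification.
 *
 * The IOKit class name becomes the event type. For USB and PCI devices the
 * descriptive fields are filled from the device's registry properties; for
 * every other class, or when the properties cannot be read, the registry
 * entry name is used as the model. The event is fired in all of these cases
 * so a hardware event is not silently dropped because a property read failed.
 * No event is fired when the class name itself cannot be obtained.
 *
 * @param device IOKit service handle the notification refers to.
 * @param action Action recorded in the event context.
 */
void IOKitEventPublisher::newEvent(const io_service_t& device,
                                   IOKitEventContext::Action action) {
  auto ec = createEventContext();
  ec->action = action;

  {
    // The IORegistry name is not needed.
    io_name_t class_name = {0};
    if (IOObjectGetClass(device, class_name) != kIOReturnSuccess) {
      return;
    }
    ec->type = std::string(class_name);
  }

  // Get the device details. Start from nullptr and check the result: on
  // failure the out-parameter must not be read or passed to CFRelease().
  CFMutableDictionaryRef details = nullptr;
  const auto kr = IORegistryEntryCreateCFProperties(
      device, &details, kCFAllocatorDefault, kNilOptions);
  const bool have_details = (kr == kIOReturnSuccess && details != nullptr);

  if (have_details && ec->type == kIOUSBDeviceClassName_) {
    ec->path = getIOKitProperty(details, "USB Address") + ":";
    ec->path += getIOKitProperty(details, "PortNum");
    ec->model = getIOKitProperty(details, "USB Product Name");
    ec->model_id = getIOKitProperty(details, "idProduct");
    ec->vendor = getIOKitProperty(details, "USB Vendor Name");
    ec->vendor_id = getIOKitProperty(details, "idVendor");
    idToHex(ec->vendor_id);
    idToHex(ec->model_id);
    ec->serial = getIOKitProperty(details, "USB Serial Number");
    if (ec->serial.size() == 0) {
      // Fall back to the alternative serial number property.
      ec->serial = getIOKitProperty(details, "iSerialNumber");
    }
    ec->version = "";
    ec->driver = getIOKitProperty(details, "IOUserClientClass");
  } else if (have_details && ec->type == kIOPCIDeviceClassName_) {
    auto compatible = getIOKitProperty(details, "compatible");
    auto properties = IOKitPCIProperties(compatible);
    ec->model_id = properties.model_id;
    ec->vendor_id = properties.vendor_id;
    ec->driver = properties.driver;
    if (ec->driver.empty()) {
      ec->driver = getIOKitProperty(details, "IOName");
    }

    ec->path = getIOKitProperty(details, "pcidebug");
    ec->version = getIOKitProperty(details, "revision-id");
    ec->model = getIOKitProperty(details, "model");
  } else {
    // Get the name as the model.
    io_name_t name = {0};
    IORegistryEntryGetName(device, name);
    if (name[0] != 0) {
      ec->model = std::string(name);
    }
  }

  if (have_details) {
    CFRelease(details);
  }
  fire(ec);
}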
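/**
 * @brief Append one row describing an IOMedia (disk or partition) device.
 *
 * uuid, name and size come from the IOKit registry properties, label from
 * the registry entry name, and vendor, model and type from the Disk
 * Arbitration description. Entries whose "Whole" property is "1" are recorded
 * in whole_devices; other entries get a "parent" column when their name
 * starts with a recorded whole-device name. No row is appended when the
 * registry properties cannot be read.
 *
 * @param device        IOKit service handle of the media object.
 * @param whole_devices Names of whole-disk entries seen so far; extended
 *                      when this device is a whole disk.
 * @param results       Container that receives the row.
 */
void genIOMediaDevice(const io_service_t& device,
                      std::vector<std::string>& whole_devices,
                      QueryData& results) {
  // Get the device properties. Start from nullptr and check the result: on
  // failure the out-parameter must not be read or passed to CFRelease().
  CFMutableDictionaryRef properties = nullptr;
  const auto props_kr = IORegistryEntryCreateCFProperties(
      device, &properties, kCFAllocatorDefault, kNilOptions);
  if (props_kr != KERN_SUCCESS || properties == nullptr) {
    return;
  }

  Row r;
  r["uuid"] = getIOKitProperty(properties, "UUID");
  r["name"] = "/dev/" + getIOKitProperty(properties, "BSD Name");
  r["size"] = getIOKitProperty(properties, "Size");

  auto type = getIOKitProperty(properties, "Whole");
  if (type == "1") {
    // The "Whole" property applies to the entire disk entry, not partitions.
    whole_devices.push_back(r["name"]);
  } else {
    // Otherwise search the list of whole disks to find the node parent.
    // NOTE(review): this is a plain prefix match and the last match wins;
    // confirm that one whole-disk name being a prefix of another cannot
    // produce a wrong parent.
    for (const auto& parent : whole_devices) {
      if (r.at("name").find(parent) == 0) {
        r["parent"] = parent;
      }
    }
  }

  // This is the IOKit name, which is the device's label.
  io_name_t name = {0};
  auto kr = IORegistryEntryGetName(device, name);
  if (kr == KERN_SUCCESS) {
    r["label"] = std::string(name);
  }

  // Remaining details come from the Disk Arbitration service.
  DASessionRef session = DASessionCreate(kCFAllocatorDefault);
  if (session != nullptr) {
    auto disk = DADiskCreateFromIOMedia(kCFAllocatorDefault, session, device);
    if (disk != nullptr) {
      CFDictionaryRef details = DADiskCopyDescription(disk);
      if (details != nullptr) {
        // getIOKitProperty takes a mutable dictionary reference; the
        // description is only read through it.
        auto description = const_cast<CFMutableDictionaryRef>(details);
        r["vendor"] = getIOKitProperty(description, "DADeviceVendor");
        r["model"] = getIOKitProperty(description, "DADeviceModel");
        r["type"] = getIOKitProperty(description, "DADeviceProtocol");
        CFRelease(details);
      }
      CFRelease(disk);
    }
    CFRelease(session);
  }

  results.push_back(r);
  CFRelease(properties);
}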