Exemplo n.º 1
0
void genInterfaceDetail(const WmiResultItem& adapter, QueryData& results) {
  Row r;
  long lPlaceHolder;
  bool bPlaceHolder;
  std::vector<std::string> vPlaceHolder;
  unsigned __int64 ulPlaceHolder;

  r["interface"] = INTEGER(lPlaceHolder);
  adapter.GetString("MACAddress", r["mac"]);
  adapter.GetString("AdapterType", r["type"]);

  adapter.GetString("Description", r["description"]);
  adapter.GetLong("InterfaceIndex", lPlaceHolder);
  adapter.GetString("Manufacturer", r["manufacturer"]);
  adapter.GetString("NetConnectionID", r["connection_id"]);
  adapter.GetLong("NetConnectionStatus", lPlaceHolder);
  r["connection_status"] = INTEGER(lPlaceHolder);
  adapter.GetBool("NetEnabled", bPlaceHolder);
  r["enabled"] = INTEGER(bPlaceHolder);
  adapter.GetBool("PhysicalAdapter", bPlaceHolder);
  r["physical_adapter"] = INTEGER(bPlaceHolder);
  adapter.GetUnsignedLongLong("Speed", ulPlaceHolder);
  r["speed"] = INTEGER(ulPlaceHolder);

  std::string query =
      "SELECT * FROM win32_networkadapterconfiguration WHERE "
      "InterfaceIndex = " +
      r["interface"];

  WmiRequest irequest(query);
  if (irequest.getStatus().ok()) {
    auto& iresults = irequest.results();
    iresults[0].GetLong("MTU", lPlaceHolder);
    r["mtu"] = INTEGER(lPlaceHolder);

    iresults[0].GetBool("DHCPEnabled", bPlaceHolder);
    r["dhcp_enabled"] = INTEGER(bPlaceHolder);
    iresults[0].GetString("DHCPLeaseExpires", r["dhcp_lease_expires"]);
    iresults[0].GetString("DHCPLeaseObtained", r["dhcp_lease_obtained"]);
    iresults[0].GetString("DHCPServer", r["dhcp_server"]);
    iresults[0].GetString("DNSDomain", r["dns_domain"]);
    iresults[0].GetVectorOfStrings("DNSDomainSuffixSearchOrder", vPlaceHolder);
    r["dns_domain_suffix_search_order"] =
        SQL_TEXT(boost::algorithm::join(vPlaceHolder, ", "));
    iresults[0].GetString("DNSHostName", r["dns_host_name"]);
    iresults[0].GetVectorOfStrings("DNSServerSearchOrder", vPlaceHolder);
    r["dns_server_search_order"] =
        SQL_TEXT(boost::algorithm::join(vPlaceHolder, ", "));
  }
  results.push_back(r);
}
Exemplo n.º 2
0
Row getHPBiosInfo(WmiResultItem& item) {
  Row r;

  std::string value;
  boost::smatch matches;
  item.GetString("Name", r["name"]);
  item.GetString("Value", value);

  if (boost::regex_search(value, matches, kHPBiosSettingRegex)) {
    r["value"] = std::string(matches[1]);
  } else {
    r["value"] = value;
  }

  return r;
}
Exemplo n.º 3
0
Row getDellBiosInfo(WmiResultItem& item) {
  Row r;

  std::vector<std::string> vCurrentValue;
  std::vector<std::string> vPossibleValues;
  std::vector<std::string> vPossibleValuesDescription;
  item.GetString("AttributeName", r["name"]);
  item.GetVectorOfStrings("CurrentValue", vCurrentValue);
  item.GetVectorOfStrings("PossibleValues", vPossibleValues);
  item.GetVectorOfStrings("PossibleValuesDescription",
                          vPossibleValuesDescription);

  if (vCurrentValue.size() == 1 && !vPossibleValues.empty()) {
    auto pos = std::find(
        vPossibleValues.begin(), vPossibleValues.end(), vCurrentValue[0]);
    if (pos != vPossibleValues.end()) {
      r["value"] = vPossibleValuesDescription[pos - vPossibleValues.begin()];
    } else {
      r["value"] = "N/A";
    }

  } else if (vCurrentValue.size() > 1) {
    std::ostringstream oValueConcat;
    std::copy(vCurrentValue.begin(),
              vCurrentValue.end() - 1,
              std::ostream_iterator<std::string>(oValueConcat, ","));
    oValueConcat << vCurrentValue.back();

    r["value"] = oValueConcat.str();

  } else {
    r["value"] = "N/A";
  }

  return r;
}
Exemplo n.º 4
0
Row getLenovoBiosInfo(WmiResultItem& item) {
  Row r;

  std::string currentSetting;
  std::vector<std::string> settings;
  item.GetString("CurrentSetting", currentSetting);
  settings = osquery::split(currentSetting, ",");

  if (settings.size() != 2) {
    return r;
  }
  r["name"] = settings[0];
  r["value"] = settings[1];

  return r;
}
Exemplo n.º 5
0
void genProcess(const WmiResultItem& result, QueryData& results_data) {
  Row r;
  Status s;
  long pid;
  long lPlaceHolder;
  std::string sPlaceHolder;

  /// Store current process pid for more efficient API use.
  auto currentPid = GetCurrentProcessId();

  s = result.GetLong("ProcessId", pid);
  r["pid"] = s.ok() ? BIGINT(pid) : BIGINT(-1);

  long uid = -1;
  long gid = -1;
  HANDLE hProcess = nullptr;
  if (pid == currentPid) {
    hProcess = GetCurrentProcess();
  } else {
    hProcess =
        OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, false, pid);
  }

  if (GetLastError() == ERROR_ACCESS_DENIED) {
    uid = 0;
    gid = 0;
  }

  result.GetString("Name", r["name"]);
  result.GetString("ExecutablePath", r["path"]);
  result.GetString("CommandLine", r["cmdline"]);
  result.GetString("ExecutionState", r["state"]);
  result.GetLong("ParentProcessId", lPlaceHolder);
  r["parent"] = BIGINT(lPlaceHolder);
  result.GetLong("Priority", lPlaceHolder);
  r["nice"] = INTEGER(lPlaceHolder);
  r["on_disk"] = osquery::pathExists(r["path"]).toString();
  result.GetLong("ThreadCount", lPlaceHolder);
  r["threads"] = INTEGER(lPlaceHolder);

  std::vector<char> fileName(MAX_PATH);
  fileName.assign(MAX_PATH + 1, '\0');
  if (pid == currentPid) {
    GetModuleFileName(nullptr, fileName.data(), MAX_PATH);
  } else {
    GetModuleFileNameEx(hProcess, nullptr, fileName.data(), MAX_PATH);
  }
  r["cwd"] = SQL_TEXT(fileName.data());
  r["root"] = r["cwd"];

  r["pgroup"] = "-1";
  r["euid"] = "-1";
  r["suid"] = "-1";
  r["egid"] = "-1";
  r["sgid"] = "-1";

  FILETIME createTime;
  FILETIME exitTime;
  FILETIME kernelTime;
  FILETIME userTime;
  auto procRet =
      GetProcessTimes(hProcess, &createTime, &exitTime, &kernelTime, &userTime);
  if (procRet == FALSE) {
    r["user_time"] = BIGINT(-1);
    r["system_time"] = BIGINT(-1);
    r["start_time"] = BIGINT(-1);
  } else {
    // Windows stores proc times in 100 nanosecond ticks
    ULARGE_INTEGER utime;
    utime.HighPart = userTime.dwHighDateTime;
    utime.LowPart = userTime.dwLowDateTime;
    r["user_time"] = BIGINT(utime.QuadPart / 10000000);
    utime.HighPart = kernelTime.dwHighDateTime;
    utime.LowPart = kernelTime.dwLowDateTime;
    r["system_time"] = BIGINT(utime.QuadPart / 10000000);
    r["start_time"] = BIGINT(osquery::filetimeToUnixtime(createTime));
  }

  result.GetString("PrivatePageCount", sPlaceHolder);
  r["wired_size"] = BIGINT(sPlaceHolder);
  result.GetString("WorkingSetSize", sPlaceHolder);
  r["resident_size"] = sPlaceHolder;
  result.GetString("VirtualSize", sPlaceHolder);
  r["total_size"] = BIGINT(sPlaceHolder);

  /// Get the process UID and GID from its SID
  HANDLE tok = nullptr;
  std::vector<char> tokOwner(sizeof(TOKEN_OWNER), 0x0);
  auto ret = OpenProcessToken(hProcess, TOKEN_READ, &tok);
  if (ret != 0 && tok != nullptr) {
    unsigned long tokOwnerBuffLen;
    ret = GetTokenInformation(tok, TokenUser, nullptr, 0, &tokOwnerBuffLen);
    if (ret == 0 && GetLastError() == ERROR_INSUFFICIENT_BUFFER) {
      tokOwner.resize(tokOwnerBuffLen);
      ret = GetTokenInformation(
          tok, TokenUser, tokOwner.data(), tokOwnerBuffLen, &tokOwnerBuffLen);
    }

    // Check if the process is using an elevated token
    auto elevated = FALSE;
    TOKEN_ELEVATION Elevation;
    DWORD cbSize = sizeof(TOKEN_ELEVATION);
    if (GetTokenInformation(
            tok, TokenElevation, &Elevation, sizeof(Elevation), &cbSize)) {
      elevated = Elevation.TokenIsElevated;
    }

    r["is_elevated_token"] = elevated ? INTEGER(1) : INTEGER(0);
  }
  if (uid != 0 && ret != 0 && !tokOwner.empty()) {
    auto sid = PTOKEN_OWNER(tokOwner.data())->Owner;
    r["uid"] = INTEGER(getUidFromSid(sid));
    r["gid"] = INTEGER(getGidFromSid(sid));
  } else {
    r["uid"] = INTEGER(uid);
    r["gid"] = INTEGER(gid);
  }

  if (hProcess != nullptr) {
    CloseHandle(hProcess);
  }
  if (tok != nullptr) {
    CloseHandle(tok);
    tok = nullptr;
  }
  results_data.push_back(r);
}