void genInterfaceDetail(const WmiResultItem& adapter, QueryData& results) {
Row r;
long lPlaceHolder;
bool bPlaceHolder;
std::vector<std::string> vPlaceHolder;
unsigned __int64 ulPlaceHolder;
r["interface"] = INTEGER(lPlaceHolder);
adapter.GetString("MACAddress", r["mac"]);
adapter.GetString("AdapterType", r["type"]);
adapter.GetString("Description", r["description"]);
adapter.GetLong("InterfaceIndex", lPlaceHolder);
adapter.GetString("Manufacturer", r["manufacturer"]);
adapter.GetString("NetConnectionID", r["connection_id"]);
adapter.GetLong("NetConnectionStatus", lPlaceHolder);
r["connection_status"] = INTEGER(lPlaceHolder);
adapter.GetBool("NetEnabled", bPlaceHolder);
r["enabled"] = INTEGER(bPlaceHolder);
adapter.GetBool("PhysicalAdapter", bPlaceHolder);
r["physical_adapter"] = INTEGER(bPlaceHolder);
adapter.GetUnsignedLongLong("Speed", ulPlaceHolder);
r["speed"] = INTEGER(ulPlaceHolder);
std::string query =
"SELECT * FROM win32_networkadapterconfiguration WHERE "
"InterfaceIndex = " +
r["interface"];
WmiRequest irequest(query);
if (irequest.getStatus().ok()) {
auto& iresults = irequest.results();
iresults[0].GetLong("MTU", lPlaceHolder);
r["mtu"] = INTEGER(lPlaceHolder);
iresults[0].GetBool("DHCPEnabled", bPlaceHolder);
r["dhcp_enabled"] = INTEGER(bPlaceHolder);
iresults[0].GetString("DHCPLeaseExpires", r["dhcp_lease_expires"]);
iresults[0].GetString("DHCPLeaseObtained", r["dhcp_lease_obtained"]);
iresults[0].GetString("DHCPServer", r["dhcp_server"]);
iresults[0].GetString("DNSDomain", r["dns_domain"]);
iresults[0].GetVectorOfStrings("DNSDomainSuffixSearchOrder", vPlaceHolder);
r["dns_domain_suffix_search_order"] =
SQL_TEXT(boost::algorithm::join(vPlaceHolder, ", "));
iresults[0].GetString("DNSHostName", r["dns_host_name"]);
iresults[0].GetVectorOfStrings("DNSServerSearchOrder", vPlaceHolder);
r["dns_server_search_order"] =
SQL_TEXT(boost::algorithm::join(vPlaceHolder, ", "));
}
results.push_back(r);
}
Row getHPBiosInfo(WmiResultItem& item) {
Row r;
std::string value;
boost::smatch matches;
item.GetString("Name", r["name"]);
item.GetString("Value", value);
if (boost::regex_search(value, matches, kHPBiosSettingRegex)) {
r["value"] = std::string(matches[1]);
} else {
r["value"] = value;
}
return r;
}
Row getLenovoBiosInfo(WmiResultItem& item) {
Row r;
std::string currentSetting;
std::vector<std::string> settings;
item.GetString("CurrentSetting", currentSetting);
settings = osquery::split(currentSetting, ",");
if (settings.size() != 2) {
return r;
}
r["name"] = settings[0];
r["value"] = settings[1];
return r;
}
Row getDellBiosInfo(WmiResultItem& item) {
Row r;
std::vector<std::string> vCurrentValue;
std::vector<std::string> vPossibleValues;
std::vector<std::string> vPossibleValuesDescription;
item.GetString("AttributeName", r["name"]);
item.GetVectorOfStrings("CurrentValue", vCurrentValue);
item.GetVectorOfStrings("PossibleValues", vPossibleValues);
item.GetVectorOfStrings("PossibleValuesDescription",
vPossibleValuesDescription);
if (vCurrentValue.size() == 1 && !vPossibleValues.empty()) {
auto pos = std::find(
vPossibleValues.begin(), vPossibleValues.end(), vCurrentValue[0]);
if (pos != vPossibleValues.end()) {
r["value"] = vPossibleValuesDescription[pos - vPossibleValues.begin()];
} else {
r["value"] = "N/A";
}
} else if (vCurrentValue.size() > 1) {
std::ostringstream oValueConcat;
std::copy(vCurrentValue.begin(),
vCurrentValue.end() - 1,
std::ostream_iterator<std::string>(oValueConcat, ","));
oValueConcat << vCurrentValue.back();
r["value"] = oValueConcat.str();
} else {
r["value"] = "N/A";
}
return r;
}
void genProcess(const WmiResultItem& result, QueryData& results_data) {
Row r;
Status s;
long pid;
long lPlaceHolder;
std::string sPlaceHolder;
/// Store current process pid for more efficient API use.
auto currentPid = GetCurrentProcessId();
s = result.GetLong("ProcessId", pid);
r["pid"] = s.ok() ? BIGINT(pid) : BIGINT(-1);
long uid = -1;
long gid = -1;
HANDLE hProcess = nullptr;
if (pid == currentPid) {
hProcess = GetCurrentProcess();
} else {
hProcess =
OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, false, pid);
}
if (GetLastError() == ERROR_ACCESS_DENIED) {
uid = 0;
gid = 0;
}
result.GetString("Name", r["name"]);
result.GetString("ExecutablePath", r["path"]);
result.GetString("CommandLine", r["cmdline"]);
result.GetString("ExecutionState", r["state"]);
result.GetLong("ParentProcessId", lPlaceHolder);
r["parent"] = BIGINT(lPlaceHolder);
result.GetLong("Priority", lPlaceHolder);
r["nice"] = INTEGER(lPlaceHolder);
r["on_disk"] = osquery::pathExists(r["path"]).toString();
result.GetLong("ThreadCount", lPlaceHolder);
r["threads"] = INTEGER(lPlaceHolder);
std::vector<char> fileName(MAX_PATH);
fileName.assign(MAX_PATH + 1, '\0');
if (pid == currentPid) {
GetModuleFileName(nullptr, fileName.data(), MAX_PATH);
} else {
GetModuleFileNameEx(hProcess, nullptr, fileName.data(), MAX_PATH);
}
r["cwd"] = SQL_TEXT(fileName.data());
r["root"] = r["cwd"];
r["pgroup"] = "-1";
r["euid"] = "-1";
r["suid"] = "-1";
r["egid"] = "-1";
r["sgid"] = "-1";
FILETIME createTime;
FILETIME exitTime;
FILETIME kernelTime;
FILETIME userTime;
auto procRet =
GetProcessTimes(hProcess, &createTime, &exitTime, &kernelTime, &userTime);
if (procRet == FALSE) {
r["user_time"] = BIGINT(-1);
r["system_time"] = BIGINT(-1);
r["start_time"] = BIGINT(-1);
} else {
// Windows stores proc times in 100 nanosecond ticks
ULARGE_INTEGER utime;
utime.HighPart = userTime.dwHighDateTime;
utime.LowPart = userTime.dwLowDateTime;
r["user_time"] = BIGINT(utime.QuadPart / 10000000);
utime.HighPart = kernelTime.dwHighDateTime;
utime.LowPart = kernelTime.dwLowDateTime;
r["system_time"] = BIGINT(utime.QuadPart / 10000000);
r["start_time"] = BIGINT(osquery::filetimeToUnixtime(createTime));
}
result.GetString("PrivatePageCount", sPlaceHolder);
r["wired_size"] = BIGINT(sPlaceHolder);
result.GetString("WorkingSetSize", sPlaceHolder);
r["resident_size"] = sPlaceHolder;
result.GetString("VirtualSize", sPlaceHolder);
r["total_size"] = BIGINT(sPlaceHolder);
/// Get the process UID and GID from its SID
HANDLE tok = nullptr;
std::vector<char> tokOwner(sizeof(TOKEN_OWNER), 0x0);
auto ret = OpenProcessToken(hProcess, TOKEN_READ, &tok);
if (ret != 0 && tok != nullptr) {
unsigned long tokOwnerBuffLen;
ret = GetTokenInformation(tok, TokenUser, nullptr, 0, &tokOwnerBuffLen);
if (ret == 0 && GetLastError() == ERROR_INSUFFICIENT_BUFFER) {
tokOwner.resize(tokOwnerBuffLen);
ret = GetTokenInformation(
tok, TokenUser, tokOwner.data(), tokOwnerBuffLen, &tokOwnerBuffLen);
}
// Check if the process is using an elevated token
auto elevated = FALSE;
TOKEN_ELEVATION Elevation;
DWORD cbSize = sizeof(TOKEN_ELEVATION);
if (GetTokenInformation(
tok, TokenElevation, &Elevation, sizeof(Elevation), &cbSize)) {
elevated = Elevation.TokenIsElevated;
}
r["is_elevated_token"] = elevated ? INTEGER(1) : INTEGER(0);
}
if (uid != 0 && ret != 0 && !tokOwner.empty()) {
auto sid = PTOKEN_OWNER(tokOwner.data())->Owner;
r["uid"] = INTEGER(getUidFromSid(sid));
r["gid"] = INTEGER(getGidFromSid(sid));
} else {
r["uid"] = INTEGER(uid);
r["gid"] = INTEGER(gid);
}
if (hProcess != nullptr) {
CloseHandle(hProcess);
}
if (tok != nullptr) {
CloseHandle(tok);
tok = nullptr;
}
results_data.push_back(r);
}