osquery · muffins · Jan 24, 2020 · Feb 8, 2019 · Feb 8, 2019 · Feb 8, 2019
@@ -254,6 +254,7 @@ osquery_cxx_library(
                 "windows/disk_info.cpp",
                 "windows/drivers.cpp",
                 "windows/groups.cpp",
+                "windows/hvci_status.cpp",
                 "windows/ie_extensions.cpp",
                 "windows/intel_me.cpp",
                 "windows/kernel_info.cpp",

@@ -0,0 +1,59 @@
+#include <algorithm>
+#include <osquery/logger.h>
+#include <osquery/sql.h>
+#include <osquery/system.h>
+#include <osquery/tables.h>
+
+#include "osquery/core/windows/wmi.h"
+#include <osquery/utils/conversions/tryto.h>
+
+namespace osquery {
+namespace tables {
+
+QueryData genHVCIStatus(QueryContext& context) {
+  QueryData results;
+
+  std::vector<std::string> vbs_methods = {"VBS_NOT_ENABLED",
+                                          "VBS_ENABLED_AND_NOT_RUNNING",
+                                          "VBS_ENABLED_AND_RUNNING"};
+
+  std::vector<std::string> enforcement_methods = {
+      "OFF", "AUDIT_MODE", "ENFORCED_MODE"};
+
+  const WmiRequest wmiSystemReq("SELECT * FROM Win32_DeviceGuard",
+                                (BSTR)L"ROOT\\MICROSOFT\\WINDOWS\\DEVICEGUARD");
+  const std::vector<WmiResultItem>& wmiResults = wmiSystemReq.results();
+  if (wmiResults.empty()) {
+    LOG(ERROR) << "Error retreiving information from WMI.";
+    return results;
+  }
+  for (const auto& data : wmiResults) {
+    Row r;
+    data.GetString("Version", r["version"]);
+    data.GetString("InstanceIdentifier", r["instance_identifier"]);
+
+    long vbs_status;
+    data.GetLong("VirtualizationBasedSecurityStatus", vbs_status);
+    r["vbs_status"] =
+        vbs_methods.size() < vbs_status ? vbs_methods[vbs_status] : "UNKNOWN";
+
+    long code_policy_status;
+    data.GetLong("CodeIntegrityPolicyEnforcementStatus", code_policy_status);
+    r["code_integrity_policy_enforcement_status"] =
+        enforcement_methods.size() < code_policy_status
+            ? enforcement_methods[vbs_status]
+            : "UNKNOWN";
+
+    long umci_status;
+    data.GetLong("UsermodeCodeIntegrityPolicyEnforcementStatus", umci_status);
+    r["umci_policy_status"] = enforcement_methods.size() < umci_status
+                                  ? enforcement_methods[umci_status]
+                                  : "UNKNOWN";
+
+    results.push_back(r);
+  }
+  return results;
+}
+} // namespace tables
+} // namespace osquery
+// namespace osquery
@@ -744,6 +744,10 @@ osquery_gentable_cxx_library(
             "windows/authenticode.table",
             "windows",
         ),
+        (
+            "windows/hvci_status.table",
+            "windows",
+        ),        
         (
             "windows/pipes.table",
             "windows",

@@ -0,0 +1,10 @@
+table_name("hvci_status")
+description("Retrieve HVCI info of the machine.")
+schema([
+  Column("version", TEXT, "The version number of the Device Guard build."),
+  Column("instance_identifier", TEXT, "The instance ID of Device Guard."),
+  Column("vbs_status", TEXT, "The status of the virtualization based security settings. Returns UNKNOWN if an error is encountered."),
+  Column("code_integrity_policy_enforcement_status", TEXT, "The status of the code integrity policy enforcement settings. Returns UNKNOWN if an error is encountered."),
+  Column("umci_policy_status", TEXT, "The status of the User Mode Code Integrity security settings. Returns UNKNOWN if an error is encountered."), 
+])
+implementation("system/windows/hvci_status@genHVCIStatus")
@@ -0,0 +1,40 @@
+/**
+ *  Copyright (c) 2014-present, Facebook, Inc.
+ *  All rights reserved.
+ *
+ *  This source code is licensed as defined on the LICENSE file found in the
+ *  root directory of this source tree.
+ */
+
+// Integration test for hvci_status
+// Spec file: specs/windows/hvci_status.table
+
+#include <osquery/tests/integration/tables/helper.h>
+
+namespace osquery {
+namespace table_tests {
+
+class HVCIStatus : public testing::Test {
+ protected:
+  void SetUp() override {
+    setUpEnvironment();
+  }
+};
+
+TEST_F(HVCIStatus, test_sanity) {
+  QueryData data = execute_query("select * from hvci_status");
+
+  ASSERT_GE(data.size(), 1ul);
+
+  ValidatatioMap row_map = {
+      {"version", NonEmptyString},
+      {"instance_identifier", NormalType},
+      {"vbs_status", NonEmptyString},
+      {"code_integrity_policy_enforcement_status", NonEmptyString},
+      {"umci_policy_status", NonEmptyString},
+  };
+  validate_rows(data, row_map);
+}
+
+} // namespace table_tests
+} // namespace osquery