Added a docs site (Velocidex#2)

More work in advance of publishing
predictiple · Apr 5, 2024 · 4a9109a · 4a9109a
1 parent 35a545d
commit 4a9109a
Show file tree

Hide file tree

Showing 36 changed files with 960 additions and 290 deletions.
diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml
@@ -0,0 +1,43 @@
+name: github pages
+
+on:
+  push:
+    branches:
+      - master  # Set a branch to deploy
+  pull_request:
+
+jobs:
+  deploy:
+    runs-on: ubuntu-20.04
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          submodules: true  # Fetch Hugo themes (true OR recursive)
+          fetch-depth: 0    # Fetch all history for .GitInfo and .Lastmod
+
+      - uses: actions/setup-go@v3
+        with:
+          go-version: '^1.20'
+
+      - run: go version
+
+      - name: Setup Hugo
+        uses: peaceiris/actions-hugo@v2
+        with:
+          hugo-version: 'latest'
+          extended: true
+
+      - name: Prepare
+        run: |
+          make all recmd artifact
+          cp output/*.zip docs/static/
+
+      - name: Build
+        run: cd docs/ && hugo --minify
+
+      - name: Deploy
+        uses: peaceiris/actions-gh-pages@v3
+        if: github.ref == 'refs/heads/master'
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          publish_dir: ./docs/public
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -0,0 +1,34 @@
+name: Test generated artifacts
+
+on: [pull_request]
+
+jobs:
+  build:
+    name: Registry Hunter Test
+    runs-on: ubuntu-latest
+    steps:
+
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version: '^1.20'
+      id: go
+
+    - name: Check out code
+      uses: actions/checkout@v3
+      with:
+        submodules: recursive
+
+    - name: Build artifacts
+      run: |
+        make all recmd artifact
+
+    - name: Run tests
+      run: |
+        make test
+
+    - uses: actions/upload-artifact@v3
+      if: always()
+      with:
+        name: output
+        path: output
diff --git a/.gitignore b/.gitignore
@@ -1 +1,2 @@
-reghunter
+reghunter
+output/
diff --git a/Makefile b/Makefile
@@ -7,3 +7,7 @@ recmd:
 
 artifact:
 	./reghunter compile --output output/Windows.Registry.Hunter.yaml Rules/*.yaml
+	./reghunter compile --make_zip --output output/Windows.Registry.Hunter.zip Rules/*.yaml
+
+test:
+	cd tests && make test
diff --git a/RECmd_Batch/BatchExampleWildCard.reb b/RECmd_Batch/BatchExampleWildCard.reb
@@ -1,6 +1,7 @@
 Description: test example
 Author: Eric Zimmerman
 Version: 1
+Disabled: true
 Id: ab13eb5f-32db-3cdc-33df-88ec84dc7a
 Keys:
     -

diff --git a/RECmd_Batch/BinaryIncludeDemo.reb b/RECmd_Batch/BinaryIncludeDemo.reb
@@ -1,6 +1,7 @@
 Description: BinaryInclude demo
 Author: Eric Zimmerman
 Version: 1
+Disabled: true
 Id: 1e144fa4-70ca-478f-b0b9-a148e4ba1b90
 Keys:
     -
@@ -10,6 +11,7 @@ Keys:
         KeyPath: ControlSet001\Control\NetworkSetup2\Interfaces\*\Kernel
         ValueName: CurrentAddress
         IncludeBinary: true
+        # Not actually correct - this is a MAC address
         BinaryConvert: IP
 
 # IncludeBinary: true

diff --git a/RECmd_Batch/Kroll_Batch.reb b/RECmd_Batch/Kroll_Batch.reb
@@ -48,6 +48,12 @@ Preamble:
        then=timestamp(winfiletime=parse_binary(accessor="data", filename=t, struct="uint64") || 0),
        else=timestamp(winfiletime=t || 0))
 
+  - |
+    -- Map from binary integer to a winfiletime - handle both binary encoding and integers
+    LET IP(t) = if(condition=format(format="%T", args=[t,]) =~ "\\[\\]uint8",
+       then=ip(netaddr4_le=parse_binary(accessor="data", filename=t, struct="uint32be") || 0),
+       else=ip(netaddr4_le=t || 0))
+
   - |
     LET GetRawValue(OSPath) = stat(filename=OSPath, accessor="raw_registry").Data.value
 

diff --git a/Rules/RECmdBatch.yaml b/Rules/RECmdBatch.yaml
@@ -62,6 +62,11 @@ Preamble:
   LET FILETIME(t) = if(condition=format(format="%T", args=[t,]) =~ "\\[\\]uint8",
      then=timestamp(winfiletime=parse_binary(accessor="data", filename=t, struct="uint64") || 0),
      else=timestamp(winfiletime=t || 0))
+- |
+  -- Map from binary integer to a winfiletime - handle both binary encoding and integers
+  LET IP(t) = if(condition=format(format="%T", args=[t,]) =~ "\\[\\]uint8",
+     then=ip(netaddr4_le=parse_binary(accessor="data", filename=t, struct="uint32be") || 0),
+     else=ip(netaddr4_le=t || 0))
 - |
   LET GetRawValue(OSPath) = stat(filename=OSPath, accessor="raw_registry").Data.value
 Rules:
@@ -778,18 +783,6 @@ Rules:
   Comment: user assist
   Glob: '*\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\**'
   Root: HKEY_USERS
-- Author: Eric Zimmerman
-  Description: WildCardTest
-  Category: WildCardTest
-  Comment: WildCardTest
-  Glob: ControlSet*\Services\\**
-  Root: HKEY_LOCAL_MACHINE\System
-- Author: Eric Zimmerman
-  Description: demo
-  Category: System Info
-  Glob: ControlSet001\Control\NetworkSetup2\Interfaces\*\Kernel\CurrentAddress
-  Root: HKEY_LOCAL_MACHINE\System
-  Details: x=>ip(netaddr4_le=x.Data)
 - Author: Troy Larson
   Description: User Products InstallProperties
   Category: Installed Software

diff --git a/Rules/Velociraptor-Rules.yaml b/Rules/Velociraptor-Rules.yaml
@@ -11,7 +11,7 @@ Rules:
 - Description: Interface Properties
   Category: System Info
   Glob: CurrentControl*\Services\Tcpip\Parameters\Interfaces\*
-  Root: HKEY_LOCAL_MACHINE\SYSTEM
+  Root: HKEY_LOCAL_MACHINE\System
   Details: |
     x=>FetchKeyValues(OSPath=x.OSPath) + dict(
        LeaseObtainedTime=timestamp(epoch=GetValue(OSPath=x.OSPath + "LeaseObtainedTime")),

diff --git a/bin/compile.go b/bin/compile.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+	"archive/zip"
 	"os"
 
 	"github.com/Velocidex/registry_hunter/compiler"
@@ -14,32 +15,74 @@ var (
 
 	output_artifact = compile_cmd.Flag("output", "Where to write the final artifact").
 			Required().String()
+
+	output_make_zip = compile_cmd.Flag("make_zip", "Produce a ZIP file we can use to hunt").
+			Bool()
 )
 
-func doCompile() error {
-	rules_compiler := compiler.NewCompiler()
+func makeZip(rules_compiler *compiler.Compiler) error {
+	out_fd, err := os.OpenFile(*output_artifact,
+		os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
+	if err != nil {
+		return err
+	}
+	defer out_fd.Close()
+
+	w := zip.NewWriter(out_fd)
+	defer w.Close()
+
+	artifact, err := rules_compiler.Compile()
+	if err != nil {
+		return err
+	}
 
+	f, err := w.Create("Windows.Registry.Hunter.yaml")
+	_, err = f.Write([]byte(artifact))
+	if err != nil {
+		return err
+	}
+
+	f, err = w.Create("rules.yml")
+	_, err = f.Write([]byte(rules_compiler.GetRules()))
+	if err != nil {
+		return err
+	}
+
+	return err
+}
+
+func makeFile(rules_compiler *compiler.Compiler) error {
 	out_fd, err := os.OpenFile(*output_artifact,
 		os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
 	if err != nil {
 		return err
 	}
 	defer out_fd.Close()
 
+	artifact, err := rules_compiler.Compile()
+	if err != nil {
+		return err
+	}
+
+	_, err = out_fd.Write([]byte(artifact))
+	return err
+}
+
+func doCompile() error {
+	rules_compiler := compiler.NewCompiler()
+
 	for _, filename := range *compile_yaml {
 		err := rules_compiler.LoadRules(filename)
 		if err != nil {
 			return err
 		}
 	}
 
-	artifact, err := rules_compiler.Compile()
-	if err != nil {
-		return err
+	if *output_make_zip {
+		return makeZip(rules_compiler)
 	}
 
-	_, err = out_fd.Write([]byte(artifact))
-	return err
+	return makeFile(rules_compiler)
 }
 
 func init() {