Rewrite pslist for windows.

Velocidex · Nov 8, 2018 · 90a30cd · 90a30cd
1 parent 6bebfd7
commit 90a30cd
Show file tree

Hide file tree

Showing 44 changed files with 1,592 additions and 1,189 deletions.
diff --git a/Gopkg.lock b/Gopkg.lock
diff --git a/Makefile b/Makefile
@@ -37,14 +37,15 @@ build: required_assets
             -ldflags "$(LDFLAGS)" \
 	    -o output/velociraptor ./bin/
 
-windows: required_assets
+windows: required_assets gui_assets
 ifeq ("$(MINGW_EXISTS)", "")
 	@echo Disabling cgo modules. To enable install $(MINGW_CC)
 endif
 	GOOS=windows GOARCH=amd64 \
         CC=$(CC) CGO_ENABLED=$(CGO_ENABLED) \
             go build \
             -ldflags "$(LDFLAGS)" \
+            -tags release \
 	    -o output/velociraptor.exe ./bin/
 
 # Build using xgo for all supported platforms.

diff --git a/README.md b/README.md
@@ -59,14 +59,14 @@ To learn more about Velociraptor, read about it on our blog:
 
 NOTE: You may omit the --config flag in the following cases:
 
- * If the VELOCIRAPTOR_CONFIG environment variable exists, Velociraptor 
+ * If the VELOCIRAPTOR_CONFIG environment variable exists, Velociraptor
    will read its configuration from there.
- * If you embed the configuration into the binary (using velociraptor 
-   config repack as below), Velociraptor will magically know its own 
-   configuration without reading it from a file at all. 
+ * If you embed the configuration into the binary (using velociraptor
+   config repack as below), Velociraptor will magically know its own
+   configuration without reading it from a file at all.
 
-NOTE: If you embed the server's config into the binary then the binary 
-will have key material in it - this could pose a security issue if the 
+NOTE: If you embed the server's config into the binary then the binary
+will have key material in it - this could pose a security issue if the
 binary itself is leaked. It's OK to embed client config in the client because
 client configs have no secrets.
 
@@ -80,11 +80,11 @@ To create a windows executable:
     ```
    Where velociraptor_windows.exe is the Windows binary release for
    Velociraptor.
-   
-2. If you need to sign the binary, now is the time. The signature will cover 
-   the embedded configuration as well. It is possible to update the embedded 
+
+2. If you need to sign the binary, now is the time. The signature will cover
+   the embedded configuration as well. It is possible to update the embedded
    config but this will invalidate the signature.
-   
+
 2. On a windows system you can now install the service:
     ```bash
     $ my_velociraptor.exe service install
@@ -146,6 +146,21 @@ To build from source, make sure you have a recent Golang installed:
     $ make windows
     ```
 
+If you want to rebuild the protobuf you will need to install protobuf compiler:
+
+   ```
+   $ wget https://github.com/protocolbuffers/protobuf/releases/download/v3.6.1/protoc-3.6.1-linux-x86_64.zip
+   $ unzip protoc-3.6.1-linux-x86_64.zip
+   $ sudo mv include/google/ /usr/include/
+   $ sudo mv bin/protoc /usr/bin/
+   $ go get github.com/golang/protobuf/protoc-gen-go/
+   $ go install github.com/golang/protobuf/protoc-gen-go/
+   $ go get github.com/grpc-ecosystem/grpc-gateway/protoc-gen-grpc-gateway
+   $ go install github.com/grpc-ecosystem/grpc-gateway/protoc-gen-grpc-gateway
+   $ ./make_proto.sh
+   ```
+
+
 ## Getting help
 
 Questions and feedback are welcome at velociraptor-discuss@googlegroups.com

diff --git a/actions/events.go b/actions/events.go
@@ -2,13 +2,13 @@ package actions
 
 import (
 	"context"
-	"log"
 	"sync"
 
 	actions_proto "www.velocidex.com/golang/velociraptor/actions/proto"
 	config "www.velocidex.com/golang/velociraptor/config"
 	crypto_proto "www.velocidex.com/golang/velociraptor/crypto/proto"
 	"www.velocidex.com/golang/velociraptor/events"
+	"www.velocidex.com/golang/velociraptor/logging"
 	"www.velocidex.com/golang/velociraptor/responder"
 )
 
@@ -26,12 +26,10 @@ func (self *UpdateEventTable) Run(
 		return
 	}
 
-	logger := log.New(&LogWriter{responder}, "", log.Lshortfile)
-
 	// Make a new table.
 	table, err := events.Update(responder, arg)
 	if err != nil {
-		logger.Printf("Error updating global event table: %v", err)
+		responder.Log("Error updating global event table: %v", err)
 	}
 
 	// Make a context for the VQL query.
@@ -45,21 +43,36 @@ func (self *UpdateEventTable) Run(
 		}
 	}()
 
+	logger := logging.NewLogger(config)
+
 	// Start a new query for each event.
 	action_obj := &VQLClientAction{}
-
 	var wg sync.WaitGroup
 	wg.Add(len(table.Events))
 
 	for _, event := range table.Events {
 		go func(event *actions_proto.VQLCollectorArgs) {
 			defer wg.Done()
 
+			name := ""
+			for _, q := range event.Query {
+				if q.Name != "" {
+					name = q.Name
+				}
+			}
+
+			logger.Info("Starting %s\n", name)
 			action_obj.StartQuery(
 				config, new_ctx, responder, event)
+
+			logger.Info("Finished %s\n", name)
 		}(event)
 	}
 
+	// Return an OK status. This is needed to make sure the
+	// request is de-queued.
+	responder.Return()
+
 	// Wait here for all queries to finish - this forces the
 	// output channel to be open and allows us to write results to
 	// the server.

diff --git a/actions/proto/actions.pb.go b/actions/proto/actions.pb.go