From 2bf31f331154f75731f02734d97a064edfb47a8d Mon Sep 17 00:00:00 2001
From: Oleg Dolgov
Date: Mon, 25 May 2020 19:17:11 +0300
Subject: [PATCH] build sleuthkit under windows (#6445)

---
 CMakeLists.txt                                |   2 +-
 .../cmake/source/sleuthkit/CMakeLists.txt     |  37 ++-
 .../sleuthkit/config/windows/tsk/tsk_config.h | 283 ++++++++++++++++++
 osquery/tables/CMakeLists.txt                 |   2 +-
 specs/CMakeLists.txt                          |   6 +-
 tests/integration/tables/CMakeLists.txt       |   6 +-
 6 files changed, 315 insertions(+), 21 deletions(-)
 create mode 100644 libraries/cmake/source/sleuthkit/config/windows/tsk/tsk_config.h

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 8c6c69fb5df..93df22408c1 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -117,7 +117,7 @@ function(importLibraries)
     "Linux,Darwin:popt"
     "Linux,Darwin,Windows:rapidjson"
     "Linux,Darwin,Windows:rocksdb"
-    "Linux,Darwin:sleuthkit"
+    "Linux,Darwin,Windows:sleuthkit"
     "Linux,Darwin:smartmontools"
     "Linux,Darwin,Windows:sqlite"
     "Linux,Darwin:ssdeep-cpp"
diff --git a/libraries/cmake/source/sleuthkit/CMakeLists.txt b/libraries/cmake/source/sleuthkit/CMakeLists.txt
index a20f1f37e86..14b0e9190d7 100644
--- a/libraries/cmake/source/sleuthkit/CMakeLists.txt
+++ b/libraries/cmake/source/sleuthkit/CMakeLists.txt
@@ -5,11 +5,6 @@
 # the LICENSE file found in the root directory of this source tree.
 
 function(sleuthkitMain)
-  if(NOT DEFINED PLATFORM_LINUX AND NOT DEFINED PLATFORM_MACOS)
-    add_osquery_library(thirdparty_sleuthkit INTERFACE)
-    return()
-  endif()
-
   set(library_root "${CMAKE_CURRENT_SOURCE_DIR}/src")
 
   add_library(thirdparty_sleuthkit INTERFACE)
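Review bot: With the early-return stub removed, sleuthkitMain no longer protects itself against platforms it has no config/ directory for; the only gate left is the `"Linux,Darwin,Windows:sleuthkit"` entry in the top-level importLibraries() list, and the two now have to be kept in sync by hand. A one-line comment where the guard used to be would make that coupling visible to the next person adding a platform, e.g. `# Platform gating lives in importLibraries() (top-level CMakeLists.txt); a config/<platform>/ directory must exist for every platform listed there.` The rest of sleuthkitMain continues outside this hunk.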
@@ -133,13 +128,15 @@ function(sleuthkitMain)
     _THREAD_SAFE
   )
 
-  target_compile_options(thirdparty_sleuthkit_c PRIVATE
-    -pthread
-  )
+  if(DEFINED PLATFORM_POSIX)
+    target_compile_options(thirdparty_sleuthkit_c PRIVATE
+      -pthread
+    )
 
-  target_compile_options(thirdparty_sleuthkit_cpp PRIVATE
-    -pthread
-  )
+    target_compile_options(thirdparty_sleuthkit_cpp PRIVATE
+      -pthread
+    )
+  endif()
 
   target_link_libraries(thirdparty_sleuthkit_c PUBLIC
     thirdparty_zlib
@@ -157,7 +154,17 @@ function(sleuthkitMain)
     thirdparty_cxx_settings
   )
 
-  if(DEFINED PLATFORM_LINUX)
+  if(DEFINED PLATFORM_WINDOWS)
+    target_include_directories(thirdparty_sleuthkit_c PRIVATE
+      "${CMAKE_CURRENT_SOURCE_DIR}/config/windows/tsk"
+      "${CMAKE_CURRENT_SOURCE_DIR}/config/windows"
+    )
+
+    target_include_directories(thirdparty_sleuthkit_cpp PRIVATE
+      "${CMAKE_CURRENT_SOURCE_DIR}/config/windows/tsk"
+      "${CMAKE_CURRENT_SOURCE_DIR}/config/windows"
+    )
+  elseif(DEFINED PLATFORM_LINUX)
     target_include_directories(thirdparty_sleuthkit_c PRIVATE
       "${CMAKE_CURRENT_SOURCE_DIR}/config/linux/tsk"
       "${CMAKE_CURRENT_SOURCE_DIR}/config/linux"
@@ -187,7 +194,11 @@ function(sleuthkitMain)
     "${library_root}"
   )
 
-  if(DEFINED PLATFORM_LINUX)
+  if(DEFINED PLATFORM_WINDOWS)
+    target_include_directories(thirdparty_sleuthkit SYSTEM INTERFACE
+      "${CMAKE_CURRENT_SOURCE_DIR}/config/windows"
+    )
+  elseif(DEFINED PLATFORM_LINUX)
     target_include_directories(thirdparty_sleuthkit SYSTEM INTERFACE
       "${CMAKE_CURRENT_SOURCE_DIR}/config/linux"
     )
diff --git a/libraries/cmake/source/sleuthkit/config/windows/tsk/tsk_config.h b/libraries/cmake/source/sleuthkit/config/windows/tsk/tsk_config.h
new file mode 100644
index 00000000000..79bce229b6e
--- /dev/null
+++ b/libraries/cmake/source/sleuthkit/config/windows/tsk/tsk_config.h
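Review bot: Gating `-pthread` on PLATFORM_POSIX is the right fix for MSVC, but `_THREAD_SAFE` at the top of this hunk stays defined on every platform while the new Windows tsk_config.h leaves `HAVE_PTHREAD` undefined, so it is worth confirming which threading mode the Windows build of TSK actually ends up in. As far as I recall TSK only compiles its image-cache and directory-cache locks when `TSK_MULTITHREAD_LIB` is defined (using Win32 critical sections under `TSK_WIN32`), and the compile-definitions list that would show whether it is set here is cut off above the hunk; osquery presumably drives these tables from several worker threads, so silently lock-free TSK would be a data-race risk rather than a build error. If it is not defined for Windows, add it to the definitions, and a comment such as `# Windows: TSK uses Win32 locking (TSK_MULTITHREAD_LIB), no -pthread needed` in the new `if()` would record the intent.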
@@ -0,0 +1,283 @@ +/* tsk/tsk_config.h. Generated from tsk_config.h.in by configure. */ +/* tsk/tsk_config.h.in. Generated from configure.ac by autoheader. */ + +/* Define to one of `_getb67', `GETB67', `getb67' for Cray-2 and Cray-YMP + systems. This function is required for `alloca.c' support on those systems. + */ +/* #undef CRAY_STACKSEG_END */ + +/* Define to 1 if using `alloca.c'. */ +/* #undef C_ALLOCA */ + +/* Define to 1 if you have the header file. */ +/* #undef HAVE_AFFLIB_AFFLIB_H */ + +/* Define to 1 if you have `alloca', as a function or macro. */ +#define HAVE_ALLOCA 1 + +/* Define to 1 if you have and it should be used (not on Ultrix). + */ +/* #undef HAVE_ALLOCA_H */ + +/* Define to 1 if you have the header file. */ +/* #undef HAVE_DLFCN_H */ + +/* Define to 1 if you don't have `vprintf' but do have `_doprnt.' */ +/* #undef HAVE_DOPRNT */ + +/* Define to 1 if you have the `err' function. */ +/* #undef HAVE_ERR */ + +/* Define to 1 if you have the `errx' function. */ +/* #undef HAVE_ERRX */ + +/* Define to 1 if you have the header file. */ +/* #undef HAVE_ERR_H */ + +/* Define to 1 if fseeko (and presumably ftello) exists and is declared. */ +/* #undef HAVE_FSEEKO */ + +/* Define to 1 if you have the `getline' function. */ +/* #undef HAVE_GETLINE */ + +/* Define to 1 if you have the `getrusage' function. */ +/* #undef HAVE_GETRUSAGE */ + +/* Define to 1 if you have the header file. */ +#define HAVE_INTTYPES_H 1 + +/* Define to 1 if you have the `ishexnumber' function. */ +/* #undef HAVE_ISHEXNUMBER */ + +/* Define to 1 if you have the `afflib' library (-lafflib). */ +/* #undef HAVE_LIBAFFLIB */ + +/* Define to 1 if you have the `dl' library (-ldl). */ +/* #undef HAVE_LIBDL */ + +/* Define to 1 if you have the `ewf' library (-lewf). */ +/* #undef HAVE_LIBEWF */ + +/* Define to 1 if you have the header file. */ +/* #undef HAVE_LIBEWF_H */ + +/* Define to 1 if you have the `pq' library (-lpq). */ +/* #undef HAVE_LIBPQ */ + +/* Define if using libpq. 
*/ +/* #undef HAVE_LIBPQ_ */ + +/* Define to 1 if you have the header file. */ +/* #undef HAVE_LIBPQ_FE_H */ + +/* Define to 1 if you have the `sqlite3' library (-lsqlite3). */ +#define HAVE_LIBSQLITE3 1 + +/* Define to 1 if you have the `stdc++' library (-lstdc++). */ +/* #undef HAVE_LIBSTDC__ */ + +/* Define to 1 if you have the `vhdi' library (-lvhdi). */ +/* #undef HAVE_LIBVHDI */ + +/* Define to 1 if you have the header file. */ +/* #undef HAVE_LIBVHDI_H */ + +/* Define to 1 if you have the `vmdk' library (-lvmdk). */ +/* #undef HAVE_LIBVMDK */ + +/* Define to 1 if you have the header file. */ +/* #undef HAVE_LIBVMDK_H */ + +/* Define to 1 if you have the `z' library (-lz). */ +#define HAVE_LIBZ 1 + +/* Define to 1 if you have the header file. */ +/* #undef HAVE_LIST */ + +/* Define to 1 if `lstat' has the bug that it succeeds when given the + zero-length file name argument. */ +/* #undef HAVE_LSTAT_EMPTY_STRING_BUG */ + +/* Define to 1 if you have the header file. */ +/* #undef HAVE_MAP */ + +/* Define to 1 if you have the header file. */ +#define HAVE_MEMORY_H 1 + +/* Define to 1 if you have the header file. */ +/* #undef HAVE_POSTGRESQL_LIBPQ_FE_H */ + +/* Define if you have POSIX threads libraries and header files. */ +/* #undef HAVE_PTHREAD */ + +/* Define to 1 if you have the header file. */ +#define HAVE_QUEUE 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_SET 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_SQLITE3_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_STACK 1 + +/* Define to 1 if stdbool.h conforms to C99. */ +#define HAVE_STDBOOL_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_STDINT_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_STDLIB_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_STREAMBUF 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_STRING 1 + +/* Define to 1 if you have the header file. 
*/ +#define HAVE_STRINGS_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_STRING_H 1 + +/* Define to 1 if you have the `strlcat' function. */ +/* #undef HAVE_STRLCAT */ + +/* Define to 1 if you have the `strlcpy' function. */ +/* #undef HAVE_STRLCPY */ + +/* Define to 1 if you have the header file. */ +/* #undef HAVE_SYS_PARAM_H */ + +/* Define to 1 if you have the header file. */ +/* #undef HAVE_SYS_RESOURCE_H */ + +/* Define to 1 if you have the header file. */ +/* #undef HAVE_SYS_SELECT_H */ + +/* Define to 1 if you have the header file. */ +/* #undef HAVE_SYS_SOCKET_H */ + +/* Define to 1 if you have the header file. */ +#define HAVE_SYS_STAT_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_SYS_TYPES_H 1 + +/* Define to 1 if you have the header file. */ +/* #undef HAVE_UNISTD_H 1 */ + +/* Define to 1 if you have the header file. */ +/* #undef HAVE_UTIME_H */ + +/* Define to 1 if `utime(file, NULL)' sets file's timestamp to the present. */ +/* #undef HAVE_UTIME_NULL */ + +/* Define to 1 if you have the `vasprintf' function. */ +#define HAVE_VASPRINTF 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_VECTOR 1 + +/* Define to 1 if you have the `vprintf' function. */ +#define HAVE_VPRINTF 1 + +/* Define to 1 if you have the `warn' function. */ +/* #undef HAVE_WARN */ + +/* Define to 1 if you have the `warnx' function. */ +/* #undef HAVE_WARNX */ + +/* Define to 1 if you have the header file. */ +#define HAVE_ZLIB_H 1 + +/* Define to 1 if the system has the type `_Bool'. */ +#define HAVE__BOOL 1 + +/* Define to 1 if `lstat' dereferences a symlink specified with a trailing + slash. */ +/* #undef LSTAT_FOLLOWS_SLASHED_SYMLINK */ + +/* Define to the sub-directory where libtool stores uninstalled libraries. */ +#define LT_OBJDIR ".libs/" + +/* Name of package */ +#define PACKAGE "sleuthkit" + +/* Define to the address where bug reports for this package should be sent. 
*/ +#define PACKAGE_BUGREPORT "" + +/* Define to the full name of this package. */ +#define PACKAGE_NAME "sleuthkit" + +/* Define to the full name and version of this package. */ +#define PACKAGE_STRING "sleuthkit 4.6.1" + +/* Define to the one symbol short name of this package. */ +#define PACKAGE_TARNAME "sleuthkit" + +/* Define to the home page for this package. */ +#define PACKAGE_URL "" + +/* Define to the version of this package. */ +#define PACKAGE_VERSION "4.6.1" + +/* Define to necessary symbol if this constant uses a non-standard name on + your system. */ +/* #undef PTHREAD_CREATE_JOINABLE */ + +/* Define to the type of arg 1 for `select'. */ +#define SELECT_TYPE_ARG1 int + +/* Define to the type of args 2, 3 and 4 for `select'. */ +#define SELECT_TYPE_ARG234 (fd_set *) + +/* Define to the type of arg 5 for `select'. */ +#define SELECT_TYPE_ARG5 (struct timeval *) + +/* If using the C implementation of alloca, define if you know the + direction of stack growth for your system; otherwise it will be + automatically deduced at runtime. + STACK_DIRECTION > 0 => grows toward higher addresses + STACK_DIRECTION < 0 => grows toward lower addresses + STACK_DIRECTION = 0 => direction of growth unknown */ +/* #undef STACK_DIRECTION */ + +/* Define to 1 if you have the ANSI C header files. */ +#define STDC_HEADERS 1 + +/* Version number of package */ +#define VERSION "4.6.1" + +/* Enable large inode numbers on Mac OS X 10.5. */ +/*#undef _DARWIN_USE_64_BIT_INODE */ + +/* Number of bits in a file offset, on hosts where this is settable. */ +/* #undef _FILE_OFFSET_BITS */ + +/* Define to 1 to make fseeko visible on some hosts (e.g. glibc 2.2). */ +/* #undef _LARGEFILE_SOURCE */ + +/* Define for large files, on AIX-style hosts. */ +/* #undef _LARGE_FILES */ + +/* Define to empty if `const' does not conform to ANSI C. */ +/* #undef const */ + +/* Define to `int' if doesn't define. */ +/* #undef gid_t */ + +/* Define to `int' if does not define. 
 */
+/* #undef mode_t */
+
+/* Define to `long int' if does not define. */
+/* #undef off_t */
+
+/* Define to `unsigned int' if does not define. */
+/* #undef size_t */
+
+/* Define to `int' if doesn't define. */
+/* #undef uid_t */
diff --git a/osquery/tables/CMakeLists.txt b/osquery/tables/CMakeLists.txt
index 8bc77dbcdfc..9b4417031e8 100644
--- a/osquery/tables/CMakeLists.txt
+++ b/osquery/tables/CMakeLists.txt
@@ -25,7 +25,6 @@ function(generateOsqueryTablesTableimplementations)
 
   if(DEFINED PLATFORM_POSIX)
     target_link_libraries(osquery_tables_tableimplementations INTERFACE
-      osquery_tables_sleuthkit_sleuthkittable
       osquery_tables_yara_yaratable
       osquery_tables_lldpd_llpdtable
     )
@@ -56,6 +55,7 @@ function(generateOsqueryTablesTableimplementations)
     osquery_tables_networking
     osquery_tables_system_systemtable
     osquery_tables_utility_utilitytable
+    osquery_tables_sleuthkit_sleuthkittable
   )
 endfunction()
 
diff --git a/specs/CMakeLists.txt b/specs/CMakeLists.txt
index f40826dfedc..567ac21607d 100644
--- a/specs/CMakeLists.txt
+++ b/specs/CMakeLists.txt
@@ -240,9 +240,9 @@ function(generateNativeTables)
     "posix/usb_devices.table:linux,macos"
     "posix/user_events.table:linux,macos,freebsd"
     "posix/yum_sources.table:linux,macos,freebsd"
-    "sleuthkit/device_file.table:linux,macos,freebsd"
-    "sleuthkit/device_hash.table:linux,macos,freebsd"
-    "sleuthkit/device_partitions.table:linux,macos,freebsd"
+    "sleuthkit/device_file.table:linux,macos,freebsd,windows"
+    "sleuthkit/device_hash.table:linux,macos,freebsd,windows"
+    "sleuthkit/device_partitions.table:linux,macos,freebsd,windows"
     "smart/smart_drive_info.table:linux,macos"
     "user_groups.table:linux,macos,windows"
     "windows/bitlocker_info.table:windows"
diff --git a/tests/integration/tables/CMakeLists.txt b/tests/integration/tables/CMakeLists.txt
index ca81241ba53..e27c0669209 100644
--- a/tests/integration/tables/CMakeLists.txt
+++ b/tests/integration/tables/CMakeLists.txt
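Review bot: Several hand-set values in this checked-in Windows config look wrong for the MSVC CRT and should be checked against what the vendored TSK sources actually consume: `#define HAVE_VASPRINTF 1` (MSVC has no vasprintf, as far as I know) and `#define HAVE_STRINGS_H 1` (no <strings.h> on MSVC) are only harmless if no translation unit takes those branches, and `/* #undef HAVE_UNISTD_H 1 */` carries a stray `1` inside the comment that reads like a half-finished edit. `HAVE_PTHREAD` is correctly left undefined, which means TSK's locking mode on Windows is decided entirely by the compile definitions in the sleuthkit CMakeLists.txt rather than by this header. `PACKAGE_VERSION "4.6.1"` is typed in by hand here and must stay identical to the version of the vendored src/ tree (not visible in this patch), otherwise anyone tracking CVEs against the bundled TSK is misled. A short header comment stating that this file was produced by hand for MSVC (presumably from the Linux config) rather than by running configure would help whoever has to regenerate it on the next TSK bump.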
@@ -69,6 +69,9 @@ function(generateTestsIntegrationTablesTestsTest)
     users.cpp
     ssh_configs.cpp
     user_ssh_keys.cpp
+    device_file.cpp
+    device_hash.cpp
+    device_partitions.cpp
   )
 
   if(DEFINED PLATFORM_POSIX)
@@ -80,9 +83,6 @@ function(generateTestsIntegrationTablesTestsTest)
     block_devices.cpp
     cpu_time.cpp
     crontab.cpp
-    device_file.cpp
-    device_hash.cpp
-    device_partitions.cpp
     disk_encryption.cpp
     dns_resolvers.cpp
     docker_container_labels.cpp
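Review bot: Moving device_file.cpp, device_hash.cpp and device_partitions.cpp into the unconditional list means these integration tests now also run on Windows, where reading raw devices for TSK is presumably only possible from an elevated process; whether the tests tolerate an empty result when not elevated is not visible here. If they assert on returned rows, gate those assertions on the process privilege, or at least record the expectation with a comment next to the three entries, e.g. `# sleuthkit tables: raw device access, expect empty results when not elevated on Windows`. The enclosing function continues outside the hunk.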