diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 806e7d1..0abd055 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -3,7 +3,7 @@ name: github pages on: push: branches: - - main # Set a branch to deploy + - master # Set a branch to deploy pull_request: jobs: @@ -37,7 +37,7 @@ jobs: - name: Deploy uses: peaceiris/actions-gh-pages@v3 - if: github.ref == 'refs/heads/main' + if: github.ref == 'refs/heads/master' with: github_token: ${{ secrets.GITHUB_TOKEN }} publish_dir: ./docs/public diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 83f9e45..e7eaa68 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -14,9 +14,28 @@ jobs: - name: Check out code into the Go module directory uses: actions/checkout@v3 + - name: Download Latest Velociraptor + uses: robinraju/release-downloader@v1 + id: velociraptor + with: + repository: velocidex/velociraptor + tag: v0.75 + fileName: "velociraptor-v0.75.2-linux-amd64-musl" + out-file-path: tests + + - name: Build artifacts + run: | + make all compile + + - name: Run Velociraptor + run: | + mv ${{ fromJson(steps.velociraptor.outputs.downloaded_files)[0]}} ./tests/velociraptor.bin + chmod +x ./tests/velociraptor.bin + ls -l ./output/ + ./tests/velociraptor.bin artifacts verify --builtin -v ./output/*.yaml + - name: Test shell: bash if: always() run: | - make go test -v ./... diff --git a/Makefile b/Makefile index 8d7ef7f..9b4f774 100644 --- a/Makefile +++ b/Makefile 
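Review bot: The binary fetched by the new `Download Latest Velociraptor` step is executed in `Run Velociraptor` with no integrity check, and the fetching action is pinned only to the movable tag `robinraju/release-downloader@v1`, so both the downloader and the downloaded asset are trusted on name alone while running with whatever credentials the job's checkout leaves available. Pin the action to a full commit SHA (`uses: robinraju/release-downloader@<COMMIT_SHA> # v1`) and verify the download before `chmod +x`, e.g. `echo "<EXPECTED_SHA256>  ./tests/velociraptor.bin" | sha256sum -c -`, with the digest taken from the upstream release. `tag: v0.75` and `fileName: "velociraptor-v0.75.2-linux-amd64-musl"` name different versions, so the step presumably relies on the v0.75 release carrying an asset with the 0.75.2 name — worth confirming rather than discovering as a runtime download failure. The `mv ${{ fromJson(steps.velociraptor.outputs.downloaded_files)[0]}}` line splices a workflow expression straight into the shell script; the conventional form is to expose it on the step as `env: VR_BIN: ${{ fromJson(steps.velociraptor.outputs.downloaded_files)[0] }}` and write `mv "$VR_BIN" ./tests/velociraptor.bin`, so the value is never re-parsed by the shell. The same step also re-implements the Makefile's new `verify` target (next hunk) with the binary under `./tests/` instead of the Makefile's `./testing/`, so the two command lines will drift; invoking `make verify` from the workflow (with the binary path made a Makefile variable) would keep a single definition.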
@@ -8,7 +8,10 @@ windows: go build -o sqlitehunter_compiler.exe ./bin/*.go compile: FORCE - go run ./bin/ compile ./definitions/ ./output/SQLiteHunter.yaml --output_zip ./output/SQLiteHunter.zip --index ./docs/content/docs/rules/index.json + go run ./bin/ compile ./definitions/ ./output/SQLiteHunter.yaml --output_zip ./output/SQLiteHunter.zip --index ./docs/content/docs/rules/index.json && cp ./output/SQLiteHunter.yaml ./docs/static/artifact/ + +verify: compile + ./testing/velociraptor.bin -v artifacts verify ./output/*.yaml --builtin golden: compile ./testing/velociraptor.bin --definitions ./output --config ./testing/test.config.yaml golden --env testFiles=`pwd`/test_files ./testing/testcases -v --filter=${GOLDEN} diff --git a/docs/content/_index.md b/docs/content/_index.md index 53b79ed..288034a 100644 --- a/docs/content/_index.md +++ b/docs/content/_index.md @@ -1,8 +1,9 @@ --- title: SQLiteHunter Site date: 2023-10-15T00:14:44+10:00 +redirect: docs +layout: single +type: redirect --- -# The SQLite Hunter Site - -This project manages the `SQLiteHunter` artifact +Goto [Github](docs) diff --git a/docs/content/docs/_index.md b/docs/content/docs/_index.md index d85640f..fb4585e 100644 --- a/docs/content/docs/_index.md +++ b/docs/content/docs/_index.md 
@@ -1,18 +1,70 @@ --- title: SQLiteHunter Site date: 2023-10-15T00:14:44+10:00 +bookToc: false --- # The Velociraptor SQLiteHunter Site This repository maintains the source for the -Generic.Forensic.SQLiteHunter VQL artifact. This artifact is designed -to be an efficient and mostly automated artifact to analyze and -collect SQLite based artifacts from various applications on the +`Generic.Forensic.SQLiteHunter` VQL artifact. This artifact is +designed to be an efficient and mostly automated artifact to analyze +and collect SQLite based artifacts from various applications on the endpoint. The produced artifact is self contained and can be loaded into Velociraptor (https://docs.velociraptor.app) to hunt quickly and efficiently across a large number of endpoints. -You can download the latest artifact pack [here]( +You can download the latest artifact pack [as a zip +file](/SQLiteHunter.zip), or [as a YAML +file](../artifact/SQLiteHunter.yaml) and add it manually to +Velociraptor. + +## Parameters + +1. **RuleFilter**: If you dont want to run all the rules, you can + filter the ones you need using this regular expression. + +2. **Rules**: Alteratively, the rules may be specified one at the time + using a multi-choice selector. + +3. **MatchFilename**: Rules generally look for SQLite files using + known filenames. If this option is unset, we relay on automatic + detection to identify the filenames (For example, enumerate the + tables in the SQLite file). This makes scanning much slower so by + default this setting is enabled. + +4. **CustomGlob**: Rules default to search for SQLites using known + globs. However, if you have a bunch of SQLite files in a different + location, you may specify the custom glob to search for files. + +5. **DateAfter** and **DateBefore**: These setting allow you to time + box the returned rows to only return items that occurred between + the specified dates. + +6. **FilterRegex**: A filter that applies on the entire row (encoded + as JSON). 
This is very useful to find all relevant rows relating to + a specific item. For example, if you want to know any rows + accessing www.example.com you can specify this filter which will + return records like `Visited links`, `bookmarks`, `favicons` etc. + +7. **SQLITE_ALWAYS_MAKE_TEMPFILE**: By default Velociraptor will make + a temporary copy of the SQLite file before parsing it. This ensure + the file is not locked and can be freely accessed. If this setting + is set to off parsing might be a lot slower as Velociraptor will + have to contend with application locks. There is probably no reason + to disable this. + +8. **AlsoUpload**: This option also uploads the raw SQLite files. + + +## Artifact + +
+
+
+{{< insert "../static/artifact/SQLiteHunter.yaml" >}}
+
+
+
diff --git a/docs/content/docs/github/_index.md b/docs/content/docs/github/_index.md new file mode 100644 index 0000000..00d7061 --- /dev/null +++ b/docs/content/docs/github/_index.md @@ -0,0 +1,10 @@ +--- +title: Github +type: redirect +redirect: https://github.com/Velocidex/SQLiteHunter +layout: single +IconClass: fa-brands fa-github +weight: 30 +--- + +Goto [Github](https://github.com/Velocidex/SQLiteHunter) diff --git a/docs/content/docs/rules/_index.md b/docs/content/docs/rules/_index.md index ff45833..eaa1709 100644 --- a/docs/content/docs/rules/_index.md +++ b/docs/content/docs/rules/_index.md @@ -2,6 +2,7 @@ title: Rules weight: 20 bookToc: false +IconClass: fa-solid fa-book --- # The SQLiteHunter rules diff --git a/docs/content/docs/sqlite_hunter/_index.md b/docs/content/docs/sqlite_hunter/_index.md index 8fb4eb3..d5bccd6 100644 --- a/docs/content/docs/sqlite_hunter/_index.md +++ b/docs/content/docs/sqlite_hunter/_index.md @@ -2,6 +2,7 @@ title: "Velociraptor SQLite Hunter" date: 2024-04-01 weight: 10 +IconClass: fa-solid fa-desktop --- # SQLite Hunter diff --git a/docs/layouts/partials/docs/title.html b/docs/layouts/partials/docs/title.html new file mode 100644 index 0000000..a392d61 --- /dev/null +++ b/docs/layouts/partials/docs/title.html @@ -0,0 +1,22 @@ + +{{ $title := "" }} + +{{ if .LinkTitle }} + {{ $title = .LinkTitle }} +{{ else if .Title }} + {{ $title = .Title }} +{{ else if and .IsSection .File }} + {{ $title = path.Base .File.Dir | humanize | title }} +{{ else if and .IsPage .File }} + {{ $title = .File.BaseFileName | humanize | title }} +{{ end }} + +{{- if .Params.IconClass }} + + + +{{ end -}} +{{ $title }} diff --git a/docs/layouts/redirect/single.html b/docs/layouts/redirect/single.html new file mode 100644 index 0000000..7a1f3c0 --- /dev/null +++ b/docs/layouts/redirect/single.html @@ -0,0 +1,6 @@ + + + + + + 
diff --git a/docs/layouts/shortcodes/insert.html b/docs/layouts/shortcodes/insert.html new file mode 100644 index 0000000..f99243d --- /dev/null +++ b/docs/layouts/shortcodes/insert.html @@ -0,0 +1,6 @@ +{{- $file := .Get 0 }} +{{ $FullPath := printf "%s/%s" .Page.File.Dir $file }} +{{- readFile $FullPath -}} + +{{ .Page.File.Dir }}{{ $file }} + diff --git a/docs/layouts/shortcodes/ruleset.html b/docs/layouts/shortcodes/ruleset.html index 29d2f0c..2217d94 100644 --- a/docs/layouts/shortcodes/ruleset.html +++ b/docs/layouts/shortcodes/ruleset.html @@ -28,10 +28,24 @@ let all_data = []; +function trimHash(input) { + if(input.startsWith("#")) { + return input.slice(1) + }; + return input; +} + $.ajax({ url: {{ .Get 0 }}, }).done(function( data ) { all_data = data; + let input = document.getElementById('myInput'); + if(input) { + input.value = trimHash(decodeURI(window.location.hash)); + doSearch(); + return; + }; + DrawResults(data); }); @@ -98,13 +112,15 @@ let input = document.getElementById('myInput'); let filter = input.value.toUpperCase(); + window.location.hash = encodeURI(input.value); + let result = []; for(let i=0;i 50) { + if (result.length > 500) { break; } }; @@ -116,6 +132,10 @@ $(".search_results").empty(); $("span.total-count").text("Total " + data.length); + data = data.sort(function(a,b) { + return a.Name < b.Name ? -1 : 1; + }); + let most_results = data.length; if(most_results > 50) { most_results = 50; @@ -126,8 +146,13 @@ let template = $(`
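Review bot: `{{- readFile $FullPath -}}` reads whatever path the shortcode's first argument names, joined to `.Page.File.Dir` without normalisation, and the one call site earlier in this diff (`docs/content/docs/_index.md`) already climbs out of the content tree with `../static/artifact/SQLiteHunter.yaml`; Hugo confines readFile to the project directory, but a missing file aborts the whole site build, and that YAML is produced only by the Makefile's `compile` target and is ignored by the new `docs/static/artifact/.gitignore`, so a docs build from a clean checkout presumably fails unless compile has run first — the gh-pages build steps are outside this diff. A comment at the top of the shortcode would spare the next maintainer that search, e.g. `{{/* insert: inline a file relative to the page's directory; the artifact YAML is generated by make compile and is not tracked in git */}}`. The trailing `{{ .Page.File.Dir }}{{ $file }}` prints the un-normalised path into the page; `{{ path.Clean $FullPath }}` would render the tidy form, and `$FullPath` then serves both uses.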
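Review bot: `input.value = trimHash(decodeURI(window.location.hash));` throws `URIError` for any fragment containing a malformed percent sequence (a truncated link such as `#Chrome%E`, a constructed example, is enough), and because the throw happens inside the `.done` handler before either `doSearch()` or `DrawResults(data)` runs, the page presumably ends up with the data loaded but nothing rendered. Guard the decode: `let hash = ""; try { hash = decodeURIComponent(window.location.hash); } catch (err) { /* malformed fragment: start with an empty filter */ }` followed by `input.value = trimHash(hash);`. The two writers in the later hunks (`window.location.hash = encodeURI(input.value)` and `link.hash = encodeURI(item.Name)`) should use `encodeURIComponent` to match, since `encodeURI` is meant for whole URLs and leaves `#`, `?` and `&` unescaped. Minor style: `trimHash` lacks the semicolon after `return input.slice(1)` and carries a stray `;` after the `if` block's closing brace, and `input` is never reassigned so `const` fits.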
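Review bot: `window.location.hash = encodeURI(input.value);` assigns the fragment on every doSearch call, and each assignment to `location.hash` pushes a new history entry, so a filter typed one character at a time leaves one Back-button stop per keystroke (assuming doSearch is bound to input events, which this hunk does not show). `history.replaceState(null, "", "#" + encodeURIComponent(input.value));` updates the URL without growing the history. The cap raised from 50 to 500 in the same hunk now disagrees with the `most_results > 50` clamp visible in the following hunk, so if the result list is handed to that renderer the extra rows are computed and then dropped; if the intent is only a larger "Total" count, a one-line comment saying so would stop the next reader from "fixing" it. doSearch begins before this hunk, and part of the loop body is missing from this view.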
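Review bot: The comparator passed to `data.sort` never returns 0, so two items with equal `Name` each compare as less than the other; that breaks the consistency a comparator must have and leaves the relative order of duplicates engine-dependent. It also sorts the caller's array in place, so when this function is handed `all_data` (as the `.done` handler in the first hunk does) the shared cache is reordered as a side effect, and the sort is repeated on every render rather than once after load. `const sorted = [...data].sort((a, b) => a.Name.localeCompare(b.Name));` (then use `sorted` below) fixes both, or sort `all_data` once in the `.done` handler; keep `a.Name < b.Name ? -1 : a.Name > b.Name ? 1 : 0` if code-unit order rather than locale order is wanted. The enclosing function, presumably DrawResults, starts and ends outside this hunk.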
-

+

+ + + +
+

@@ -142,6 +167,10 @@
`); template.find(".title").append(item.Name); + let link = new URL(window.location.href); + link.hash = encodeURI(item.Name); + template.find("a.new-tab").attr("href", link); + template.find(".author").append(item.Author); template.find(".description").append(item.Description || item.Comment || item.Name); template.find(".title").click(function() { diff --git a/docs/static/artifact/.gitignore b/docs/static/artifact/.gitignore new file mode 100644 index 0000000..2a61605 --- /dev/null +++ b/docs/static/artifact/.gitignore @@ -0,0 +1 @@ +*.yaml \ No newline at end of file