Update website

.github/workflows/gh-pages.yml

@@ -3,7 +3,7 @@ name: github pages
 on:
   push:
     branches:
-      - main  # Set a branch to deploy
+      - master  # Set a branch to deploy
   pull_request:
 
 jobs:
@@ -37,7 +37,7 @@ jobs:
 
       - name: Deploy
         uses: peaceiris/actions-gh-pages@v3
-        if: github.ref == 'refs/heads/main'
+        if: github.ref == 'refs/heads/master'
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           publish_dir: ./docs/public

.github/workflows/test.yml

@@ -14,9 +14,28 @@ jobs:
     - name: Check out code into the Go module directory
       uses: actions/checkout@v3
 
+    - name: Download Latest Velociraptor
+      uses: robinraju/release-downloader@v1
+      id: velociraptor
+      with:
+        repository: velocidex/velociraptor
+        tag: v0.75
+        fileName: "velociraptor-v0.75.2-linux-amd64-musl"
+        out-file-path: tests
+
+    - name: Build artifacts
+      run: |
+        make all compile
+
+    - name: Run Velociraptor
+      run: |
+        mv ${{ fromJson(steps.velociraptor.outputs.downloaded_files)[0]}} ./tests/velociraptor.bin
+        chmod +x ./tests/velociraptor.bin
+        ls -l ./output/
+        ./tests/velociraptor.bin artifacts verify --builtin -v ./output/*.yaml
+
     - name: Test
       shell: bash
       if: always()
       run: |
-        make
         go test -v ./...

Makefile

@@ -8,7 +8,10 @@ windows:
 	go build -o sqlitehunter_compiler.exe ./bin/*.go
 
 compile: FORCE
-	go run ./bin/ compile ./definitions/ ./output/SQLiteHunter.yaml --output_zip ./output/SQLiteHunter.zip --index ./docs/content/docs/rules/index.json
+	go run ./bin/ compile ./definitions/ ./output/SQLiteHunter.yaml --output_zip ./output/SQLiteHunter.zip --index ./docs/content/docs/rules/index.json && cp ./output/SQLiteHunter.yaml ./docs/static/artifact/
+
+verify: compile
+	./testing/velociraptor.bin -v artifacts verify ./output/*.yaml --builtin
 
 golden: compile
 	./testing/velociraptor.bin --definitions ./output --config ./testing/test.config.yaml golden --env testFiles=`pwd`/test_files ./testing/testcases -v --filter=${GOLDEN}

docs/content/_index.md

@@ -1,8 +1,9 @@
 ---
 title: SQLiteHunter Site
 date: 2023-10-15T00:14:44+10:00
+redirect: docs
+layout: single
+type: redirect
 ---
 
-# The SQLite Hunter Site
-
-This project manages the `SQLiteHunter` artifact
+Goto [Github](docs)

docs/content/docs/_index.md

@@ -1,18 +1,70 @@
 ---
 title: SQLiteHunter Site
 date: 2023-10-15T00:14:44+10:00
+bookToc: false
 ---
 
 # The Velociraptor SQLiteHunter Site
 
 This repository maintains the source for the
-Generic.Forensic.SQLiteHunter VQL artifact. This artifact is designed
-to be an efficient and mostly automated artifact to analyze and
-collect SQLite based artifacts from various applications on the
+`Generic.Forensic.SQLiteHunter` VQL artifact. This artifact is
+designed to be an efficient and mostly automated artifact to analyze
+and collect SQLite based artifacts from various applications on the
 endpoint.
 
 The produced artifact is self contained and can be loaded into
 Velociraptor (https://docs.velociraptor.app) to hunt quickly and
 efficiently across a large number of endpoints.
 
-You can download the latest artifact pack [here](
+You can download the latest artifact pack [as a zip
+file](/SQLiteHunter.zip), or [as a YAML
+file](../artifact/SQLiteHunter.yaml) and add it manually to
+Velociraptor.
+
+## Parameters
+
+1. **RuleFilter**: If you dont want to run all the rules, you can
+   filter the ones you need using this regular expression.
+
+2. **Rules**: Alteratively, the rules may be specified one at the time
+   using a multi-choice selector.
+
+3. **MatchFilename**: Rules generally look for SQLite files using
+   known filenames. If this option is unset, we relay on automatic
+   detection to identify the filenames (For example, enumerate the
+   tables in the SQLite file). This makes scanning much slower so by
+   default this setting is enabled.
+
+4. **CustomGlob**: Rules default to search for SQLites using known
+   globs. However, if you have a bunch of SQLite files in a different
+   location, you may specify the custom glob to search for files.
+
+5. **DateAfter** and **DateBefore**: These setting allow you to time
+   box the returned rows to only return items that occurred between
+   the specified dates.
+
+6. **FilterRegex**: A filter that applies on the entire row (encoded
+   as JSON). This is very useful to find all relevant rows relating to
+   a specific item. For example, if you want to know any rows
+   accessing www.example.com you can specify this filter which will
+   return records like `Visited links`, `bookmarks`, `favicons` etc.
+
+7. **SQLITE_ALWAYS_MAKE_TEMPFILE**: By default Velociraptor will make
+   a temporary copy of the SQLite file before parsing it. This ensure
+   the file is not locked and can be freely accessed. If this setting
+   is set to off parsing might be a lot slower as Velociraptor will
+   have to contend with application locks. There is probably no reason
+   to disable this.
+
+8. **AlsoUpload**: This option also uploads the raw SQLite files.
+
+
+## Artifact
+
+<div style="max-height: 500px; overflow-y: auto; ">
+<pre >
+<code style="margin-top: -40px;font-size: medium;" class="language-yaml">
+{{< insert "../static/artifact/SQLiteHunter.yaml" >}}
+</code>
+</pre>
+</div>

docs/content/docs/github/_index.md

@@ -0,0 +1,10 @@
+---
+title: Github
+type: redirect
+redirect: https://github.com/Velocidex/SQLiteHunter
+layout: single
+IconClass: fa-brands fa-github
+weight: 30
+---
+
+Goto [Github](https://github.com/Velocidex/SQLiteHunter)

docs/content/docs/rules/_index.md

@@ -2,6 +2,7 @@
 title: Rules
 weight: 20
 bookToc: false
+IconClass: fa-solid fa-book
 ---
 
 # The SQLiteHunter rules

docs/content/docs/sqlite_hunter/_index.md

@@ -2,6 +2,7 @@
 title: "Velociraptor SQLite Hunter"
 date: 2024-04-01
 weight: 10
+IconClass: fa-solid fa-desktop
 ---
 
 # SQLite Hunter

docs/layouts/partials/docs/title.html

@@ -0,0 +1,22 @@
+<!--
+  Partial to generate page name from Title or File name.
+  Accepts Page as context
+-->
+{{ $title := "" }}
+
+{{ if .LinkTitle }}
+  {{ $title = .LinkTitle }}
+{{ else if .Title }}
+  {{ $title = .Title }}
+{{ else if and .IsSection .File }}
+  {{ $title = path.Base .File.Dir | humanize | title }}
+{{ else if and .IsPage .File }}
+  {{ $title = .File.BaseFileName | humanize | title }}
+{{ end }}
+
+{{- if .Params.IconClass }}
+<span class="icon">
+  <i class="{{ .Params.IconClass }}"></i>
+</span>
+{{ end -}}
+{{ $title }}

docs/layouts/redirect/single.html

@@ -0,0 +1,6 @@
+<!DOCTYPE html>
+<head>
+  <meta http-equiv="content-type" content="text/html; charset=utf-8">
+  <meta http-equiv="refresh" content="0; url={{.Params.redirect}}">
+</head>
+</html>

docs/layouts/shortcodes/insert.html

@@ -0,0 +1,6 @@
+{{- $file := .Get 0 }}
+{{ $FullPath := printf "%s/%s" .Page.File.Dir $file }}
+{{- readFile $FullPath -}}
+
+{{ .Page.File.Dir  }}{{ $file }}
+<script>hljs.highlightAll();</script>

docs/layouts/shortcodes/ruleset.html

@@ -28,10 +28,24 @@
 
 let all_data = [];
 
+function trimHash(input) {
+  if(input.startsWith("#")) {
+      return input.slice(1)
+  };
+  return input;
+}
+
 $.ajax({
     url: {{ .Get 0 }},
 }).done(function( data ) {
   all_data = data;
+  let input = document.getElementById('myInput');
+  if(input) {
+      input.value = trimHash(decodeURI(window.location.hash));
+      doSearch();
+      return;
+  };
+
   DrawResults(data);
 });
 
@@ -98,13 +112,15 @@
   let input = document.getElementById('myInput');
   let filter = input.value.toUpperCase();
 
+  window.location.hash = encodeURI(input.value);
+
   let result = [];
   for(let i=0;i<all_data.length; i++) {
       let item = all_data[i];
       if (matchItem(filter, item)) {
           result.push(item);
       };
-      if (result.length > 50) {
+      if (result.length > 500) {
           break;
       }
   };
@@ -116,6 +132,10 @@
     $(".search_results").empty();
     $("span.total-count").text("Total " + data.length);
 
+    data = data.sort(function(a,b) {
+        return a.Name < b.Name ? -1 : 1;
+    });
+
     let most_results = data.length;
     if(most_results > 50) {
         most_results = 50;
@@ -126,8 +146,13 @@
       let template = $(`
 <div class="panel panel-default color">
   <div class="panel-heading color">
-    <a class="title" target="new" href=""><h3 class="panel-title color " ></h3></a>
+    <h3 class="panel-title color " >
+    <a class="new-tab" href="#" title="NewPage" target="_blank">
+       <i class="fa-solid fa-arrow-up-right-from-square"></i>
+    </a>
+    <a class="title" target="new" href=""></a>
     <div class="author pull-right"></div>
+    </h3>
   </div>
   <div class="panel-body color">
     <div class="border color">
@@ -142,6 +167,10 @@
 </div>`);
 
       template.find(".title").append(item.Name);
+      let link = new URL(window.location.href);
+      link.hash = encodeURI(item.Name);
+      template.find("a.new-tab").attr("href", link);
+
       template.find(".author").append(item.Author);
       template.find(".description").append(item.Description || item.Comment || item.Name);
       template.find(".title").click(function() {

docs/static/artifact/.gitignore

@@ -0,0 +1 @@
+*.yaml