Added support for the NT Kernel Logger ETW session (#3988)

This special ETW provider gives access to unique system based information as well as stacks: * registry - all registry interactions like keys/values * process - all processes start/stop * image_load - dll loading and mapping * network - inbound/outbound connections * driver - drivers loaded * file - file io like opening files/deleting files etc * handles - Any time a kernel handle is created
Velocidex · Jan 2, 2025 · 6244f40 · 6244f40
1 parent 368dd18
commit 6244f40
Show file tree

Hide file tree

Showing 46 changed files with 452 additions and 115 deletions.
diff --git a/api/artifacts.go b/api/artifacts.go
@@ -19,13 +19,13 @@ package api
 
 import (
 	"bytes"
+	"context"
 	"io/ioutil"
 	"regexp"
 	"strings"
 
 	"github.com/Velocidex/ordereddict"
 	errors "github.com/go-errors/errors"
-	context "golang.org/x/net/context"
 	"www.velocidex.com/golang/velociraptor/acls"
 	actions_proto "www.velocidex.com/golang/velociraptor/actions/proto"
 	api_proto "www.velocidex.com/golang/velociraptor/api/proto"

diff --git a/api/assets.go b/api/assets.go
@@ -21,6 +21,7 @@ package api
 
 import (
 	"bytes"
+	"context"
 	"fmt"
 	"html/template"
 	"net/http"
@@ -30,7 +31,6 @@ import (
 	"github.com/andybalholm/brotli"
 	"github.com/gorilla/csrf"
 	"github.com/lpar/gzipped"
-	context "golang.org/x/net/context"
 	"www.velocidex.com/golang/velociraptor/api/proto"
 	api_utils "www.velocidex.com/golang/velociraptor/api/utils"
 	utils "www.velocidex.com/golang/velociraptor/api/utils"

diff --git a/api/authenticators/azure.go b/api/authenticators/azure.go
@@ -18,13 +18,13 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.
 package authenticators
 
 import (
+	"context"
 	"fmt"
 	"io"
 	"io/ioutil"
 	"net/http"
 
 	"github.com/sirupsen/logrus"
-	context "golang.org/x/net/context"
 	"golang.org/x/oauth2"
 	"golang.org/x/oauth2/microsoft"
 	"www.velocidex.com/golang/velociraptor/acls"

diff --git a/api/authenticators/github.go b/api/authenticators/github.go
@@ -18,13 +18,13 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.
 package authenticators
 
 import (
+	"context"
 	"fmt"
 	"io"
 	"io/ioutil"
 	"net/http"
 
 	"github.com/sirupsen/logrus"
-	context "golang.org/x/net/context"
 	"golang.org/x/oauth2"
 	"golang.org/x/oauth2/github"
 	"www.velocidex.com/golang/velociraptor/acls"

diff --git a/api/authenticators/google.go b/api/authenticators/google.go
@@ -18,6 +18,7 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.
 package authenticators
 
 import (
+	"context"
 	"crypto/rand"
 	"encoding/base64"
 	"fmt"
@@ -29,7 +30,6 @@ import (
 	"github.com/Velocidex/ordereddict"
 	"github.com/gorilla/csrf"
 	"github.com/sirupsen/logrus"
-	context "golang.org/x/net/context"
 	"golang.org/x/oauth2"
 	"golang.org/x/oauth2/google"
 	"www.velocidex.com/golang/velociraptor/acls"

diff --git a/api/authenticators/http.go b/api/authenticators/http.go
@@ -1,10 +1,10 @@
 package authenticators
 
 import (
+	"context"
 	"net/http"
 
 	oidc "github.com/coreos/go-oidc/v3/oidc"
-	context "golang.org/x/net/context"
 	config_proto "www.velocidex.com/golang/velociraptor/config/proto"
 	"www.velocidex.com/golang/velociraptor/vql/networking"
 )

diff --git a/api/datastore.go b/api/datastore.go
@@ -1,9 +1,9 @@
 package api
 
 import (
+	"context"
 	"sync"
 
-	context "golang.org/x/net/context"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 	"google.golang.org/protobuf/types/known/emptypb"

diff --git a/api/download.go b/api/download.go
@@ -26,6 +26,7 @@
 package api
 
 import (
+	"context"
 	"fmt"
 	"html"
 	"io"
@@ -41,7 +42,6 @@ import (
 	errors "github.com/go-errors/errors"
 	"github.com/gorilla/schema"
 
-	context "golang.org/x/net/context"
 	"www.velocidex.com/golang/velociraptor/acls"
 	actions_proto "www.velocidex.com/golang/velociraptor/actions/proto"
 	"www.velocidex.com/golang/velociraptor/api/authenticators"

diff --git a/api/events.go b/api/events.go
@@ -1,7 +1,8 @@
 package api
 
 import (
-	context "golang.org/x/net/context"
+	"context"
+
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 	"google.golang.org/protobuf/types/known/emptypb"

diff --git a/api/filesearch.go b/api/filesearch.go
@@ -2,13 +2,13 @@ package api
 
 import (
 	"bytes"
+	"context"
 	"encoding/hex"
 	"io"
 	"regexp"
 	"strings"
 
 	errors "github.com/go-errors/errors"
-	context "golang.org/x/net/context"
 	"www.velocidex.com/golang/velociraptor/acls"
 	api_proto "www.velocidex.com/golang/velociraptor/api/proto"
 	"www.velocidex.com/golang/velociraptor/file_store"

diff --git a/api/flows.go b/api/flows.go
@@ -1,7 +1,8 @@
 package api
 
 import (
-	context "golang.org/x/net/context"
+	"context"
+
 	"www.velocidex.com/golang/velociraptor/acls"
 	api_proto "www.velocidex.com/golang/velociraptor/api/proto"
 	"www.velocidex.com/golang/velociraptor/api/tables"

diff --git a/api/health.go b/api/health.go
@@ -1,7 +1,8 @@
 package api
 
 import (
-	context "golang.org/x/net/context"
+	"context"
+
 	"www.velocidex.com/golang/velociraptor/api/proto"
 	api_proto "www.velocidex.com/golang/velociraptor/api/proto"
 )

diff --git a/api/hunts.go b/api/hunts.go
@@ -1,14 +1,14 @@
 package api
 
 import (
+	"context"
 	"fmt"
 	"strings"
 	"time"
 
 	"github.com/Velocidex/ordereddict"
 	errors "github.com/go-errors/errors"
 
-	context "golang.org/x/net/context"
 	"google.golang.org/protobuf/proto"
 	"google.golang.org/protobuf/types/known/emptypb"
 	"www.velocidex.com/golang/velociraptor/acls"

diff --git a/api/notebooks.go b/api/notebooks.go
@@ -1,14 +1,14 @@
 package api
 
 import (
+	"context"
 	"os"
 	"strings"
 	"sync"
 	"time"
 
 	"github.com/Velocidex/ordereddict"
 	errors "github.com/go-errors/errors"
-	context "golang.org/x/net/context"
 	"google.golang.org/protobuf/proto"
 	"google.golang.org/protobuf/types/known/emptypb"
 	"www.velocidex.com/golang/velociraptor/acls"

diff --git a/api/proxy.go b/api/proxy.go
@@ -18,6 +18,7 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.
 package api
 
 import (
+	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
@@ -28,7 +29,6 @@ import (
 	errors "github.com/go-errors/errors"
 	"github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
 
-	"golang.org/x/net/context"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/metadata"

diff --git a/api/reflect.go b/api/reflect.go
@@ -18,10 +18,10 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.
 package api
 
 import (
+	"context"
 	"regexp"
 	"strings"
 
-	context "golang.org/x/net/context"
 	"google.golang.org/protobuf/types/known/emptypb"
 	api_proto "www.velocidex.com/golang/velociraptor/api/proto"
 	artifacts_proto "www.velocidex.com/golang/velociraptor/artifacts/proto"

diff --git a/api/reformat.go b/api/reformat.go
@@ -1,7 +1,8 @@
 package api
 
 import (
-	context "golang.org/x/net/context"
+	"context"
+
 	"www.velocidex.com/golang/velociraptor/acls"
 	api_proto "www.velocidex.com/golang/velociraptor/api/proto"
 	"www.velocidex.com/golang/velociraptor/services"

diff --git a/api/replication.go b/api/replication.go
@@ -1,6 +1,7 @@
 package api
 
 import (
+	"context"
 	"fmt"
 	"sort"
 	"strings"
@@ -11,7 +12,6 @@ import (
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promauto"
 	"github.com/sirupsen/logrus"
-	context "golang.org/x/net/context"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/peer"
 	"google.golang.org/grpc/status"

diff --git a/api/reports.go b/api/reports.go
@@ -1,11 +1,11 @@
 package api
 
 import (
+	"context"
 	"fmt"
 	"strings"
 
 	errors "github.com/go-errors/errors"
-	context "golang.org/x/net/context"
 	api_proto "www.velocidex.com/golang/velociraptor/api/proto"
 	config_proto "www.velocidex.com/golang/velociraptor/config/proto"
 	"www.velocidex.com/golang/velociraptor/constants"

diff --git a/api/secrets.go b/api/secrets.go
@@ -1,8 +1,9 @@
 package api
 
 import (
+	"context"
+
 	"github.com/Velocidex/ordereddict"
-	context "golang.org/x/net/context"
 	"google.golang.org/protobuf/types/known/emptypb"
 	"www.velocidex.com/golang/velociraptor/acls"
 	api_proto "www.velocidex.com/golang/velociraptor/api/proto"

diff --git a/api/static.go b/api/static.go
@@ -12,6 +12,7 @@ package api
 
 import (
 	"bytes"
+	"context"
 	"io"
 	"io/fs"
 	"net/http"
@@ -24,7 +25,6 @@ import (
 	errors "github.com/go-errors/errors"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promauto"
-	context "golang.org/x/net/context"
 	"www.velocidex.com/golang/velociraptor/services"
 )
 

diff --git a/api/tables/notebooks.go b/api/tables/notebooks.go
@@ -1,7 +1,8 @@
 package tables
 
 import (
-	context "golang.org/x/net/context"
+	"context"
+
 	api_proto "www.velocidex.com/golang/velociraptor/api/proto"
 	config_proto "www.velocidex.com/golang/velociraptor/config/proto"
 	"www.velocidex.com/golang/velociraptor/services"

diff --git a/api/tables/table.go b/api/tables/table.go
@@ -18,14 +18,14 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.
 package tables
 
 import (
+	"context"
 	"io"
 	"regexp"
 	"strings"
 	"time"
 
 	"github.com/Velocidex/ordereddict"
 	errors "github.com/go-errors/errors"
-	context "golang.org/x/net/context"
 	file_store "www.velocidex.com/golang/velociraptor/file_store"
 	"www.velocidex.com/golang/velociraptor/file_store/api"
 	"www.velocidex.com/golang/velociraptor/file_store/path_specs"

diff --git a/api/tables/timelines.go b/api/tables/timelines.go
@@ -1,10 +1,10 @@
 package tables
 
 import (
+	"context"
 	"time"
 
 	errors "github.com/go-errors/errors"
-	context "golang.org/x/net/context"
 	api_proto "www.velocidex.com/golang/velociraptor/api/proto"
 	config_proto "www.velocidex.com/golang/velociraptor/config/proto"
 	"www.velocidex.com/golang/velociraptor/json"

diff --git a/api/timelines.go b/api/timelines.go
@@ -1,10 +1,10 @@
 package api
 
 import (
+	"context"
 	"time"
 
 	"github.com/Velocidex/ordereddict"
-	context "golang.org/x/net/context"
 	"google.golang.org/protobuf/types/known/emptypb"
 	"www.velocidex.com/golang/velociraptor/acls"
 	api_proto "www.velocidex.com/golang/velociraptor/api/proto"

diff --git a/api/tools.go b/api/tools.go
@@ -1,7 +1,7 @@
 package api
 
 import (
-	context "golang.org/x/net/context"
+	"context"
 
 	"www.velocidex.com/golang/velociraptor/acls"
 	artifacts_proto "www.velocidex.com/golang/velociraptor/artifacts/proto"

diff --git a/api/users.go b/api/users.go
@@ -1,11 +1,11 @@
 package api
 
 import (
+	"context"
 	"errors"
 	"sort"
 
 	"github.com/Velocidex/ordereddict"
-	context "golang.org/x/net/context"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 	"google.golang.org/protobuf/types/known/emptypb"

diff --git a/api/vfs.go b/api/vfs.go
@@ -62,10 +62,10 @@ GetVFSDownloadInfoPath().
 package api
 
 import (
+	"context"
 	"fmt"
 	"strings"
 
-	context "golang.org/x/net/context"
 	"www.velocidex.com/golang/velociraptor/acls"
 	actions_proto "www.velocidex.com/golang/velociraptor/actions/proto"
 	api_proto "www.velocidex.com/golang/velociraptor/api/proto"

diff --git a/api/vql.go b/api/vql.go
@@ -18,8 +18,9 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.
 package api
 
 import (
+	"context"
+
 	"github.com/Velocidex/ordereddict"
-	context "golang.org/x/net/context"
 	api_proto "www.velocidex.com/golang/velociraptor/api/proto"
 	config_proto "www.velocidex.com/golang/velociraptor/config/proto"
 	"www.velocidex.com/golang/velociraptor/json"

diff --git a/artifacts/definitions/Notebooks/SigmaStudio.yaml b/artifacts/definitions/Notebooks/SigmaStudio.yaml
@@ -16,7 +16,10 @@ parameters:
     default: Windows
     choices:
       - Windows
+      - WindowsEvents
       - Linux
+      - LinuxEvents
+
   - name: Debug
     description: Enable this to match all rules (even if they did not match) in order to see what detections matched.
     type: bool