Member "osquery-4.0.0/osquery/tables/system/windows/appcompat_shims.cpp" (28 Jun 2019, 3214 Bytes) of package /linux/misc/osquery-4.0.0.tar.gz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) C and C++ source code syntax highlighting (style: standard) with prefixed line numbers and code folding option. Alternatively you can here view or download the uninterpreted source code file. For more information about "appcompat_shims.cpp" see the Fossies "Dox" file reference documentation.

    1 /**
    2  *  Copyright (c) 2014-present, Facebook, Inc.
    3  *  All rights reserved.
    4  *
    5  *  This source code is licensed in accordance with the terms specified in
    6  *  the LICENSE file found in the root directory of this source tree.
    7  */
    8 
#include <map>
#include <stdexcept>
#include <string>

#include <osquery/core.h>
#include <osquery/tables.h>

#include <osquery/utils/conversions/split.h>

#include <osquery/tables/system/windows/registry.h>
   17 
   18 namespace osquery {
   19 namespace tables {
   20 
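/// One installed shim database (SDB), as described by the values of an
/// InstalledSDB\{guid} registry subkey (see genShims).
struct sdb {
  std::string description; // "DatabaseDescription" value
  // "DatabaseInstallTimeStamp" value converted to Unix seconds; 0 until set,
  // so an entry whose subkey lacks the value does not carry an indeterminate
  // timestamp into the table.
  unsigned long long installTimestamp{0};
  std::string path; // "DatabasePath" value
  std::string type; // "DatabaseType" value
};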
   27 
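namespace {

/// Converts the string form of a Windows FILETIME-style value (100 ns ticks
/// since 1601-01-01, as stored in "DatabaseInstallTimeStamp") to Unix seconds.
///
/// Registry data is not under the agent's control, so a value that does not
/// parse, or that predates the Unix epoch, yields 0 instead of throwing out of
/// the table generator or wrapping the unsigned subtraction.
unsigned long long filetimeStringToUnix(const std::string& value) {
  unsigned long long ticks = 0;
  try {
    ticks = std::stoull(value);
  } catch (const std::exception&) {
    return 0;
  }
  // 100 ns ticks -> seconds, then shift from the 1601 epoch to 1970.
  const unsigned long long seconds = ticks / 10000000ULL;
  constexpr unsigned long long kEpochDeltaSeconds = 11644473600ULL;
  return seconds < kEpochDeltaSeconds ? 0 : seconds - kEpochDeltaSeconds;
}

} // namespace

/// Generates the appcompat_shims table.
///
/// Reads every installed shim database from
/// HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB,
/// then walks the per-executable subkeys of ...\AppCompatFlags\Custom and emits
/// one row per (executable, value) pair whose value name resolves to an
/// installed SDB id.
///
/// @param context Unused; the table does not filter on constraints.
/// @return Rows with executable, path, description, install_time, type, sdb_id.
QueryData genShims(QueryContext& context) {
  QueryData results;
  QueryData sdbResults;
  QueryData shimResults;
  std::map<std::string, sdb> sdbs;

  queryKey(
      "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows "
      "NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB",
      sdbResults);
  for (const auto& rKey : sdbResults) {
    if (rKey.count("type") == 0 || rKey.count("path") == 0) {
      continue;
    }
    const std::string& subkey = rKey.at("path");
    // The subkey path ends in a braced id; everything from the opening brace
    // onward is used as the key the Custom entries are joined against.
    const auto start = subkey.find('{');
    if (start == std::string::npos) {
      continue;
    }
    const std::string sdbId = subkey.substr(start);

    // Value-initialised so installTimestamp is 0 when the subkey lacks it.
    sdb entry{};
    QueryData regResults;
    queryKey(subkey, regResults);
    for (const auto& aKey : regResults) {
      if (aKey.count("name") == 0 || aKey.count("data") == 0) {
        continue;
      }
      const auto& name = aKey.at("name");
      const auto& data = aKey.at("data");
      if (name == "DatabaseDescription") {
        entry.description = data;
      } else if (name == "DatabaseInstallTimeStamp") {
        entry.installTimestamp = filetimeStringToUnix(data);
      } else if (name == "DatabasePath") {
        entry.path = data;
      } else if (name == "DatabaseType") {
        entry.type = data;
      }
    }
    sdbs[sdbId] = entry;
  }

  queryKey(
      "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\"
      "CurrentVersion\\AppCompatFlags\\Custom",
      shimResults);
  for (const auto& rKey : shimResults) {
    if (rKey.count("type") == 0 || rKey.count("path") == 0 ||
        rKey.at("type") != "subkey") {
      continue;
    }

    const std::string& subkey = rKey.at("path");
    // The last path component names the executable the subkey belongs to.
    const auto toks = split(subkey, "\\");
    if (toks.empty()) {
      continue;
    }
    const auto& executable = toks.back();

    QueryData regResults;
    queryKey(subkey, regResults);
    for (const auto& aKey : regResults) {
      // Values without a name cannot be joined; .at() would throw here.
      if (aKey.count("name") == 0) {
        continue;
      }
      const auto& name = aKey.at("name");
      // Drop the trailing four characters (presumably a ".sdb" extension) to
      // recover the id used in the InstalledSDB map; shorter names cannot match.
      if (name.length() <= 4) {
        continue;
      }
      const std::string sdbId = name.substr(0, name.length() - 4);
      const auto found = sdbs.find(sdbId);
      if (found == sdbs.end()) {
        continue;
      }
      const sdb& db = found->second;

      Row r;
      r["executable"] = executable;
      r["path"] = db.path;
      r["description"] = db.description;
      r["install_time"] = INTEGER(db.installTimestamp);
      r["type"] = db.type;
      r["sdb_id"] = sdbId;
      results.push_back(r);
    }
  }

  return results;
}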
  113 } // namespace tables
  114 } // namespace osquery