Windows file ops (osquery#4613)

ccombs-sqsp · Jul 15, 2018 · 352e3ff · 352e3ff
1 parent 61b6655
commit 352e3ff
Show file tree

Hide file tree

Showing 5 changed files with 382 additions and 50 deletions.
diff --git a/osquery/core/windows/process_ops.cpp b/osquery/core/windows/process_ops.cpp
@@ -24,47 +24,30 @@ std::string psidToString(PSID sid) {
 }
 
 int getUidFromSid(PSID sid) {
-  auto eUse = SidTypeUnknown;
-  unsigned long unameSize = 0;
-  unsigned long domNameSize = 1;
-
-  // LookupAccountSid first gets the size of the username buff required.
-  LookupAccountSidW(
-      nullptr, sid, nullptr, &unameSize, nullptr, &domNameSize, &eUse);
-  std::vector<wchar_t> uname(unameSize);
-  std::vector<wchar_t> domName(domNameSize);
-  auto ret = LookupAccountSidW(nullptr,
-                               sid,
-                               uname.data(),
-                               &unameSize,
-                               domName.data(),
-                               &domNameSize,
-                               &eUse);
-
-  if (ret == 0) {
-    return -1;
-  }
-  // USER_INFO_3 struct contains the RID (uid) of our user
-  unsigned long userInfoLevel = 3;
-  unsigned char* userBuff = nullptr;
   unsigned long uid = -1;
-  ret = NetUserGetInfo(nullptr, uname.data(), userInfoLevel, &userBuff);
-  if (ret != NERR_Success && ret != NERR_UserNotFound) {
+  LPTSTR sidString;
+  if (ConvertSidToStringSid(sid, &sidString) == 0) {
+    VLOG(1) << "getUidFromSid failed ConvertSidToStringSid error " +
+                   std::to_string(GetLastError());
+    LocalFree(sidString);
     return uid;
   }
+  auto toks = osquery::split(sidString, "-");
 
-  // SID belongs to a domain user, so we return the relative identifier (RID)
-  if (ret == NERR_UserNotFound) {
-    LPTSTR sidString;
-    ConvertSidToStringSid(sid, &sidString);
-    auto toks = osquery::split(sidString, "-");
-    safeStrtoul(toks.at(toks.size() - 1), 10, uid);
+  if (toks.size() < 1) {
     LocalFree(sidString);
-  } else if (ret == NERR_Success) {
-    uid = LPUSER_INFO_3(userBuff)->usri3_user_id;
+    return uid;
   }
 
-  NetApiBufferFree(userBuff);
+  auto ret = safeStrtoul(toks.at(toks.size() - 1), 10, uid);
+
+  if (!ret.ok()) {
+    LocalFree(sidString);
+    VLOG(1) << "getUidFromSid failed with safeStrtoul failed to parse PSID";
+    return uid;
+  }
+
+  LocalFree(sidString);
   return uid;
 }
 
@@ -101,6 +84,7 @@ int getGidFromSid(PSID sid) {
     auto toks = osquery::split(sidString, "-");
     safeStrtoul(toks.at(toks.size() - 1), 10, gid);
     LocalFree(sidString);
+
   } else if (ret == NERR_Success) {
     gid = LPUSER_INFO_3(userBuff)->usri3_primary_group_id;
   }

diff --git a/osquery/filesystem/fileops.h b/osquery/filesystem/fileops.h
@@ -15,7 +15,8 @@
 #include <sys/types.h>
 
 #ifdef WIN32
-
+#include <iomanip>
+#include <map>
 #include <windows.h>
 #else
 #include <unistd.h>
@@ -61,6 +62,38 @@ using PlatformTimeType = FILETIME;
 #define S_IXOTH (S_IXGRP >> 3)
 #define S_IRWXO (S_IRWXG >> 3)
 
+const std::map<std::int32_t, std::string> kDriveLetters{
+    {0, "A:\\"},  {1, "B:\\"},  {2, "C:\\"},  {3, "D:\\"},  {4, "E:\\"},
+    {5, "F:\\"},  {6, "G:\\"},  {7, "H:\\"},  {8, "I:\\"},  {9, "J:\\"},
+    {10, "K:\\"}, {11, "L:\\"}, {12, "M:\\"}, {13, "N:\\"}, {14, "O:\\"},
+    {15, "P:\\"}, {16, "Q:\\"}, {17, "R:\\"}, {18, "S:\\"}, {19, "T:\\"},
+    {20, "U:\\"}, {21, "V:\\"}, {22, "W:\\"}, {23, "X:\\"}, {24, "Y:\\"},
+    {25, "Z:\\"},
+};
+
+typedef struct win_stat {
+  std::string path;
+  std::string filename;
+  int symlink;
+  std::string file_id;
+  LONGLONG inode;
+  unsigned long uid;
+  unsigned long gid;
+  std::string mode;
+  LONGLONG device;
+  LONGLONG size;
+  int block_size;
+  LONGLONG atime;
+  LONGLONG mtime;
+  LONGLONG ctime;
+  LONGLONG btime;
+  int hard_links;
+  std::string type;
+  std::string attributes;
+  std::string volume_serial;
+
+} WINDOWS_STAT;
+
 #else
 
 using PlatformHandle = int;
@@ -72,6 +105,8 @@ typedef struct { PlatformTimeType times[2]; } PlatformTime;
 /// Constant for an invalid handle.
 const PlatformHandle kInvalidHandle = (PlatformHandle)-1;
 
+std::string lastErrorMessage(unsigned long);
+
 /**
  * @brief File access modes for PlatformFile.
  *
@@ -110,6 +145,12 @@ enum SeekMode { PF_SEEK_BEGIN = 0, PF_SEEK_CURRENT, PF_SEEK_END };
 /// Takes a Windows FILETIME object and returns seconds since epoch
 LONGLONG filetimeToUnixtime(const FILETIME& ft);
 
+LONGLONG longIntToUnixtime(LARGE_INTEGER& ft);
+
+std::string getFileAttribStr(unsigned long);
+
+Status platformStat(const boost::filesystem::path&, WINDOWS_STAT*);
+
 /**
  * @brief Stores information about the last Windows async request
  *