common

package v0.55.0-rc.2

Published: Jun 5, 2024 License: Apache-2.0 Imports: 8 Imported by: 0

Documentation

Overview

Package common contains helpers for Windows E2E tests

Constants

const (

	// dwServiceType
	SERVICE_KERNEL_DRIVER       = 0x00000001
	SERVICE_FILE_SYSTEM_DRIVER  = 0x00000002
	SERVICE_WIN32_OWN_PROCESS   = 0x00000010
	SERVICE_WIN32_SHARE_PROCESS = 0x00000020

	// dwStartType
	SERVICE_SYSTEM_START = 1
	SERVICE_AUTO_START   = 2
	SERVICE_DEMAND_START = 3
	SERVICE_DISABLED     = 4
)

Service API constants https://learn.microsoft.com/en-us/windows/win32/api/winsvc/ns-winsvc-query_service_configa

Variables

This section is empty.

Functions

func ClearEventLog added in v0.54.0

func ClearEventLog(host *components.RemoteHost, logName string) error

ClearEventLog clears an event log

func ConvertUTF16ToUTF8

func ConvertUTF16ToUTF8(content []byte) ([]byte, error)

ConvertUTF16ToUTF8 converts a byte slice from UTF-16 to UTF-8

UTF-16 little-endian (UTF-16LE) is the encoding standard in the Windows operating system. https://learn.microsoft.com/en-us/globalization/encoding/transformations-of-unicode-code-points
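The decoding step that ConvertUTF16ToUTF8 performs, written out as an added example (this is illustrative code, not the package's implementation). It honours a byte order mark when one is present, defaults to little-endian otherwise, rejects odd-length input, and lets unpaired surrogates degrade to U+FFFD. DecodeWindowsText and looksLikeUTF16LEASCII are hypothetical helpers added here for text whose encoding is not known up front; the sample bytes are constructed.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"unicode/utf16"
)

// ConvertUTF16ToUTF8 decodes UTF-16 into UTF-8. A byte order mark, when
// present, selects the byte order and is dropped from the output; without a
// BOM the input is assumed to be little-endian, as Windows tools emit it.
func ConvertUTF16ToUTF8(content []byte) ([]byte, error) {
	if len(content)%2 != 0 {
		return nil, fmt.Errorf("utf-16 content has odd length %d", len(content))
	}
	var order binary.ByteOrder = binary.LittleEndian
	if len(content) >= 2 {
		switch {
		case content[0] == 0xFF && content[1] == 0xFE:
			content = content[2:]
		case content[0] == 0xFE && content[1] == 0xFF:
			order = binary.BigEndian
			content = content[2:]
		}
	}
	units := make([]uint16, 0, len(content)/2)
	for i := 0; i < len(content); i += 2 {
		units = append(units, order.Uint16(content[i:i+2]))
	}
	// utf16.Decode replaces unpaired surrogates with U+FFFD rather than failing.
	return []byte(string(utf16.Decode(units))), nil
}

// DecodeWindowsText is a hypothetical wrapper for text captured from a
// Windows host whose encoding is unknown (for example a file produced by
// PowerShell redirection). It converts when a UTF-16 BOM is present or when
// the leading bytes look like UTF-16LE ASCII, and otherwise returns the
// input unchanged.
func DecodeWindowsText(content []byte) ([]byte, error) {
	if len(content) >= 2 {
		bom := (content[0] == 0xFF && content[1] == 0xFE) || (content[0] == 0xFE && content[1] == 0xFF)
		if bom || looksLikeUTF16LEASCII(content) {
			return ConvertUTF16ToUTF8(content)
		}
	}
	return content, nil
}

// looksLikeUTF16LEASCII inspects the first few code units: every odd byte
// must be zero and every even byte printable ASCII or a line break.
func looksLikeUTF16LEASCII(content []byte) bool {
	if len(content)%2 != 0 {
		return false
	}
	n := len(content)
	if n > 64 {
		n = 64
	}
	for i := 0; i+1 < n; i += 2 {
		lo, hi := content[i], content[i+1]
		if hi != 0 || !(lo == '\n' || lo == '\r' || lo == '\t' || (lo >= 0x20 && lo < 0x7F)) {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample: UTF-16LE with BOM encoding "hi" followed by U+1F600,
	// which UTF-16 represents as the surrogate pair D83D DE00.
	sample := []byte{0xFF, 0xFE, 'h', 0, 'i', 0, 0x3D, 0xD8, 0x00, 0xDE}
	out, err := DecodeWindowsText(sample)
	fmt.Printf("%q %v\n", out, err)
}
```

The heuristic in looksLikeUTF16LEASCII only looks at the first 64 bytes, so a file that starts with non-ASCII characters and carries no BOM is passed through untouched; when the producing command is known, prefer calling ConvertUTF16ToUTF8 directly.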

func DisableDefender

func DisableDefender(host *components.RemoteHost) error

DisableDefender disables Windows Defender.

NOTE: Microsoft recently deprecated/removed/disabled the registry keys that were used to disable Windows Defender. This means the WinDefend service will still be running, but it should not interfere (as much). https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware

TODO: Microsoft "recommends" to uninstall defender, but this only works on Windows Server and it requires a reboot.

func DotSlashNameToLogonName

func DotSlashNameToLogonName(host *components.RemoteHost, user string) (string, error)

DotSlashNameToLogonName converts a .\username to a hostname\username.

Simply stripping the .\ prefix is not sufficient because isolated names are ambiguous and may resolve to a domain account rather than a local account.

SCM uses .\ to specify the local machine when returning a local service account name.

func DownloadFile

func DownloadFile(host *components.RemoteHost, url string, destination string) error

DownloadFile downloads a file on the VM from an http/https URL

func ExportEventLog added in v0.54.0

func ExportEventLog(host *components.RemoteHost, logName string, outputPath string) error

ExportEventLog exports an event log to a file

func FindPID

func FindPID(host *components.RemoteHost, pattern string) ([]int, error)

FindPID returns a list of PIDs for processes that match the given pattern

func GetEventLogErrorsAndWarnings added in v0.54.0

func GetEventLogErrorsAndWarnings(host *components.RemoteHost, logName string) (string, error)

GetEventLogErrorsAndWarnings returns a formatted list of errors and warnings from an event log

func GetHostname

func GetHostname(host *components.RemoteHost) (string, error)

GetHostname returns the hostname of the VM

func GetJoinedDomain

func GetJoinedDomain(host *components.RemoteHost) (string, error)

GetJoinedDomain returns the domain that the host is joined to

func GetProductCodeByName

func GetProductCodeByName(host *components.RemoteHost, name string) (string, error)

GetProductCodeByName returns the product code GUID for the given product name

func GetRegistryValue

func GetRegistryValue(host *components.RemoteHost, path string, value string) (string, error)

GetRegistryValue returns a registry value from a remote host

func GetSIDForUser

func GetSIDForUser(host *components.RemoteHost, user string) (string, error)

GetSIDForUser returns the SID for the given user.

user can be of the following forms

  • username
  • hostname\username
  • domain\username
  • username@domain

func GetServiceAccountName

func GetServiceAccountName(host *components.RemoteHost, service string) (string, error)

GetServiceAccountName returns the account name that the service runs as

func GetServiceAliasSID

func GetServiceAliasSID(alias string) (string, error)

GetServiceAliasSID returns the SID for a special SCM account alias

https://learn.microsoft.com/en-us/windows/win32/services/service-user-accounts

func GetServiceImagePath added in v0.54.0

func GetServiceImagePath(host *components.RemoteHost, service string) (string, error)

GetServiceImagePath returns the image path (command line) of the service

func GetServicePID added in v0.54.0

func GetServicePID(host *components.RemoteHost, service string) (int, error)

GetServicePID returns the PID of the service

func GetServiceStatus

func GetServiceStatus(host *components.RemoteHost, service string) (string, error)

GetServiceStatus returns the status of the service

func GetUserRights

func GetUserRights(host *components.RemoteHost) (map[string][]string, error)

GetUserRights returns a map of user rights to a list of users that have them

https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment

func GetUserRightsForUser

func GetUserRightsForUser(host *components.RemoteHost, user string) ([]string, error)

GetUserRightsForUser returns a list of user rights for the given user

func InstallMSI

func InstallMSI(host *components.RemoteHost, msiPath string, args string, logPath string) error

InstallMSI installs an MSI on the VM with the provided args and collects the install log

args may need to be escaped/quoted, see MsiExec() for details

func IsKernelModeServiceType added in v0.54.0

func IsKernelModeServiceType(serviceType int) bool

IsKernelModeServiceType returns true if the service is a kernel mode service

func IsProcessRunning

func IsProcessRunning(host *components.RemoteHost, imageName string) (bool, error)

IsProcessRunning returns true if process is running

func IsTamperProtected

func IsTamperProtected(host *components.RemoteHost) (bool, error)

IsTamperProtected returns true if Windows Defender is tamper protected. If true, then Windows Defender cannot be disabled programmatically and must be disabled through the UI.

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-tamper-protection-individual-device

func IsUserModeServiceType added in v0.54.0

func IsUserModeServiceType(serviceType int) bool

IsUserModeServiceType returns true if the service is a user mode service
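An added example showing how the dwServiceType and dwStartType constants above are used by the IsKernelModeServiceType and IsUserModeServiceType predicates, and how a test would assert on them. This is illustrative code written for this page, not the package's own implementation. SERVICE_INTERACTIVE_PROCESS is a Win32 flag that is not among the package's constants; it is included only to show why the predicates mask bits rather than compare for equality. ExpectedService and CheckServiceTypes are hypothetical helpers, and the sample values are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// dwServiceType flags and dwStartType values, copied from the constants this
// package exports (see QUERY_SERVICE_CONFIG in the Service API).
const (
	SERVICE_KERNEL_DRIVER       = 0x00000001
	SERVICE_FILE_SYSTEM_DRIVER  = 0x00000002
	SERVICE_WIN32_OWN_PROCESS   = 0x00000010
	SERVICE_WIN32_SHARE_PROCESS = 0x00000020

	SERVICE_SYSTEM_START = 1
	SERVICE_AUTO_START   = 2
	SERVICE_DEMAND_START = 3
	SERVICE_DISABLED     = 4
)

// SERVICE_INTERACTIVE_PROCESS is a Win32 flag (not one of this package's
// constants) that the SCM may OR into a user-mode service type, so a value
// such as 0x110 is still a user-mode service.
const SERVICE_INTERACTIVE_PROCESS = 0x00000100

// IsKernelModeServiceType reports whether either driver bit is set.
func IsKernelModeServiceType(serviceType int) bool {
	return serviceType&(SERVICE_KERNEL_DRIVER|SERVICE_FILE_SYSTEM_DRIVER) != 0
}

// IsUserModeServiceType reports whether either Win32 process bit is set.
func IsUserModeServiceType(serviceType int) bool {
	return serviceType&(SERVICE_WIN32_OWN_PROCESS|SERVICE_WIN32_SHARE_PROCESS) != 0
}

// ExpectedService is a hypothetical description of what a test expects the
// SCM to report for a service: whether it is a kernel-mode driver and which
// start type it should have.
type ExpectedService struct {
	Name       string
	KernelMode bool
	StartType  int
}

// CheckServiceTypes compares observed (serviceType, startType) values with
// the expectation and returns one error listing every mismatch, or nil.
func CheckServiceTypes(exp ExpectedService, serviceType, startType int) error {
	var problems []string
	switch {
	case exp.KernelMode && !IsKernelModeServiceType(serviceType):
		problems = append(problems, fmt.Sprintf("expected a kernel-mode driver, got service type 0x%x", serviceType))
	case !exp.KernelMode && !IsUserModeServiceType(serviceType):
		problems = append(problems, fmt.Sprintf("expected a user-mode service, got service type 0x%x", serviceType))
	}
	if startType != exp.StartType {
		problems = append(problems, fmt.Sprintf("expected start type %d, got %d", exp.StartType, startType))
	}
	if len(problems) == 0 {
		return nil
	}
	return fmt.Errorf("service %q: %s", exp.Name, strings.Join(problems, "; "))
}

func main() {
	// Constructed sample: a shared-process Win32 service carrying the
	// interactive flag, found configured for manual start when the test
	// expected automatic start.
	observedType := SERVICE_WIN32_SHARE_PROCESS | SERVICE_INTERACTIVE_PROCESS
	exp := ExpectedService{Name: "examplesvc", StartType: SERVICE_AUTO_START}
	fmt.Println(CheckServiceTypes(exp, observedType, SERVICE_DEMAND_START))
}
```

Collecting every mismatch into one error, rather than returning on the first, makes a failing E2E run show the whole service configuration drift in a single message.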

func MakeDownLevelLogonName

func MakeDownLevelLogonName(domain string, user string) string

MakeDownLevelLogonName joins a user and domain into a single string, e.g. DOMAIN\user

domain is converted to NetBIOS format per the MSDN definition.

If domain is empty then the user is returned as-is. Use caution in this case as the isolated name may be ambiguous.

https://learn.microsoft.com/en-us/windows/win32/secauthn/user-name-formats#down-level-logon-name

func MsiExec

func MsiExec(host *components.RemoteHost, operation string, product string, args string, logPath string) error

MsiExec runs msiexec on the VM with the provided operation and args and collects the log

args may need to be escaped/quoted. The Start-Process ArgumentList parameter value is wrapped in single quotes. For example:

func NameToNetBIOSName

func NameToNetBIOSName(name string) string

NameToNetBIOSName converts a given host or DNS name into a NetBIOS formatted name

Warning: This is not necessarily the actual NetBIOS name of the host, as it can be configured separately from the DNS name.

https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/naming-conventions-for-computer-domain-site-ou
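An added example covering the three name-conversion helpers documented above (DotSlashNameToLogonName, MakeDownLevelLogonName and NameToNetBIOSName). It is illustrative code written for this page, not the package's implementation: the NetBIOS conversion applies the convention of taking the leftmost DNS label, upper-cased and cut to 15 characters, which is an assumption about what "per the MSDN definition" means here. dotSlashToLogonName is a hypothetical pure variant that takes the host name as a parameter instead of querying a remote host, and isIsolatedName is a hypothetical helper for the ambiguity both doc comments warn about. All sample names are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// netBIOSNameMaxLen is the 15-character limit on NetBIOS computer and domain names.
const netBIOSNameMaxLen = 15

// NameToNetBIOSName derives a NetBIOS-style name from a host or DNS name:
// the leftmost DNS label, upper-cased and truncated to 15 characters. The
// host's real NetBIOS name can be configured independently, so this is a
// naming convention, not a lookup.
func NameToNetBIOSName(name string) string {
	label := strings.ToUpper(strings.SplitN(name, ".", 2)[0])
	if len(label) > netBIOSNameMaxLen {
		label = label[:netBIOSNameMaxLen]
	}
	return label
}

// MakeDownLevelLogonName joins domain and user into DOMAIN\user. An empty
// domain returns the isolated user name unchanged.
func MakeDownLevelLogonName(domain string, user string) string {
	if domain == "" {
		return user
	}
	return NameToNetBIOSName(domain) + `\` + user
}

// dotSlashToLogonName (hypothetical) rewrites the SCM's .\user form to
// HOSTNAME\user so the account is unambiguously local. Any other form is
// returned unchanged.
func dotSlashToLogonName(hostname string, user string) string {
	if strings.HasPrefix(user, `.\`) {
		return MakeDownLevelLogonName(hostname, strings.TrimPrefix(user, `.\`))
	}
	return user
}

// isIsolatedName (hypothetical) reports whether a name carries no qualifier
// in either down-level (DOMAIN\user) or UPN (user@domain) form. Such names
// may resolve to a domain account instead of a local one.
func isIsolatedName(name string) bool {
	return !strings.Contains(name, `\`) && !strings.Contains(name, "@")
}

func main() {
	// Constructed sample values.
	fmt.Println(MakeDownLevelLogonName("corp.example.com", "ddagentuser"))
	fmt.Println(dotSlashToLogonName("win-agent01.corp.example.com", `.\ddagentuser`))
	fmt.Println(isIsolatedName("ddagentuser"), isIsolatedName(`CORP\ddagentuser`))
}
```

A test that compares a service's account against an expected user should normalize both sides through these helpers first; comparing the raw `.\user` string the SCM returns against `HOSTNAME\user` would fail even when the account is correct.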

func PutOrDownloadFile

func PutOrDownloadFile(host *components.RemoteHost, url string, destination string) error

PutOrDownloadFile creates a file on the VM from a file/http URL

If the URL is a local file, it will be uploaded to the VM. If the URL is a remote file, it will be downloaded by the VM.

func RegistryKeyExists added in v0.54.0

func RegistryKeyExists(host *components.RemoteHost, path string) (bool, error)

RegistryKeyExists returns true if the registry key exists on the remote host

func RemoveLocalUser added in v0.54.0

func RemoveLocalUser(host *components.RemoteHost, user string) error

RemoveLocalUser removes a local user account.

NOTE: this does not remove the user profile, which without a reboot is probably locked by the system.

func RepairAllMSI

func RepairAllMSI(host *components.RemoteHost, msiPath string, args string, logPath string) error

RepairAllMSI repairs an MSI with /fa on the VM and collects the repair log

/fa: a - forces all files to be reinstalled

args may need to be escaped/quoted, see MsiExec() for details

func RestartService

func RestartService(host *components.RemoteHost, service string) error

RestartService restarts the service

func StartService

func StartService(host *components.RemoteHost, service string) error

StartService starts the service

func StopService

func StopService(host *components.RemoteHost, service string) error

StopService stops the service

func TrimTrailingSlashesAndLower added in v0.54.0

func TrimTrailingSlashesAndLower(path string) string

TrimTrailingSlashesAndLower trims trailing slashes and lowercases the path for use in simple comparisons.

Some cases may require a more comprehensive comparison, which could be made by normalizing the path on the host via PowerShell to support removing dot paths, resolving links, etc.

func UninstallMSI

func UninstallMSI(host *components.RemoteHost, msiPath string, logPath string) error

UninstallMSI uninstalls an MSI on the VM and collects the uninstall log

Types

type AuthenticodeCertificate

type AuthenticodeCertificate struct {
	Subject    string `json:"Subject"`
	Issuer     string `json:"Issuer"`
	Thumbprint string `json:"Thumbprint"`
}

AuthenticodeCertificate represents the certificate used to sign the file

type AuthenticodeSignature

type AuthenticodeSignature struct {
	SignerCertificate AuthenticodeCertificate `json:"SignerCertificate"`
	Status            int                     `json:"Status"`
	StatusMessage     string                  `json:"StatusMessage"`
}

AuthenticodeSignature is the result of GetAuthenticodeSignature()

func GetAuthenticodeSignature

func GetAuthenticodeSignature(host *components.RemoteHost, path string) (*AuthenticodeSignature, error)

GetAuthenticodeSignature returns the Authenticode signature of the file https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-authenticodesignature

func (*AuthenticodeSignature) Valid

func (s *AuthenticodeSignature) Valid() bool

Valid returns true if the signature is valid.
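An added example of consuming Get-AuthenticodeSignature output with the two types above. It is illustrative code written for this page, not the package's implementation: it assumes the JSON comes from piping the cmdlet through ConvertTo-Json (which serializes the Status enum as an integer) and that Valid means Status equals SignatureStatus.Valid, whose integer value is 0. ParseAuthenticodeSignature and CheckSignedBy are hypothetical helpers, and both JSON samples are constructed, with a placeholder thumbprint.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

type AuthenticodeCertificate struct {
	Subject    string `json:"Subject"`
	Issuer     string `json:"Issuer"`
	Thumbprint string `json:"Thumbprint"`
}

type AuthenticodeSignature struct {
	SignerCertificate AuthenticodeCertificate `json:"SignerCertificate"`
	Status            int                     `json:"Status"`
	StatusMessage     string                  `json:"StatusMessage"`
}

// signatureStatusValid is the integer value of SignatureStatus.Valid, the
// enum Get-AuthenticodeSignature reports in its Status property. The other
// members (UnknownError=1, NotSigned=2, HashMismatch=3, NotTrusted=4,
// NotSupportedFileFormat=5, Incompatible=6) all indicate failure.
const signatureStatusValid = 0

// Valid reports whether the signature verified (Status == Valid).
func (s *AuthenticodeSignature) Valid() bool {
	return s.Status == signatureStatusValid
}

// ParseAuthenticodeSignature (hypothetical) decodes the JSON produced by
// Get-AuthenticodeSignature | ConvertTo-Json; properties the structs do not
// declare are ignored.
func ParseAuthenticodeSignature(raw []byte) (*AuthenticodeSignature, error) {
	var sig AuthenticodeSignature
	if err := json.Unmarshal(raw, &sig); err != nil {
		return nil, fmt.Errorf("parsing Get-AuthenticodeSignature output: %w", err)
	}
	return &sig, nil
}

// CheckSignedBy (hypothetical) is what an install test should assert: a
// valid signature from the wrong publisher is still a failure, so it
// requires both Valid() and a subject naming the expected publisher.
func CheckSignedBy(sig *AuthenticodeSignature, expectedPublisher string) error {
	if !sig.Valid() {
		return fmt.Errorf("signature status %d: %s", sig.Status, sig.StatusMessage)
	}
	if !strings.Contains(sig.SignerCertificate.Subject, "CN="+expectedPublisher) {
		return fmt.Errorf("signed by %q, expected publisher %q", sig.SignerCertificate.Subject, expectedPublisher)
	}
	return nil
}

// Constructed sample output for a signed file; the thumbprint is a placeholder.
const sampleSignedJSON = `{
  "SignerCertificate": {
    "Subject": "CN=Example Publisher, O=Example Corp, L=Example City",
    "Issuer": "CN=Example Code Signing CA",
    "Thumbprint": "0000000000000000000000000000000000000000"
  },
  "Status": 0,
  "StatusMessage": "Signature verified."
}`

// Constructed sample output for an unsigned file (Status 2 = NotSigned).
const sampleUnsignedJSON = `{
  "SignerCertificate": null,
  "Status": 2,
  "StatusMessage": "The file is not digitally signed."
}`

func main() {
	for _, raw := range []string{sampleSignedJSON, sampleUnsignedJSON} {
		sig, err := ParseAuthenticodeSignature([]byte(raw))
		if err != nil {
			fmt.Println(err)
			continue
		}
		fmt.Println(sig.Valid(), CheckSignedBy(sig, "Example Publisher"))
	}
}
```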

type BoundPort

type BoundPort struct {
	// contains filtered or unexported fields
}

BoundPort represents a port that is bound to a process

func ListBoundPorts

func ListBoundPorts(host *components.RemoteHost) ([]*BoundPort, error)

ListBoundPorts returns a list of bound ports

func (*BoundPort) LocalAddress

func (b *BoundPort) LocalAddress() string

LocalAddress returns the local address of the bound port

func (*BoundPort) LocalPort

func (b *BoundPort) LocalPort() int

LocalPort returns the local port of the bound port

func (*BoundPort) PID

func (b *BoundPort) PID() int

PID returns the PID of the bound port

func (*BoundPort) Process

func (b *BoundPort) Process() string

Process returns the process name of the bound port

type FileSystemSnapshot

type FileSystemSnapshot struct {
	// contains filtered or unexported fields
}

FileSystemSnapshot represents a snapshot of the system files that can be used to compare against later

func NewFileSystemSnapshot

func NewFileSystemSnapshot(host *components.RemoteHost, pathsToIgnore []string) (*FileSystemSnapshot, error)

NewFileSystemSnapshot takes a snapshot of the system files that can be used to compare against later. The snapshot is overwritten if it already exists.

func (*FileSystemSnapshot) Cleanup

func (fs *FileSystemSnapshot) Cleanup() error

Cleanup removes the snapshot if it exists

func (*FileSystemSnapshot) CompareSnapshots

func (fs *FileSystemSnapshot) CompareSnapshots(other *FileSystemSnapshot) (string, error)

CompareSnapshots compares two system file snapshots and returns a list of files that are missing in the second snapshot

func (*FileSystemSnapshot) Validate

func (fs *FileSystemSnapshot) Validate() error

Validate ensures the snapshot file exists and is a reasonable size

type HostInfo

type HostInfo struct {
	Hostname string
	Domain   string
	OSInfo   *OSInfo
}

HostInfo contains information about a Windows host, such as the hostname and version

func GetHostInfo

func GetHostInfo(host *components.RemoteHost) (*HostInfo, error)

GetHostInfo returns HostInfo for the given VM

func (*HostInfo) IsDomainController

func (h *HostInfo) IsDomainController() bool

IsDomainController returns true if the host is a domain controller

type Identity

type Identity struct {
	Name string
	SID  string
}

Identity contains the name and SID of an identity (user or group)

func GetADGroupMembers

func GetADGroupMembers(host *components.RemoteHost, group string) ([]Identity, error)

GetADGroupMembers returns the list of members of the given AD group

func GetLocalGroupMembers

func GetLocalGroupMembers(host *components.RemoteHost, group string) ([]Identity, error)

GetLocalGroupMembers returns the list of members of the given local group

func (Identity) GetName

func (i Identity) GetName() string

GetName returns the name of the identity

func (Identity) GetSID

func (i Identity) GetSID() string

GetSID returns the SID of the identity

type OSInfo

type OSInfo struct {
	WindowsDirectory string `json:"WindowsDirectory"`
	Version          string `json:"Version"`
	SystemDrive      string `json:"SystemDrive"`
	SystemDirectory  string `json:"SystemDirectory"`
	ProductType      int    `json:"ProductType"`
	OSType           int    `json:"OSType"`
	OSProductSuite   int    `json:"OSProductSuite"`
	OSLanguage       int    `json:"OSLanguage"`
	Locale           string `json:"Locale"`
	BuildNumber      string `json:"BuildNumber"`
	Caption          string `json:"Caption"`
}

OSInfo contains a selection of values from: Get-WmiObject Win32_OperatingSystem https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/win32-operatingsystem

func GetOSInfo

func GetOSInfo(host *components.RemoteHost) (*OSInfo, error)

GetOSInfo returns OSInfo for the given VM

type SecurityIdentifier

type SecurityIdentifier interface {
	GetName() string
	GetSID() string
}

SecurityIdentifier is an interface for objects that have a name and SID

type ServiceConfig

type ServiceConfig struct {
	ServiceName        string
	DisplayName        string
	ImagePath          string
	StartType          int
	ServiceType        int
	Status             int
	UserName           string
	UserSID            string
	ServicesDependedOn []string `json:"-"`
}

ServiceConfig contains information about a Windows service

func (*ServiceConfig) FetchUserSID

func (s *ServiceConfig) FetchUserSID(host *components.RemoteHost) error

FetchUserSID fetches the SID for the service user

func (*ServiceConfig) UnmarshalJSON

func (s *ServiceConfig) UnmarshalJSON(b []byte) error

UnmarshalJSON implements the yaml.Unmarshaler interface

type ServiceConfigMap

type ServiceConfigMap map[string]*ServiceConfig

ServiceConfigMap maps a service name to a ServiceConfig

func GetEmptyServiceConfigMap

func GetEmptyServiceConfigMap(services []string) ServiceConfigMap

GetEmptyServiceConfigMap returns a ServiceConfigMap with only the ServiceName set

func GetServiceConfigMap

func GetServiceConfigMap(host *components.RemoteHost, services []string) (ServiceConfigMap, error)

GetServiceConfigMap returns a map of service names to service configuration

Directories

Path Synopsis
Package agent includes helpers related to the Datadog Agent on Windows
installers/v2
Package installers processes the installers_v2.json file
Package powershell provides
