sysql

Published: Jul 17, 2024 License: MIT Imports: 7 Imported by: 0

README

sysql

SQL-driven operating-system queries: sysql exposes operating-system state (processes, network sockets, users, packages, …) as SQL tables that can be queried like any other database.

Code Example

package main

import (
	"database/sql"
	"fmt"
	"github.com/dean2021/sysql"
)

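// main registers the sysql driver, opens an in-memory database backed by it,
// and prints pid, name and cmdline for every row of the processes table.
func main() {
	// The driver must be registered before sql.Open can resolve DriverName.
	sysql.Initialize()

	db, err := sql.Open(sysql.DriverName, ":memory:")
	if err != nil {
		panic(err)
	}
	defer db.Close()

	// The query text is a constant. If a filter ever comes from outside the
	// program, bind it with a placeholder (db.Query("... WHERE name = ?", v))
	// instead of concatenating it into the statement.
	rows, err := db.Query("select pid,name,cmdline from processes")
	if err != nil {
		panic(err)
	}
	defer rows.Close()

	var pid, name, cmdline string
	for rows.Next() {
		// A failed Scan leaves the variables holding the previous row's
		// values; stop instead of printing stale data.
		if err := rows.Scan(&pid, &name, &cmdline); err != nil {
			panic(err)
		}
		fmt.Println(pid, name, cmdline)
	}
	// Next returns false both at end of result set and on error; only Err
	// tells the two apart.
	if err := rows.Err(); err != nil {
		panic(err)
	}
}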

Build

  • darwin

go build -tags=sqlite_vtable

  • linux

CGO_ENABLED=1 GOOS=linux CC="x86_64-linux-musl-gcc" GOARCH=amd64 go build -tags=sqlite_vtable -ldflags '-s -w -extldflags "-static"'

  • windows

CGO_ENABLED=1 GOOS=windows CC="x86_64-w64-mingw32-gcc" GOARCH=amd64 go build -tags=sqlite_vtable

Playground

-- Query all supported tables

select table_name from schema group by table_name
-- Query what fields a certain table has

PRAGMA table_info('time');
-- Query what built-in functions there are

SELECT * FROM functions;
-- Check if a certain process is running with root privileges, which poses a security risk

SELECT * FROM processes WHERE name LIKE '%mysql%' AND uid = 0;
SELECT * FROM processes WHERE name = 'java' AND uid = 0;
-- Find processes whose executable is no longer on disk (e.g. a self-deleting binary)

SELECT * FROM processes WHERE on_disk = 0;
-- Look for suspicious commands in shell history

SELECT * FROM shell_history WHERE command LIKE '%nmap%';
-- View processes launched through a pseudo-terminal

SELECT pid, username, name, terminal FROM processes WHERE terminal != '';
-- Detect possible reverse shells: shell processes that hold an established network connection

SELECT p.* FROM processes AS p LEFT OUTER JOIN netstat_diag AS n ON p.pid = n.pid WHERE p.name IN ('sh', 'bash', 'nc') AND n.status = 'ESTABLISHED';
-- Determine if a certain file exists
SELECT file_exists('/etc/passwd');
-- Ping any host
SELECT * FROM ping WHERE addr='www.google.com'
-- Return the list of listening ports, with the owning process - ATT&CK T1043,T1090,T1094,T1205,T1219,T1105,T1065,T1102
select p.name, p.path, lp.local_port, lp.local_address, lp.protocol  from netstat lp LEFT JOIN processes p ON lp.pid = p.pid WHERE lp.local_port != 0 AND p.name != '';

More: https://github.com/teoseller/osquery-attck

Tables

Windows tables
TABLE NAME
cpu_info
curl
etc_hosts
functions
hash
interfaces
last
list
memory_info
netstat
os_version
patches
ping
processes
schema
services
time
users
windows_product
windows_update
Linux tables
TABLE NAME
cpu_info
crontab
curl
deb_packages
etc_hosts
file
functions
hash
interfaces
last
list
load_average
memory_info
netstat
netstat_diag
os_version
ping
processes
rpm_packages
schema
shell_history
time
users

TODO

  1. Add NPM table
  2. Add Pip table
  3. Add Jar table
  4. Add more function to sysql

Thanks

Thanks to Facebook's osquery for the idea.

Documentation

Index

Constants

const DriverName = "SQLITE3_SYSQL_EXTENSIONS"

Variables

This section is empty.

Functions

func Initialize

func Initialize()

Types

type Cursor

// Cursor is the row cursor returned by VirtualTable.Open; its Close, Column,
// EOF, Filter, Next and Rowid methods are the sqlite3.VTabCursor interface.
type Cursor struct {
	TablePlugin table.Table       // plugin that produces the rows being iterated
	Constraints table.Constraints // NOTE(review): presumably the WHERE constraints handed over in Filter — confirm in Filter
	// contains filtered or unexported fields
}

func (*Cursor) Close

func (vc *Cursor) Close() error

func (*Cursor) Column

func (vc *Cursor) Column(c *sqlite3.SQLiteContext, col int) error

func (*Cursor) EOF

func (vc *Cursor) EOF() bool

func (*Cursor) Filter

func (vc *Cursor) Filter(idxNum int, idxStr string, vals []interface{}) error

func (*Cursor) Next

func (vc *Cursor) Next() error

func (*Cursor) Rowid

func (vc *Cursor) Rowid() (int64, error)

type Module

// Module implements sqlite3.Module (Create, Connect, DestroyModule) for one
// table plugin; presumably Initialize registers one per table under DriverName.
type Module struct {
	VirtualTable *VirtualTable // the VTab handed back by Create/Connect
	TablePlugin  table.Table   // plugin whose rows the table exposes
}

func (*Module) Connect

func (m *Module) Connect(c *sqlite3.SQLiteConn, args []string) (sqlite3.VTab, error)

func (*Module) Create

func (m *Module) Create(c *sqlite3.SQLiteConn, args []string) (sqlite3.VTab, error)

func (*Module) DestroyModule

func (m *Module) DestroyModule()

type VirtualTable

// VirtualTable implements sqlite3.VTab (BestIndex, Open, Disconnect, Destroy)
// on top of a table plugin.
type VirtualTable struct {
	TablePlugin table.Table        // plugin that backs this table
	Cursor      sqlite3.VTabCursor // cursor returned by Open
}

func (*VirtualTable) BestIndex

func (v *VirtualTable) BestIndex(nConstraint []sqlite3.InfoConstraint, obl []sqlite3.InfoOrderBy) (*sqlite3.IndexResult, error)

func (*VirtualTable) Destroy

func (v *VirtualTable) Destroy() error

func (*VirtualTable) Disconnect

func (v *VirtualTable) Disconnect() error

func (*VirtualTable) Open

func (v *VirtualTable) Open() (sqlite3.VTabCursor, error)
