Clean up VQL reference

Velocidex · Sep 14, 2024 · 9562000 · 9562000
1 parent 8346ac1
commit 9562000
Show file tree

Hide file tree

Showing 21 changed files with 99 additions and 325 deletions.
diff --git a/accessors/data/scope.go b/accessors/data/scope.go
@@ -112,5 +112,5 @@ func (self ScopeFilesystemAccessor) Open(path string) (
 
 func init() {
 	accessors.Register("scope", &ScopeFilesystemAccessor{},
-		`Similar to the "data" accessor, this makes a string appears as a file. However, instead of the Filename containing the file content itself, the Filename refers to the name of a variable in the current scope that contains the data. This is useful when the binary data is not unicode safe and can not be properly represented by JSON.`)
+		`Present the content of a scope variable as a file.`)
 }
diff --git a/accessors/ewf/ewf.go b/accessors/ewf/ewf.go
@@ -93,32 +93,5 @@ func GetEWFImage(full_path *accessors.OSPath, scope vfilter.Scope) (
 func init() {
 	accessors.Register("ewf", zip.NewGzipFileSystemAccessor(
 		accessors.MustNewLinuxOSPath(""), GetEWFImage),
-		`Allow reading an ewf file.
-
-Note that usually EWF files form a set of files with extensions
-like .E01, .E02 etc. This accessor will automatically try to find
-all parts of the same volume set if the file name ends with a '.E01'.
-
-For Example
-
-SELECT * FROM glob(
-  globs="*", accessor="raw_ntfs", root=pathspec(
-    Path="/",
-    DelegateAccessor="ewf",
-    DelegatePath="C:/test.ntfs.dd.E01"))
-
-The next example reads a FAT partition through the offset
-accessor (32256 is the byte offset of the first FAT partition).
-
-    SELECT OSPath.Path AS OSPath, Size, Mode.String
-    FROM glob(
-       globs="*", accessor="fat", root=pathspec(
-          Path="/",
-          DelegateAccessor="offset",
-          DelegatePath=pathspec(
-            Path="/32256",
-            DelegateAccessor="ewf",
-            DelegatePath="/tmp/ubnist1.gen3.E01")))
-
-`)
+		`Allow reading an EWF file.`)
 }
diff --git a/accessors/ext4/ext4_accessor.go b/accessors/ext4/ext4_accessor.go
@@ -302,26 +302,7 @@ func (self *Ext4FileSystemAccessor) LstatWithOSPath(
 
 func init() {
 	accessors.Register("raw_ext4", &Ext4FileSystemAccessor{},
-		`Access the Ext4 filesystem inside an image by parsing the image.
-
-This accessor is designed to operate on images directly. It requires a
-delegate accessor to get the raw image and will open files using the
-FAT full path rooted at the top of the filesystem.
-
-## Example
-
-The following query will glob all the files under the directory 'a'
-inside a Ext4 image file
-
-SELECT *
-FROM glob(globs='/**',
-  accessor="raw_ext4",
-  root=pathspec(
-    Path="a",
-    DelegateAccessor="file",
-    DelegatePath='ext4.dd'))
-
-`)
+		`Access the Ext4 filesystem inside an image by parsing the image.`)
 
 	json.RegisterCustomEncoder(&Ext4FileInfo{}, accessors.MarshalGlobFileInfo)
 }
diff --git a/accessors/ext4/ext4_accessor_linux.go b/accessors/ext4/ext4_accessor_linux.go
@@ -93,21 +93,5 @@ func (self LinuxExt4FileSystemAccessor) New(scope vfilter.Scope) (
 
 func init() {
 	accessors.Register("ext4", &LinuxExt4FileSystemAccessor{},
-		`Access files by parsing the raw ext4 filesystems.
-
-This accessor is designed to operate on a live system. It
-automatically enumerates the mount points and attaches a raw ext4
-mount to each mounted device.
-
-Users can use the same path as is presented on the real system, but
-the raw ext4 partitions will be parsed instead.
-
-This accessor is only available under linux.
-
-## Example
-
-SELECT *
-FROM glob(globs='/boot/*', accessor="ext4")
-
-`)
+		`Access files by parsing the raw ext4 filesystems.`)
 }
diff --git a/accessors/fat/fat_accessor.go b/accessors/fat/fat_accessor.go
@@ -330,26 +330,7 @@ func (self *FATFileSystemAccessor) LstatWithOSPath(
 
 func init() {
 	accessors.Register("fat", &FATFileSystemAccessor{},
-		`Access the FAT filesystem inside an image by parsing FAT.
-
-This accessor is designed to operate on images directly. It requires a
-delegate accessor to get the raw image and will open files using the
-FAT full path rooted at the top of the filesystem.
-
-## Example
-
-The following query will glob all the files under the directory 'a'
-inside a FAT image file
-
-SELECT *
-FROM glob(globs='/**',
-  accessor="fat",
-  root=pathspec(
-    Path="a",
-    DelegateAccessor="file",
-    DelegatePath='fat.dd'))
-
-`)
+		`Access the FAT filesystem inside an image by parsing FAT.`)
 
 	json.RegisterCustomEncoder(&FATFileInfo{}, accessors.MarshalGlobFileInfo)
 }
diff --git a/accessors/mscfb/mscfb_accessor.go b/accessors/mscfb/mscfb_accessor.go
@@ -250,8 +250,7 @@ func (self *MscfbFileSystemAccessor) LstatWithOSPath(
 
 func init() {
 	accessors.Register("mscfb", &MscfbFileSystemAccessor{},
-		`Parse a MSCFB file as an archive.
-`)
+		`Parse a MSCFB file as an archive.`)
 
 	json.RegisterCustomEncoder(&MscfbFileInfo{}, accessors.MarshalGlobFileInfo)
 }
diff --git a/accessors/ntfs/mft.go b/accessors/ntfs/mft.go
@@ -210,15 +210,5 @@ func (self *MFTFileSystemAccessor) LstatWithOSPath(full_path *accessors.OSPath)
 
 func init() {
 	accessors.Register("mft", &MFTFileSystemAccessor{},
-		`Access arbitrary MFT streams as files.
-
-The filename is taken as an MFT inode number in the
-form <entry_id>-<stream_type>-<id>, e.g. 203-128-0
-
-An example of using this artifact:
-
-SELECT upload(accessor="mft", filename="C:/203-128-0")
-FROM scope()
-
-`)
+		`Access arbitrary MFT streams as files.`)
 }
diff --git a/accessors/ntfs/ntfs_accessor.go b/accessors/ntfs/ntfs_accessor.go
@@ -577,25 +577,7 @@ func Open(scope vfilter.Scope, self *ntfs.MFT_ENTRY,
 
 func init() {
 	accessors.Register("raw_ntfs", &NTFSFileSystemAccessor{},
-		`Access the NTFS filesystem inside an image by parsing NTFS.
-
-This accessor is designed to operate on images directly. It requires a
-delegate accessor to get the raw image and will open files using the
-NTFS full path rooted at the top of the filesystem.
-
-## Example
-
-The following query will open the $MFT file from the raw image file
-that will be accessed using the file accessor.
-
-SELECT * FROM parse_mft(
-  filename=pathspec(
-    Path="$MFT",
-    DelegateAccessor="file",
-    DelegatePath='ntfs.dd'),
-  accessor="raw_ntfs")
-
-`)
+		`Access the NTFS filesystem inside an image by parsing NTFS.`)
 
 	json.RegisterCustomEncoder(&NTFSFileInfo{}, accessors.MarshalGlobFileInfo)
 }
diff --git a/accessors/offset/offset.go b/accessors/offset/offset.go
@@ -139,13 +139,5 @@ func GetOffsetFile(full_path *accessors.OSPath, scope vfilter.Scope) (
 func init() {
 	accessors.Register("offset", zip.NewGzipFileSystemAccessor(
 		accessors.MustNewLinuxOSPath(""), GetOffsetFile),
-		`Allow reading another file from a specific offset.
-
-For Example
-
-FileName = pathspec(
-      DelegateAccessor="data",
-      DelegatePath=MyData,
-      Path="/5")
-`)
+		`Allow reading another file from a specific offset.`)
 }
diff --git a/accessors/pipe/pipe.go b/accessors/pipe/pipe.go
@@ -205,18 +205,6 @@ func (self PipeFilesystemAccessor) OpenWithOSPath(
 
 func init() {
 	accessors.Register("pipe", &PipeFilesystemAccessor{},
-		`Read from a VQL pipe.
-
-A VQL pipe allows data to be generated from a VQL query, as the pipe is read, the query proceeds to feed more data to it.
-
-Example:
-
-  LET MyPipe = pipe(query={
-        SELECT _value FROM range(start=0, end=10, step=1)
-  }, sep="\n")
-
-  SELECT read_file(filename="MyPipe", accessor="pipe")
-  FROM scope()
-`)
+		`Read from a VQL pipe.`)
 	vql_subsystem.RegisterFunction(&PipeFunction{})
 }
diff --git a/accessors/s3/s3.go b/accessors/s3/s3.go
@@ -258,28 +258,7 @@ func (self RawS3SystemAccessor) LstatWithOSPath(
 
 func init() {
 	accessors.Register("s3", &RawS3SystemAccessor{},
-		`Access S3 Buckets.
-
-This artifact allows access to S3 buckets:
-
-1. The first component is interpreted as the bucket name.
-
-2. Provide credentials through the VQL environment
-   variable S3_CREDENTIALS. This should be a dict with
-   a key of the bucket name and the value being the credentials.
-
-Example:
-
-LET S3_CREDENTIALS<=dict(endpoint='http://127.0.0.1:4566/',
-  credentials_key='admin',
-  credentials_secret='password',
-  no_verify_cert=1)
-
-SELECT *, read_file(filename=OSPath,
-   length=10, accessor='s3') AS Data
-FROM glob(globs='/velociraptor/orgs/root/clients/C.39a107c4c58c5efa/collections/*/uploads/auto/*', accessor='s3')
-
-`)
+		`Allows access to S3 buckets.`)
 }
 
 // Set the page size for tests. Normally we dont need to adjust this

diff --git a/accessors/smb/smb.go b/accessors/smb/smb.go
@@ -266,5 +266,5 @@ func init() {
 	}
 	accessors.Register("smb", &SMBFileSystemAccessor{
 		root: root_path,
-	}, `Access smb shares.`)
+	}, `Allows access SMB shares.`)
 }
diff --git a/accessors/sparse/sparse.go b/accessors/sparse/sparse.go
@@ -247,14 +247,5 @@ func GetSparseFile(full_path *accessors.OSPath, scope vfilter.Scope) (
 func init() {
 	accessors.Register("sparse", zip.NewGzipFileSystemAccessor(
 		accessors.MustNewPathspecOSPath(""), GetSparseFile),
-		`Allow reading another file by overlaying a sparse map on top of it.
-
-The map excludes reading from certain areas which are considered sparse.
-
-The resulting file is sparse (and therefore uploading it excludes the masked out regions). The filename is taken as a list of ranges. For example:
-
-FileName = pathspec(
-      DelegateAccessor="data", DelegatePath=MyData,
-      Path=[dict(Offset=0,Length=5), dict(Offset=10,Length=5)])
-`)
+		`Allows reading another file by overlaying a sparse map on top of it.`)
 }
diff --git a/accessors/ssh/ssh.go b/accessors/ssh/ssh.go
@@ -129,28 +129,6 @@ func (self SSHFileSystemAccessor) OpenWithOSPath(filename *accessors.OSPath) (
 }
 
 func init() {
-	accessors.Register("ssh", &SSHFileSystemAccessor{}, `
-Access a remote system's filesystem via SSH/SFTP.
-
-This accessor allows accessing remote systems via SFTP/SSH.
-This is useful for being able to search remote systems where it is not possible
-to run a Velociraptor client directly on the endpoint. For example, on embedded
-edge devices such as routers/firewalls/VPNs etc.
-
-To use this accessor you will need to provide credentials via the SSH_CONFIG
-scope variable:
-
-`+"```"+`vql
-LET SSH_CONFIG <= dict(hostname='localhost:22',
-    username='mic',
-    private_key=read_file(filename='/home/mic/.ssh/id_rsa'))
-`+"```"+`
-
-NOTES:
-
-1. hostname must have a port after the column.
-2. You can provide a password via the password parameter
-3. The private_key parameter must contain an unencrypted PEM encoded SSH private key pair.
-
-`)
+	accessors.Register("ssh", &SSHFileSystemAccessor{},
+	`Access a remote system's filesystem via SSH/SFTP.`)
 }
diff --git a/accessors/vhdx/vhdx.go b/accessors/vhdx/vhdx.go
@@ -98,24 +98,5 @@ func GetVHDXImage(full_path *accessors.OSPath, scope vfilter.Scope) (
 func init() {
 	accessors.Register("vhdx", zip.NewGzipFileSystemAccessor(
 		accessors.MustNewLinuxOSPath(""), GetVHDXImage),
-		`Allow reading a vhdx file.
-
-This accessor allows access to the content of VHDX files. Note that usually
-VHDX files are disk images with a partition table and an NTFS volume. You
-will usually need to wrap this accessor with a suitable Offset (to account
-for the parition) and parse it with the the "raw_ntfs" accessor.
-
-For Example
-
-    SELECT OSPath.Path AS OSPath, Size, Mode.String
-    FROM glob(
-       globs="*", accessor="raw_ntfs", root=pathspec(
-          Path="/",
-          DelegateAccessor="offset",
-          DelegatePath=pathspec(
-            Path="/65536",
-            DelegateAccessor="vhdx",
-            DelegatePath="/tmp/test.vhdx")))
-
-`)
+		`Allow reading a VHDX file.`)
 }
diff --git a/accessors/vmdk/vmdk.go b/accessors/vmdk/vmdk.go
@@ -98,28 +98,5 @@ func GetVMDKImage(full_path *accessors.OSPath, scope vfilter.Scope) (
 func init() {
 	accessors.Register("vmdk", zip.NewGzipFileSystemAccessor(
 		accessors.MustNewLinuxOSPath(""), GetVMDKImage),
-		`Allow reading a vmdk file.
-
-This accessor allows access to the content of VMDK files. Note that usually
-VMDK files are disk images with a partition table and an NTFS volume. You
-will usually need to wrap this accessor with a suitable Offset (to account
-for the parition) and parse it with the the "raw_ntfs" accessor.
-
-The VMDK file should be the metadata file (i.e. not the extent files).
-The extent files are expected to be in the same directory as the
-metadata file and this accessor will open them separately.
-
-For Example
-
-    SELECT OSPath.Path AS OSPath, Size, Mode.String
-    FROM glob(
-       globs="*", accessor="raw_ntfs", root=pathspec(
-          Path="/",
-          DelegateAccessor="offset",
-          DelegatePath=pathspec(
-            Path="/65536",
-            DelegateAccessor="vmdk",
-            DelegatePath="/tmp/test.vmdk")))
-
-`)
+		`Allow reading a VMDK file.`)
 }
diff --git a/accessors/zip/zip.go b/accessors/zip/zip.go
@@ -691,24 +691,10 @@ func init() {
 	accessors.Register("zip", &ZipFileSystemAccessor{
 		nocase: false,
 	},
-		`Open a zip file as if it was a directory.
-
-Filename is a pathspec with a delegate accessor opening the Zip file,
-and the Path representing the file within the zip file.
-
-Example:
-
-       select FullPath, Mtime, Size from glob(
-         globs='/**/*.txt',
-         root=pathspec(DelegateAccessor='file',
-              DelegatePath="File.zip",
-              Path='/'),
-         accessor='zip')
-
-`)
+		`Open a zip file as if it was a directory.`)
 	accessors.Register("zip_nocase", &ZipFileSystemAccessor{
 		nocase: true,
-	}, `Open a zip file as if it was a directory. Although zip files are case sensitive, this accessor behaves case insensitive`)
+	}, `Open a zip file as if it was a directory. Although zip files are case-sensitive, this accessor behaves case-insensitive`)
 
 	json.RegisterCustomEncoder(&ZipFileInfo{}, accessors.MarshalGlobFileInfo)
 

diff --git a/bin/vql.go b/bin/vql.go
@@ -189,7 +189,7 @@ func doVQLList() error {
 	if description != nil {
 		for _, k := range keys {
 			v, _ := description.Get(k)
-			fmt.Printf("%s: %s\n", k, v)
+			fmt.Printf("**%s**: %s\n\n", k, v)
 		}
 	}