Merge branch 'main' into release/10.2.x

Author: fabienfl-orc

CHANGELOG.md

@@ -1,5 +1,22 @@
 # ChangeLog
 
+## [10.2.4] - 2024-02-02
+### Added
+- Outline: add install_date, install_time and shutdown_time filled from registry
+- Outline: add computer_name to match outcome's
+
+### Changed
+- Ntfs: improve behavior for compressed buffers when shadow copy block is lost
+- GetThis: go to next file in case of errors like unrecoverable deleted file
+- Yara: update to v4.4.0
+- Yara: replace Windows library with LibreSSL to benefit some features
+
+### Fixed
+- ToolEmbed: remove unwanted warning message for run32 and run64 attributes
+- Fix breaking stdout redirection on unicode character
+- Yara: use yara.exe's workaround for block api (files are now entirely mapped)
+
+
 ## [10.2.3] - 2023-11-15
 ### Added
 - Ntfs: Windows overlay file compression support with resident files

cmake/FindYara.cmake

@@ -32,8 +32,11 @@ find_library(YARA_LIB_RELEASE
 
 add_library(yara::yara INTERFACE IMPORTED)
 
+find_package(OpenSSL REQUIRED)
+
 # Add 'OpenSSL::Crypto' if yara is built with openssl or libressl
 target_link_libraries(yara::yara
     INTERFACE
         debug ${YARA_LIB_DEBUG} optimized ${YARA_LIB_RELEASE}
+        OpenSSL::Crypto
 )

cmake/Orc.cmake

@@ -18,6 +18,7 @@ add_compile_definitions(
     NOMINMAX
     BOOST_NO_SWPRINTF
     _SILENCE_ALL_CXX17_DEPRECATION_WARNINGS
+    _SILENCE_ALL_MS_EXT_DEPRECATION_WARNINGS
     _7ZIP_ST
 )
 

external/vcpkg

@@ -17,6 +17,8 @@
 #include "ToolVersion.h"
 
 #include "Text/Fmt/Boolean.h"
+#include "Text/Fmt/ByteQuantity.h"
+#include "Text/Fmt/Limit.h"
 #include "Text/Print.h"
 #include "Text/Print/LocationSet.h"
 #include "Text/Print/OutputSpec.h"

src/OrcCommand/Command/GetThis/GetThis_Output.cpp

@@ -44,6 +44,7 @@
 #include "Archive/Appender.h"
 #include "Archive/7z/Archive7z.h"
 #include "Text/Fmt/Result.h"
+#include "Text/Fmt/Limit.h"
 
 namespace fs = std::filesystem;
 

src/OrcCommand/Command/GetThis/GetThis_Run.cpp

@@ -593,6 +593,12 @@ HRESULT Orc::Command::Wolf::Main::CreateAndUploadOutline()
             SystemDetails::GetTimeStamp(strTimeStamp);
             writer->WriteNamed(L"timestamp", strTimeStamp);
 
+            {
+                std::wstring computerName;
+                SystemDetails::GetFullComputerName(computerName);
+                writer->WriteNamed(L"computer_name", computerName);
+            }
+
             auto mothership_id = SystemDetails::GetParentProcessId();
             if (mothership_id)
             {

src/OrcCommand/Command/WolfLauncher/WolfLauncher_Run.cpp

@@ -156,7 +156,7 @@ HRESULT WolfTask::ApplyNotification(
                             {
                                 if (dwHangTime - m_dwLastReportedHang >= 30)
                                 {
-                                    Log::Error(
+                                    Log::Debug(
                                         L"{} (pid: {}): Hanged for {} secs",
                                         m_command,
                                         m_dwPID == 0 ? notification->GetProcessID() : m_dwPID,

src/OrcCommand/Command/WolfLauncher/WolfTask.cpp

@@ -196,7 +196,7 @@ std::optional<Log::Level> ParseLogLevel(const ConfigItem& item)
     const auto level = Log::ToLevel(item[CONFIGITEM_LOG_COMMON_LEVEL]);
     if (!level)
     {
-        Log::Error(L"Failed to parse log level: {} [{}]", item[CONFIGITEM_LOG_COMMON_LEVEL], level.error());
+        Log::Error(L"Failed to parse log level: {} [{}]", item[CONFIGITEM_LOG_COMMON_LEVEL].c_str(), level.error());
         return {};
     }
 
@@ -214,7 +214,7 @@ std::optional<Log::Level> ParseBacktraceLevel(const ConfigItem& item)
     if (!level)
     {
         Log::Error(
-            L"Failed to parse backtrace trigger level: {} [{}]", item[CONFIGITEM_LOG_COMMON_BACKTRACE], level.error());
+            L"Failed to parse backtrace trigger level: {} [{}]", item[CONFIGITEM_LOG_COMMON_BACKTRACE].c_str(), level.error());
         return {};
     }
 

src/OrcCommand/Log/UtilitiesLoggerConfiguration.cpp

@@ -797,6 +797,14 @@ class UtilitiesMain
     virtual HRESULT GetConfigurationFromArgcArgv(int argc, const WCHAR* argv[]) = 0;
     virtual HRESULT CheckConfiguration() = 0;
 
+    //
+    // Tool Description
+    //
+    static LPCWSTR ToolName() { return kOrcMetaNameW; }
+    static LPCWSTR ToolDescription() { return L"DFIR-ORC Windows artefact collection tool"; }
+    static LPCWSTR ToolVersion() { return kOrcVersionStringW; }
+
+
     //
     // Output handling
     //
@@ -850,7 +858,7 @@ class UtilitiesMain
         // TODO: FIXME
 
         Cmd.LoadCommonExtensions();
-        Cmd.PrintHeader(UtilityT::ToolName(), UtilityT::ToolDescription(), kOrcFileVerStringW);
+        Cmd.PrintHeader(UtilityT::ToolName(), UtilityT::ToolDescription(), UtilityT::ToolVersion());
 
         try
         {

src/OrcCommand/UtilitiesMain.h

@@ -207,7 +207,7 @@ void Archive7z::Compress(
         }
 
         CComQIPtr<IInArchive, &IID_IInArchive> archiverIn(archiver);
-        CComPtr<InStreamAdapter> inStream = new InStreamAdapter(inputArchive);
+        CComPtr<InStreamAdapter> inStream = new InStreamAdapter(inputArchive, true);
         CComPtr<ArchiveOpenCallback> archiveOpenCallback(new ArchiveOpenCallback());
         hr = archiverIn->Open(inStream, nullptr, archiveOpenCallback);
         if (FAILED(hr))

src/OrcLib/Archive/7z/Archive7z.cpp

@@ -227,7 +227,7 @@ STDMETHODIMP ArchiveUpdateCallback::GetStream(UInt32 index, ISequentialInStream*
         return S_OK;
     }
 
-    CComQIPtr<ISequentialInStream, &IID_ISequentialInStream> stream(new InStreamAdapter(item));
+    CComQIPtr<ISequentialInStream, &IID_ISequentialInStream> stream(new InStreamAdapter(item, true));
     *pInStream = stream.Detach();
 
     return S_OK;

src/OrcLib/Archive/7z/ArchiveUpdateCallback.cpp

@@ -30,7 +30,20 @@ STDMETHODIMP InStreamAdapter::Read(void* data, UInt32 size, UInt32* processedSiz
     }
 
     // Transform S_FALSE to S_OK
-    return SUCCEEDED(hr) ? S_OK : hr;
+    if (SUCCEEDED(hr))
+    {
+        return S_OK;
+    }
+
+    // Shadow copy volume Read can silently fail with some blocks and it will produce an error with ntfs compressed
+    // files. That error should be ignored so the archive is not aborted.
+    if (m_readErrorIsNotFailure)
+    {
+        Log::Error("Failed to read a stream to compress (archived item size: {}) [{}]", read, SystemError(hr));
+        return S_OK;
+    }
+
+    return hr;
 }
 
 STDMETHODIMP InStreamAdapter::Seek(Int64 offset, UInt32 seekOrigin, UInt64* newPosition)

src/OrcLib/Archive/7z/InStreamAdapter.cpp

@@ -25,8 +25,9 @@ class InStreamAdapter
     , public CMyUnknownImp
 {
 public:
-    InStreamAdapter(std::shared_ptr<ByteStream> outByteStream)
+    InStreamAdapter(std::shared_ptr<ByteStream> outByteStream, bool readErrorIsNotFailure)
         : m_stream(std::move(outByteStream))
+        , m_readErrorIsNotFailure(readErrorIsNotFailure)
     {
     }
 
@@ -43,6 +44,7 @@ class InStreamAdapter
 
 private:
     std::shared_ptr<ByteStream> m_stream;
+    bool m_readErrorIsNotFailure;
 };
 
 }  // namespace Archive

src/OrcLib/Archive/7z/InStreamAdapter.h

@@ -811,7 +811,22 @@ class Buffer
             return 0;
 
         ULONG len = 0;
-        auto pCur = get();
+        auto pCur = get_as<CHAR>();
+        while (len < size() && *pCur != 0)
+        {
+            pCur++;
+            len++;
+        }
+        return len;
+    }
+
+    ULONG WStrNLen() const
+    {
+        if (empty())
+            return 0;
+
+        ULONG len = 0;
+        auto pCur = get_as<WCHAR>();
         while (len < size() && *pCur != 0)
         {
             pCur++;
@@ -902,7 +917,7 @@ class Buffer
             if (_size == 0)
                 return std::wstring();
 
-            auto stringLength = StrNLen();
+            auto stringLength = WStrNLen();
 
             if (stringLength == 0)
                 return std::wstring();

src/OrcLib/Buffer.h

@@ -376,7 +376,7 @@ HRESULT ConfigFile::PrintConfig(const ConfigItem& config, DWORD dwIndent)
                 (config.Flags & ConfigItem::MANDATORY) ? L"Mandatory" : L"Optional",
                 config ? L"Present" : L"Absent");
             if (!config.empty())
-                Log::Info(L"{}\tDATA: \"{}\" ", szIndent, config);
+                Log::Info(L"{}\tDATA: \"{}\" ", szIndent, config.c_str());
 
             std::for_each(begin(config.SubItems), end(config.SubItems), [dwIndent](const ConfigItem& item) {
                 PrintConfig(item, dwIndent + 1);
@@ -388,7 +388,7 @@ HRESULT ConfigFile::PrintConfig(const ConfigItem& config, DWORD dwIndent)
                 L"{}ATTRIBUTE: \"{}={}\" {} {}",
                 szIndent,
                 config.strName,
-                config,
+                config.c_str(),
                 (config.Flags & ConfigItem::MANDATORY) ? L"Mandatory" : L"Optional",
                 config ? L"Present" : L"Absent");
             break;
@@ -456,7 +456,7 @@ HRESULT ConfigFile::GetOutputDir(const ConfigItem& item, std::wstring& outputDir
     {
         if (FAILED(hr = ::GetOutputDir(item.c_str(), outputDir)))
         {
-            Log::Error(L"Error in specified outputdir '{}' in config file [{}]", item, SystemError(hr));
+            Log::Error(L"Error in specified outputdir '{}' in config file [{}]", item.c_str(), SystemError(hr));
             return hr;
         }
 
@@ -477,7 +477,7 @@ HRESULT ConfigFile::GetOutputDir(const ConfigItem& item, std::wstring& outputDir
                 {
                     Log::Error(
                         L"Invalid encoding for outputdir in config file: '{}' [{}]",
-                        item.SubItems[CONFIG_CSVENCODING],
+                        item.SubItems[CONFIG_CSVENCODING].c_str(),
                         SystemError(hr));
                     return hr;
                 }
@@ -578,7 +578,7 @@ HRESULT ConfigFile::GetInputFile(const ConfigItem& item, std::wstring& inputFile
     {
         if (FAILED(hr = ::ExpandFilePath(item.c_str(), inputFile)))
         {
-            Log::Error(L"Error in specified inputfile in config file '{}' [{}]", item, SystemError(hr));
+            Log::Error(L"Error in specified inputfile in config file '{}' [{}]", item.c_str(), SystemError(hr));
             return hr;
         }
     }

src/OrcLib/Configuration/ConfigFile.cpp

@@ -261,11 +261,11 @@ class ResourceRegistry
     std::vector<ResourceRegistryItem> m_items;
 };
 
-// Look into the current xml element for an attribute's name which match the provided regex
-Result<std::optional<XmlString>>
+// Look into the current xml element for an attributes name which match the provided regex
+Result<std::vector<XmlString>>
 GetXmlAttributeValueMatch(const CComPtr<IXmlReader>& reader, std::wstring_view attributeValueRegex)
 {
-    std::vector<std::wstring> values;
+    std::vector<XmlString> values;
 
     UINT uiAttrCount = 0;
     HRESULT hr = reader->GetAttributeCount(&uiAttrCount);
@@ -277,7 +277,7 @@ GetXmlAttributeValueMatch(const CComPtr<IXmlReader>& reader, std::wstring_view a
 
     if (uiAttrCount == 0L)
     {
-        return std::optional<XmlString> {};
+        return std::vector<XmlString>();
     }
 
     hr = reader->MoveToFirstAttribute();
@@ -316,30 +316,28 @@ GetXmlAttributeValueMatch(const CComPtr<IXmlReader>& reader, std::wstring_view a
         }
 
         std::wregex regex(attributeValueRegex.data(), std::regex_constants::icase);
-        if (!std::regex_search(pValue, regex))
+        if (std::regex_search(pValue, regex))
         {
-            hr = reader->MoveToNextAttribute();
+            UINT lineNumber = 0;
+            hr = reader->GetLineNumber(&lineNumber);
             if (FAILED(hr))
             {
                 XmlLiteExtension::LogError(hr, reader);
-                return SystemError(hr);
+                // return;
             }
 
-            continue;
+            values.emplace_back(XmlString {{}, lineNumber, pValue});
         }
 
-        UINT lineNumber = 0;
-        hr = reader->GetLineNumber(&lineNumber);
+        hr = reader->MoveToNextAttribute();
         if (FAILED(hr))
         {
             XmlLiteExtension::LogError(hr, reader);
-            // return;
+            return SystemError(hr);
         }
-
-        return XmlString {{}, lineNumber, pValue};
     }
 
-    return std::optional<XmlString> {};
+    return values;
 }
 
 // Look into the current xml file for all attributes name which match the provided regex
@@ -380,9 +378,10 @@ GetXmlAttributesValueMatch(const std::shared_ptr<ByteStream>& xmlStream, std::ws
             continue;
         }
 
-        if ((*result).has_value())
+        if (!result->empty())
         {
-            values.emplace_back(std::move(**result));
+            std::move(std::begin(*result), std::end(*result), std::back_inserter(values));
+            result->clear();
         }
     }