Merge branch 'main' into release/10.2.x

CHANGELOG.md

@@ -1,5 +1,19 @@
 # ChangeLog
 
+## [10.2.1] - 2023-06-20
+### Changed
+- Configuration: accept wildcard as exclusion path
+- Output filename for shadow copies will be also based on volume identifier
+- Limits accept UINT_MAX instead of handling it as "no limits"
+
+### Fixed
+- Location is now overridable with cli like others options
+- GetThis: fix option 'ResurrectRecord' always set to 'no'
+- USNInfo: fix option 'ResurrectRecord' always set to 'yes'
+- USNInfo: fix location resolution on some situations with vss
+- Fix log file option
+
+
 ## [10.2.0] - 2023-04-20
 ### Added
 - Volume Shadow Copy: add fallback mode when 'vss' service is stopped using directly 'volsnap.sys'

src/OrcCommand/Command/FastFind/FastFind.h

@@ -260,6 +260,7 @@ class ORCUTILS_API Main : public UtilitiesMain
 
         std::wstring YaraSource;
         std::unique_ptr<YaraConfig> Yara;
+        std::vector<std::wstring> inputFilesystemLocations;
 
         Configuration()
             : FileSystem()

src/OrcCommand/Command/FatInfo/FatInfo.h

@@ -59,6 +59,7 @@ class ORCUTILS_API Main : public UtilitiesMain
         Intentions ColumnIntentions;
         Intentions DefaultIntentions;
         std::vector<Filter> Filters;
+        std::vector<std::wstring> InputLocations;
     };
 
     static LPCWSTR ToolName() { return L"FatInfo"; }

src/OrcCommand/Command/FatInfo/FatInfo_Config.cpp

@@ -116,10 +116,15 @@ HRESULT Main::GetConfigurationFromConfig(const ConfigItem& configitem)
         m_Config.bPopSystemObjects = false;
     m_Config.locs.SetPopulateSystemObjects((bool)m_Config.bPopSystemObjects);
 
-    if (FAILED(hr = m_Config.locs.AddLocationsFromConfigItem(configitem[FATINFO_LOCATIONS])))
+    if (configitem[FATINFO_LOCATIONS])
     {
-        Log::Error("Failed to get locations definition from config [{}]", SystemError(hr));
-        return hr;
+        if (FAILED(hr = m_Config.locs.AddLocationsFromConfigItem(configitem[FATINFO_LOCATIONS])))
+        {
+            Log::Error("Failed to get locations definition from config [{}]", SystemError(hr));
+            return hr;
+        }
+
+        LocationSet::ParseLocationsFromConfigItem(configitem[FATINFO_LOCATIONS], m_Config.InputLocations);
     }
 
     if (configitem[FATINFO_LOGGING])
@@ -235,6 +240,8 @@ HRESULT Main::GetConfigurationFromArgcArgv(int argc, LPCWSTR argv[])
         m_Config.bPopSystemObjects = false;
     m_Config.locs.SetPopulateSystemObjects((bool)m_Config.bPopSystemObjects);
 
+    LocationSet::ParseLocationsFromArgcArgv(argc, argv, m_Config.InputLocations);
+
     if (FAILED(hr = m_Config.locs.AddLocationsFromArgcArgv(argc, argv)))
         return hr;
 
@@ -261,6 +268,11 @@ HRESULT Main::CheckConfiguration()
         SystemDetails::SetOrcComputerName(m_utilitiesConfig.strComputerName);
     }
 
+    if (m_Config.InputLocations.empty())
+    {
+        Log::Critical("Missing location parameter");
+    }
+
     m_Config.locs.Consolidate(false, FSVBR::FSType::FAT);
 
     if (m_Config.output.Type == OutputSpec::Kind::None)

src/OrcCommand/Command/GetSamples/GetSamples_Config.cpp

@@ -304,7 +304,7 @@ HRESULT Main::CheckConfiguration()
 
     // TODO: make a function to use also in GetThis_config.cpp
     if (!config.limits.bIgnoreLimits
-        && (config.limits.dwlMaxTotalBytes == INFINITE && config.limits.dwMaxSampleCount == INFINITE))
+        && (!config.limits.dwlMaxTotalBytes.has_value() && !config.limits.dwMaxSampleCount.has_value()))
     {
         Log::Critical(
             "No global (at samples level, MaxTotalBytes or MaxSampleCount) has been set: set limits in configuration "

src/OrcCommand/Command/GetSamples/GetSamples_Run.cpp

@@ -283,24 +283,24 @@ HRESULT Main::WriteGetThisConfig(
 
     getthisconfig[GETTHIS_SAMPLES].Status = ConfigItem::PRESENT;
 
-    if (config.limits.dwlMaxTotalBytes != INFINITE)
+    if (config.limits.dwlMaxTotalBytes.has_value())
     {
         getthisconfig[GETTHIS_SAMPLES].SubItems[CONFIG_MAXTOTALBYTES].strData =
-            std::to_wstring(config.limits.dwlMaxTotalBytes);
+            std::to_wstring(config.limits.dwlMaxTotalBytes.value());
         getthisconfig[GETTHIS_SAMPLES].SubItems[CONFIG_MAXTOTALBYTES].Status = ConfigItem::PRESENT;
     }
 
-    if (config.limits.dwlMaxBytesPerSample != INFINITE)
+    if (config.limits.dwlMaxBytesPerSample.has_value())
     {
         getthisconfig[GETTHIS_SAMPLES].SubItems[CONFIG_MAXBYTESPERSAMPLE].strData =
-            std::to_wstring(config.limits.dwlMaxBytesPerSample);
+            std::to_wstring(config.limits.dwlMaxBytesPerSample.value());
         getthisconfig[GETTHIS_SAMPLES].SubItems[CONFIG_MAXBYTESPERSAMPLE].Status = ConfigItem::PRESENT;
     }
 
-    if (config.limits.dwMaxSampleCount != INFINITE)
+    if (config.limits.dwMaxSampleCount.has_value())
     {
         getthisconfig[GETTHIS_SAMPLES].SubItems[CONFIG_MAXSAMPLECOUNT].strData =
-            std::to_wstring(config.limits.dwMaxSampleCount);
+            std::to_wstring(config.limits.dwMaxSampleCount.value());
         getthisconfig[GETTHIS_SAMPLES].SubItems[CONFIG_MAXSAMPLECOUNT].Status = ConfigItem::PRESENT;
     }
 

src/OrcCommand/Command/GetThis/GetThis.h

@@ -153,6 +153,8 @@ class ORCUTILS_API Main : public UtilitiesMain
 
         ContentSpec GetContentSpecFromString(const std::wstring& str);
 
+        std::vector<std::wstring> inputLocations;
+
     private:
         static std::wregex g_ContentRegEx;
     };

src/OrcCommand/Command/GetThis/GetThis_Config.cpp

@@ -168,16 +168,26 @@ HRESULT Main::GetConfigurationFromConfig(const ConfigItem& configitem)
         config.bAddShadows = bAddShadows;
     }
 
-    if (FAILED(hr = config.Locations.AddLocationsFromConfigItem(configitem[GETTHIS_LOCATION])))
+    if (configitem[GETTHIS_LOCATION])
     {
-        Log::Error(L"Syntax error in specific locations parsing in config file");
-        return hr;
+        if (FAILED(hr = config.Locations.AddLocationsFromConfigItem(configitem[GETTHIS_LOCATION])))
+        {
+            Log::Error(L"Syntax error in specific locations parsing in config file");
+            return hr;
+        }
+
+        LocationSet::ParseLocationsFromConfigItem(configitem[GETTHIS_LOCATION], config.inputLocations);
     }
 
-    if (FAILED(hr = config.Locations.AddKnownLocations(configitem[GETTHIS_KNOWNLOCATIONS])))
+    if (configitem[GETTHIS_KNOWNLOCATIONS])
     {
-        Log::Error(L"Syntax error in known locations parsing in config file");
-        return hr;
+        if (FAILED(hr = config.Locations.AddKnownLocations(configitem[GETTHIS_KNOWNLOCATIONS])))
+        {
+            Log::Error(L"Syntax error in known locations parsing in config file");
+            return hr;
+        }
+
+        LocationSet::ParseLocationsFromConfigItem(configitem[GETTHIS_KNOWNLOCATIONS], config.inputLocations);
     }
 
     if (configitem[GETTHIS_SAMPLES][CONFIG_MAXBYTESPERSAMPLE])
@@ -477,6 +487,8 @@ HRESULT Main::GetConfigurationFromArgcArgv(int argc, LPCWSTR argv[])
             }
         }
 
+        LocationSet::ParseLocationsFromArgcArgv(argc, argv, config.inputLocations);
+
         if (FAILED(hr = config.Locations.AddLocationsFromArgcArgv(argc, argv)))
         {
             Log::Error("Error in specific locations parsing");
@@ -506,6 +518,11 @@ HRESULT Main::CheckConfiguration()
         config.bAddShadows = false;
     }
 
+    if (config.inputLocations.empty())
+    {
+        Log::Critical("Missing location parameter");
+    }
+
     config.Locations.Consolidate(
         (bool)config.bAddShadows,
         config.m_shadows.value_or(LocationSet::ShadowFilters()),
@@ -562,7 +579,7 @@ HRESULT Main::CheckConfiguration()
 
     // TODO: make a function to use also in GetSamples_config.cpp
     if (!config.limits.bIgnoreLimits
-        && (config.limits.dwlMaxTotalBytes == INFINITE && config.limits.dwMaxSampleCount == INFINITE))
+        && (!config.limits.dwlMaxTotalBytes.has_value() && !config.limits.dwMaxSampleCount.has_value()))
     {
         Log::Critical(
             L"No global (at samples level, MaxTotalBytes or MaxSampleCount) has been set: set limits in configuration "

src/OrcCommand/Command/GetThis/GetThis_Run.cpp

@@ -593,49 +593,49 @@ LimitStatus SampleLimitStatus(const Limits& globalLimits, const Limits& localLim
         return LimitStatus::NoLimits;
     }
 
-    if (globalLimits.dwMaxSampleCount != INFINITE)
+    if (globalLimits.dwMaxSampleCount.has_value())
     {
-        if (globalLimits.dwAccumulatedSampleCount >= globalLimits.dwMaxSampleCount)
+        if (globalLimits.dwAccumulatedSampleCount >= globalLimits.dwMaxSampleCount.value())
         {
             return GlobalSampleCountLimitReached;
         }
     }
 
-    if (localLimits.dwMaxSampleCount != INFINITE)
+    if (localLimits.dwMaxSampleCount.has_value())
     {
-        if (localLimits.dwAccumulatedSampleCount >= localLimits.dwMaxSampleCount)
+        if (localLimits.dwAccumulatedSampleCount >= localLimits.dwMaxSampleCount.value())
         {
             return LocalSampleCountLimitReached;
         }
     }
 
-    if (globalLimits.dwlMaxBytesPerSample != INFINITE)
+    if (globalLimits.dwlMaxBytesPerSample.has_value())
     {
-        if (dataSize > globalLimits.dwlMaxBytesPerSample)
+        if (dataSize > globalLimits.dwlMaxBytesPerSample.value())
         {
             return GlobalMaxBytesPerSample;
         }
     }
 
-    if (globalLimits.dwlMaxTotalBytes != INFINITE)
+    if (globalLimits.dwlMaxTotalBytes.has_value())
     {
-        if (dataSize + globalLimits.dwlAccumulatedBytesTotal > globalLimits.dwlMaxTotalBytes)
+        if (dataSize + globalLimits.dwlAccumulatedBytesTotal > globalLimits.dwlMaxTotalBytes.value())
         {
             return GlobalMaxTotalBytes;
         }
     }
 
-    if (localLimits.dwlMaxBytesPerSample != INFINITE)
+    if (localLimits.dwlMaxBytesPerSample.has_value())
     {
-        if (dataSize > localLimits.dwlMaxBytesPerSample)
+        if (dataSize > localLimits.dwlMaxBytesPerSample.value())
         {
             return LocalMaxBytesPerSample;
         }
     }
 
-    if (localLimits.dwlMaxTotalBytes != INFINITE)
+    if (localLimits.dwlMaxTotalBytes.has_value())
     {
-        if (dataSize + localLimits.dwlAccumulatedBytesTotal > localLimits.dwlMaxTotalBytes)
+        if (dataSize + localLimits.dwlAccumulatedBytesTotal > localLimits.dwlMaxTotalBytes.value())
         {
             return LocalMaxTotalBytes;
         }
@@ -1431,7 +1431,7 @@ HRESULT Main::FindMatchingSamples()
         config.Locations,
         std::bind(&Main::OnMatchingSample, this, std::placeholders::_1, std::placeholders::_2),
         false,
-        ResurrectRecordsMode::kNo);
+        config.resurrectRecordsMode);
 
     if (FAILED(hr))
     {

src/OrcCommand/Command/NTFSInfo/NTFSInfo.h

@@ -100,6 +100,7 @@ class ORCUTILS_API Main : public UtilitiesMain
         Intentions ColumnIntentions;
         Intentions DefaultIntentions;
         std::vector<Filter> Filters;
+        std::vector<std::wstring> InputLocations;
     };
 
 private:

src/OrcCommand/Command/NTFSInfo/NTFSInfo_Config.cpp

@@ -205,7 +205,9 @@ HRESULT Main::GetConfigurationFromConfig(const ConfigItem& configitem)
         if (!mode)
         {
             Log::Error(
-                L"Failed to parse 'Resurrect' attribute (value: {}) [{}]", configitem[NTFSINFO_RESURRECT].c_str(), mode.error());
+                L"Failed to parse 'Resurrect' attribute (value: {}) [{}]",
+                configitem[NTFSINFO_RESURRECT].c_str(),
+                mode.error());
         }
         else
         {
@@ -253,6 +255,8 @@ HRESULT Main::GetConfigurationFromConfig(const ConfigItem& configitem)
         return hr;
     }
 
+    LocationSet::ParseLocationsFromConfigItem(configitem[NTFSINFO_LOCATIONS], config.InputLocations);
+
     if (FAILED(hr = GetColumnsAndFiltersFromConfig(configitem)))
     {
         Log::Error(L"Failed to get column definition from config [{}]", SystemError(hr));
@@ -381,6 +385,8 @@ HRESULT Main::GetConfigurationFromArgcArgv(int argc, LPCWSTR argv[])
     }
 
     // argc/argv parameters only
+    LocationSet::ParseLocationsFromArgcArgv(argc, argv, config.InputLocations);
+
     if (boost::logic::indeterminate(config.bAddShadows))
         config.bAddShadows = false;
     if (boost::logic::indeterminate(config.bPopSystemObjects))
@@ -429,6 +435,11 @@ HRESULT Main::CheckConfiguration()
         config.bAddShadows = false;
     }
 
+    if (config.InputLocations.empty())
+    {
+        Log::Critical("Missing location parameter");
+    }
+
     config.locs.Consolidate(
         static_cast<bool>(config.bAddShadows),
         config.m_shadows.value_or(LocationSet::ShadowFilters()),

src/OrcCommand/Command/NTFSInfo/NTFSInfo_Run.cpp

@@ -646,6 +646,14 @@ HRESULT Main::RunThroughMFT()
 
     if (locations.empty())
     {
+        if (config.m_excludes.has_value() && config.m_excludes->find(L"*") != std::cend(*config.m_excludes))
+        {
+            // TODO: BEWARE: this is not complete, it should handle cases where specific drive is targetted and excluded
+            // and ShadowFilters.
+            Log::Info(L"No volume found");
+            return S_OK;
+        }
+
         Log::Critical(
             L"No NTFS volumes configured for parsing. Use \"*\" to parse all mounted volumes or list the volumes you "
             L"want parsed");

src/OrcCommand/Command/USNInfo/USNInfo.h

@@ -50,6 +50,7 @@ class ORCUTILS_API Main : public UtilitiesMain
         std::optional<LocationSet::ShadowFilters> m_shadows;
         std::optional<Ntfs::ShadowCopy::ParserType> m_shadowsParser;
         std::optional<LocationSet::PathExcludes> m_excludes;
+        std::vector<std::wstring> m_inputLocations;
     };
 
 private:

src/OrcCommand/Command/USNInfo/USNInfo_Config.cpp

@@ -45,6 +45,8 @@ HRESULT Main::GetConfigurationFromConfig(const ConfigItem& configitem)
         return hr;
     }
 
+    LocationSet::ParseLocationsFromConfigItem(configitem[USNINFO_LOCATIONS], config.m_inputLocations);
+
     boost::logic::tribool bAddShadows;
     for (auto& item : configitem[USNINFO_LOCATIONS].NodeList)
     {
@@ -141,6 +143,8 @@ HRESULT Main::GetConfigurationFromArgcArgv(int argc, LPCWSTR argv[])
         }
     }
 
+    LocationSet::ParseLocationsFromArgcArgv(argc, argv, config.m_inputLocations);
+
     if (FAILED(hr = config.locs.AddLocationsFromArgcArgv(argc, argv)))
         return hr;
 
@@ -165,6 +169,11 @@ HRESULT Main::CheckConfiguration()
         config.bAddShadows = false;
     }
 
+    if (config.m_inputLocations.empty())
+    {
+        Log::Critical("Missing location parameter");
+    }
+
     config.locs.Consolidate(
         static_cast<bool>(config.bAddShadows),
         config.m_shadows.value_or(LocationSet::ShadowFilters()),