Merge branch 'main' into release/10.1.x

CHANGELOG.md

@@ -1,5 +1,22 @@
 # ChangeLog
 
+## [10.1.5] - 2023-01-17
+### Added
+- Print configured archive and command timeouts in parameters summary
+- Outcome: add output file size in command_set.command.output.size
+
+### Changed
+- Improve location exclusion to support path such as 'c:\vss.dd'
+- Location exclusion option does not support anymore ',' as separator
+
+### Fixed
+- Ntfs: fix parsing for very fragmented volumes
+- Authenticode: fix possible incorrect AuthenticodeStatus (thanks Roger)
+- Ntfs: add check to avoid infinite loop for corrupted MFT
+- Ntfs: fix error handling for nested records possiblity leading to an handled exception
+- NtfsInfo: improve performances by reducing IO
+
+
 ## [10.1.4] - 2022-10-24
 ### Added
 - ToolEmbed: add configurations checks for compressed xml settings
@@ -14,6 +31,7 @@
 - Volume Shadow Copy: workaround for MS behavior https://github.com/DFIR-ORC/readshadow (expect slower performances with VSS)
 - Outcome: fix missing command name when job was interrupted
 
+
 ## [10.1.3] - 2022-09-26
 ### Added
 - Outline, Outcome: add execution id
@@ -31,6 +49,7 @@
 - Bits: upload when on 'single' mode (only 'overwrite' was working)
 - Guid: wide string conversion of Guid
 
+
 ## [10.1.2] - 2022-07-20
 ### Added
 - ToolEmbed: add multiple checks to detect bad configurations before deployment
@@ -42,6 +61,7 @@
 - FastFind/GetThis: fix missing error handling (ntfs_find, Yara...)
 - Terminate any child processes on WolfLauncher unexpected exit using jobs
 
+
 ## [10.1.1] - 2022-06-20
 ### Added
 - Toolembed: display a message for missing/broken resource because of bad configuration

cmake/Orc.cmake

@@ -165,4 +165,7 @@ foreach(OPTION IN ITEMS ${LINK_OPTIONS_RELEASE})
     add_link_options($<$<CONFIG:RELWITHDEBINFO>:${OPTION}>)
 endforeach()
 
+set(OPTION "/INCREMENTAL:NO")
+add_link_options($<$<CONFIG:RELWITHDEBINFO>:${OPTION}>)
+
 endmacro()

src/OrcCommand/Command/NTFSInfo/NTFSInfo_Run.cpp

@@ -109,6 +109,8 @@ HRESULT Main::RunThroughUSNJournal()
         }
     };
 
+    bool hasSomeFailure = false;
+
     for (const auto& loc : locations)
     {
         if (loc->GetType() != Location::Type::MountedVolume)
@@ -142,14 +144,16 @@ HRESULT Main::RunThroughUSNJournal()
             }
             else
             {
-                Log::Warn(L"Failed to init walk for '{}' [{}]", loc->GetLocation(), SystemError(hr));
+                Log::Critical(L"Failed to init walk for '{}' [{}]", loc->GetLocation(), SystemError(hr));
+                hasSomeFailure = true;
             }
         }
         else
         {
             if (FAILED(hr = walk.EnumJournal(callbacks)))
             {
-                Log::Error(L"Failed to walk volume '{}' [{}]", loc->GetLocation(), SystemError(hr));
+                Log::Critical(L"Failed to walk volume '{}' [{}]", loc->GetLocation(), SystemError(hr));
+                hasSomeFailure = true;
             }
             else
             {
@@ -164,6 +168,11 @@ HRESULT Main::RunThroughUSNJournal()
         }
     }
 
+    if (hasSomeFailure)
+    {
+        return E_FAIL;
+    }
+
     return S_OK;
 }
 
@@ -675,6 +684,8 @@ HRESULT Main::RunThroughMFT()
     auto timelineIterator = begin(m_TimeLineOutput.Outputs());
     auto secdescrIterator = begin(m_SecDescrOutput.Outputs());
 
+    bool hasSomeFailure = false;
+
     for (auto& loc : locations)
     {
         BOOST_SCOPE_EXIT(
@@ -784,15 +795,17 @@ HRESULT Main::RunThroughMFT()
             }
             else
             {
-                Log::Error(L"Failed to init walk for '{}' [{}]", loc->GetLocation(), SystemError(hr));
+                hasSomeFailure = true;
+                Log::Critical(L"Failed to init walk for '{}' [{}]", loc->GetLocation(), SystemError(hr));
             }
         }
         else
         {
             m_FullNameBuilder = walker.GetFullNameBuilder();
             if (FAILED(hr = walker.Walk(callBacks)))
             {
-                Log::Error(L"Failed to walk volume '{}' [{}]", loc->GetLocation(), SystemError(hr));
+                hasSomeFailure = true;
+                Log::Critical(L"Failed to walk volume '{}' [{}]", loc->GetLocation(), SystemError(hr));
             }
             else
             {
@@ -802,6 +815,11 @@ HRESULT Main::RunThroughMFT()
         }
     }
 
+    if (hasSomeFailure)
+    {
+        return E_FAIL;
+    }
+
     return S_OK;
 }
 

src/OrcCommand/Command/USNInfo/USNInfo_Run.cpp

@@ -196,7 +196,7 @@ HRESULT Main::Run()
                     return S_OK;
                 }
 
-                Log::Error(
+                Log::Critical(
                     L"Failed to init walk for volume '{}' [{}]", dir.first.m_pLoc->GetLocation(), SystemError(hr));
                 return hr;
             }

src/OrcCommand/Command/WolfLauncher/Outcome.cpp

@@ -55,6 +55,12 @@ void Write(
 
         writer->WriteNamed(L"name", item.GetName());
         writer->WriteNamed(L"type", ToString(item.GetType()));
+
+        const auto& size = item.GetSize();
+        if (size.has_value())
+        {
+            writer->WriteNamed(L"size", *size);
+        }
     }
 };
 

src/OrcCommand/Command/WolfLauncher/Outcome.h

@@ -77,6 +77,8 @@ class Archive
 class Command
 {
 public:
+    using FileSize = Traits::ByteQuantity<uint64_t>;
+
     class Origin
     {
     public:
@@ -188,9 +190,14 @@ class Command
         Type GetType() const { return m_type; }
         void SetType(Type type) { m_type = type; }
 
+        const std::optional<FileSize>& GetSize() const { return m_size; }
+        void SetSize(const uint64_t size) { m_size = size; }
+        void SetSize(const std::optional<FileSize>& size) { m_size = size; }
+
     private:
         std::wstring m_name;
         Type m_type;
+        std::optional<FileSize> m_size;
     };
 
     const std::vector<Output>& GetOutput() const { return m_output; }
@@ -263,6 +270,28 @@ class CommandSet
         return it->second;
     }
 
+    Command* GetCommandByOutputFileName(const std::wstring& name)
+    {
+        auto commandIt = std::find_if(std::begin(m_commands), std::end(m_commands), [&name](const auto& item) {
+            const auto& command = item.second;
+            const auto& output = command.GetOutput();
+
+            auto outputIt =
+                std::find_if(std::cbegin(output), std::cend(output), [&name](const Command::Output& output) {
+                    return name == output.GetName();
+                });
+
+            return outputIt != std::cend(output);
+        });
+
+        if (commandIt == std::cend(m_commands))
+        {
+            return nullptr;
+        }
+
+        return &commandIt->second;
+    }
+
     Archive& GetArchive() { return m_archive; }
     const Archive& GetArchive() const { return m_archive; }
 

src/OrcCommand/Command/WolfLauncher/WolfExecution_Config.cpp

@@ -27,6 +27,7 @@
 #include <string>
 
 #include <boost/tokenizer.hpp>
+#include "Utils/WinApi.h"
 
 using namespace std;
 
@@ -120,20 +121,23 @@ WolfExecution::GetExecutableToRun(const ConfigItem& item, wstring& strExeToRun,
     }
     else
     {
-        wstring strExeFile;
-        hr = ExpandFilePath(strExeRef.c_str(), strExeFile);
-        if (FAILED(hr))
+        std::error_code ec;
+        std::wstring strExeFile = ExpandEnvironmentStringsApi(strExeRef.c_str(), ec);
+        if (ec)
         {
-            Log::Error(L"Executable file '{}' does not exist or is not a file [{}]", strExeRef, SystemError(hr));
-            return E_FAIL;
+            Log::Error("Failed to expand environment variables in uri [{}]", ec);
+            return ToHRESULT(ec);
         }
 
-        hr = VerifyFileIsBinary(strExeFile.c_str());
-        if (FAILED(hr))
+        if (std::filesystem::exists(strExeFile, ec))
         {
+            hr = VerifyFileIsBinary(strExeFile.c_str());
+            if (FAILED(hr))
+            {
 
-            Log::Error(L"Executable file '{}' is not a compatible binary [{}]", strExeFile, SystemError(hr));
-            return E_FAIL;
+                Log::Error(L"Executable file '{}' is not a compatible binary [{}]", strExeFile, SystemError(hr));
+                return E_FAIL;
+            }
         }
 
         strExeToRun = strExeFile;

src/OrcCommand/Command/WolfLauncher/WolfExecution_Execute.cpp

@@ -237,7 +237,8 @@ void WolfExecution::ArchiveNotificationHandler(const ArchiveNotification::Notifi
     }
 
     auto&& lock = m_outcome.Lock();
-    auto& outcomeArchive = m_outcome.GetCommandSet(m_commandSet).GetArchive();
+    auto& commandSet = m_outcome.GetCommandSet(m_commandSet);
+    auto& outcomeArchive = commandSet.GetArchive();
 
     switch (notification->GetType())
     {
@@ -251,10 +252,26 @@ void WolfExecution::ArchiveNotificationHandler(const ArchiveNotification::Notifi
             m_journal.Print(
                 m_commandSet, operation, L"Add file: {} ({})", notification->Keyword(), notification->FileSize());
 
+            const auto& fileName = notification->Keyword();
+            const auto& fileSize = notification->FileSize();
+
             Outcome::Archive::Item item;
-            item.SetName(notification->Keyword());
-            item.SetSize(notification->FileSize());
+            item.SetName(fileName);
+            item.SetSize(fileSize);
             outcomeArchive.Add(item);
+
+            // BEWARE: this should not be set in archive notifications but there is no other places
+            auto command = commandSet.GetCommandByOutputFileName(fileName);
+            if (command)
+            {
+                for (auto& item : command->GetOutput())
+                {
+                    if (item.GetName() == fileName)
+                    {
+                        item.SetSize(fileSize);
+                    }
+                }
+            }
             break;
         }
         case ArchiveNotification::DirectoryAddition: {

src/OrcCommand/Command/WolfLauncher/WolfLauncher_Output.cpp

@@ -191,6 +191,9 @@ void Main::PrintParameters()
     PrintValue(node, L"Explicit key selection", keySelection.empty() ? Text::kNoneW : keySelection);
     PrintValues(node, L"Enable keys", config.EnableKeywords);
     PrintValues(node, L"Disable keys", config.DisableKeywords);
+    PrintValue(
+        node, L"Command timeout", std::chrono::duration_cast<std::chrono::minutes>(config.msCommandTerminationTimeOut));
+    PrintValue(node, L"Archive timeout", std::chrono::duration_cast<std::chrono::minutes>(config.msArchiveTimeOut));
 
     const auto kNoLimits = L"No limits";
     if (config.NoLimitsKeywords.empty())

src/OrcCommand/UtilitiesMain.cpp

@@ -813,7 +813,7 @@ void UtilitiesMain::ParseLocationExcludes(
     }
 
     std::vector<std::wstring> splits;
-    boost::split(splits, rawExcludes, boost::is_any_of(L",;|"));
+    boost::split(splits, rawExcludes, boost::is_any_of(L";|"));
 
     for (auto& exclude : splits)
     {

src/OrcCommand/UtilitiesMain.h

@@ -844,7 +844,7 @@ class UtilitiesMain
             Log::Critical("Exception during execution. Type: {}, Reason: {}", typeid(e).name(), e.what());
 
 #ifdef ORC_BUILD_BOOST_STACKTRACE
-            boost::stacktrace::stacktrace();
+            std::cerr << boost::stacktrace::stacktrace();
 #endif
             return E_ABORT;
         }
@@ -854,7 +854,7 @@ class UtilitiesMain
             Log::Critical("Exception during during command execution.");
 
 #ifdef ORC_BUILD_BOOST_STACKTRACE
-            boost::stacktrace::stacktrace();
+            std::cerr << boost::stacktrace::stacktrace();
 #endif
             return E_ABORT;
         }