Merge branch 'dev'

CMakeLists.txt

@@ -3,17 +3,18 @@ cmake_policy(VERSION 3.12)
 
 # CMake user options
 option(ORC_USE_STATIC_CRT "Use static runtime" ON)
-option(ORC_BUILD_VCPKG "Build vcpkg dependencies" OFF)
+option(ORC_BUILD_VCPKG "Build vcpkg dependencies" ON)
 
 option(ORC_BUILD_APACHE_ORC "Build Apache's ORC module" OFF)
 option(ORC_BUILD_CHAKRACORE "Build with chakracore support" OFF)
-option(ORC_BUILD_COMMAND    "Build any OrcCommabd based command" ON)
+option(ORC_BUILD_COMMAND    "Build any OrcCommand based command" ON)
 option(ORC_BUILD_FASTFIND   "Build FastFind binary" ON)
 option(ORC_BUILD_ORC        "Build Orc binary" ON)
 option(ORC_BUILD_PARQUET    "Build Parquet module" OFF)
 option(ORC_BUILD_SQL        "Build SQL module" OFF)
 option(ORC_BUILD_SSDEEP     "Build with ssdeep support" OFF)
 option(ORC_BUILD_JSON       "Build with JSON StructuredOutput enabled" ON)
+option(ORC_DOWNLOADS_ONLY   "Do not build ORC but only download vcpkg third parties" OFF)
 
 if(NOT ORC_BUILD_COMMAND)
     set(ORC_BUILD_FASTFIND OFF)
@@ -76,6 +77,8 @@ if(ORC_VCPKG_ROOT)
         fmt
         tlsh
         yara
+        rapidjson
+        stx
     )
 
     # Tools/rcedit specific dependencies
@@ -92,10 +95,6 @@ if(ORC_VCPKG_ROOT)
         list(APPEND _PACKAGES arrow)
     endif()
 
-    if(ORC_BUILD_JSON)
-        list(APPEND _PACKAGES rapidjson)
-    endif()
-
     if(ORC_BUILD_CHAKRACORE)
         list(APPEND _PACKAGES
             chakracore:x86-windows
@@ -108,9 +107,14 @@ if(ORC_VCPKG_ROOT)
         list(APPEND _PACKAGES ssdeep)
     endif()
 
+    if(ORC_DOWNLOADS_ONLY)
+        set(ONLY_DOWNLOADS "ONLY_DOWNLOADS")
+    endif()
+
     include(cmake/vcpkg.cmake)
-    if(ORC_BUILD_VCPKG)
+    if(ORC_BUILD_VCPKG OR ORC_DOWNLOADS_ONLY)
         vcpkg_install(
+            ${ONLY_DOWNLOADS}
             PATH ${ORC_VCPKG_ROOT}
             PACKAGES ${_PACKAGES}
             ARCH ${TARGET_ARCH}
@@ -120,6 +124,10 @@ if(ORC_VCPKG_ROOT)
     endif()
 endif()
 
+if(ORC_DOWNLOADS_ONLY)
+    return()
+endif()
+
 # Must be set AFTER 'VCPKG_TARGET_TRIPLET' is defined
 project(dfir-orc LANGUAGES C CXX ASM_MASM)
 

README.md

@@ -30,41 +30,41 @@ cd dfir-orc
 mkdir build-x86 build-x64
 
 cd build-x86
-cmake -G "Visual Studio 16 2019" -A Win32 -T v141_xp -DORC_BUILD_VCPKG=ON ..
+cmake -G "Visual Studio 16 2019" -A Win32 -T v141_xp ..
 cmake --build . --config MinSizeRel -- -maxcpucount
 
 cd ../build-x64
-cmake -G "Visual Studio 16 2019" -A x64 -T v141_xp -DORC_BUILD_VCPKG=ON ..
+cmake -G "Visual Studio 16 2019" -A x64 -T v141_xp ..
 cmake --build . --config MinSizeRel -- -maxcpucount
 ```
 
 * The `-T v141_xp` option will allow compatibility with Windows XP SP2 and later, it can safely be removed if this is not required.
 
-* The `ORC_BUILD_VCPKG=ON` option will build vcpkg packages in 'external/vcpkg' subdirectory.
+* The default `ORC_BUILD_VCPKG=ON` option will build vcpkg packages in 'external/vcpkg' subdirectory.
 
 **Important** Always do a `git submodule update` after any `git pull` to update submodules aswell. Alternatively, always pull with `git pull --recurse-submodules`
 
 
 ### Options
-Using default options is recommended with the exception of `ORC_BUILD_VCPKG` which should be set to **ON** so dependencies will be built automatically using vcpkg.
-
-| CMake option         | Default               | Description                   |
-|:---------------------|:----------------------|:------------------------------|
-| ORC_BUILD_VCPKG      | OFF                   | Build vcpkg dependencies      |
-| ORC_BUILD_APACHE_ORC | OFF                   | Build Apache Orc module       |
-| ORC_BUILD_CHAKRACORE | OFF                   | Build with ChakraCore support |
-| ORC_BUILD_COMMAND    | ON                    | Build OrcCommand library      |
-| ORC_BUILD_FASTFIND   | OFF                   | Build FastFind binary         |
-| ORC_BUILD_ORC        | ON                    | Build Orc binary              |
-| ORC_BUILD_PARQUET    | OFF                   | Build Parquet module (x64)    |
-| ORC_BUILD_SQL        | OFF                   | Build SQL module [1]          |
-| ORC_BUILD_SSDEEP     | OFF                   | Build with ssdeep support     |
-| ORC_BUILD_JSON       | ON                    | Build with JSON enabled       |
-| ORC_USE_STATIC_CRT   | ON                    | Use static runtime            |
-| ORC_VCPKG_ROOT       | ${ORC}/external/vcpkg | VCPKG root directory          |
-| ORC_XMLLITE_PATH     |                       | XmlLite.dll path (xp sp2)     |
-| VCPKG_TARGET_TRIPLET | Autodetect            | VCPKG triplet to use          |
-| CMAKE_TOOLCHAIN_FILE | Autodetect            | VCPKG's toolchain file        |
+
+| CMake option         | Default               | Description                      |
+|:---------------------|:----------------------|:---------------------------------|
+| ORC_DOWNLOADS_ONLY   | OFF                   | Only download vcpkg dependencies |
+| ORC_BUILD_VCPKG      | ON                    | Build vcpkg dependencies         |
+| ORC_BUILD_APACHE_ORC | OFF                   | Build Apache Orc module          |
+| ORC_BUILD_CHAKRACORE | OFF                   | Build with ChakraCore support    |
+| ORC_BUILD_COMMAND    | ON                    | Build OrcCommand library         |
+| ORC_BUILD_FASTFIND   | OFF                   | Build FastFind binary            |
+| ORC_BUILD_ORC        | ON                    | Build Orc binary                 |
+| ORC_BUILD_PARQUET    | OFF                   | Build Parquet module (x64)       |
+| ORC_BUILD_SQL        | OFF                   | Build SQL module [1]             |
+| ORC_BUILD_SSDEEP     | OFF                   | Build with ssdeep support        |
+| ORC_BUILD_JSON       | ON                    | Build with JSON enabled          |
+| ORC_USE_STATIC_CRT   | ON                    | Use static runtime               |
+| ORC_VCPKG_ROOT       | ${ORC}/external/vcpkg | VCPKG root directory             |
+| ORC_XMLLITE_PATH     |                       | XmlLite.dll path (xp sp2)        |
+| VCPKG_TARGET_TRIPLET | Autodetect            | VCPKG triplet to use             |
+| CMAKE_TOOLCHAIN_FILE | Autodetect            | VCPKG's toolchain file           |
 
 
 [1] `ORC_BUILD_SQL=ON` requires [SQL Server Native Client](https://docs.microsoft.com/en-us/sql/relational-databases/native-client/applications/installing-sql-server-native-client?view=sql-server-2017)

azure-pipelines-template.yml

@@ -2,9 +2,9 @@ parameters:
   arch: ''
 
 jobs:
-- job: vs2017_${{ parameters.arch }}
+- job: vs2019_${{ parameters.arch }}
   pool:
-    vmImage: 'vs2017-win2016'
+    vmImage: 'windows-2019'
   steps:
   - checkout: self
     clean: true
@@ -17,7 +17,7 @@ jobs:
         Build-ORC `
           -Source $(Build.SourcesDirectory) `
           -Output $(Build.SourcesDirectory)/artifacts `
-          -Toolchain vs2017 `
+          -Toolchain vs2019 `
           -Architecture ${{ parameters.arch }} `
           -Configuration Debug,MinSizeRel
 

cmake/FindApacheOrc.cmake

@@ -11,7 +11,7 @@ find_package(protobuf CONFIG REQUIRED)
 find_package(Snappy CONFIG REQUIRED)
 find_package(ZLIB REQUIRED)
 find_package(LZ4 REQUIRED)
-find_package(ZSTD REQUIRED)
+find_package(zstd CONFIG REQUIRED)
 
 # Unfortunately the directory search order has 'debug' first:
 #
@@ -45,6 +45,6 @@ target_link_libraries(ApacheOrc::ApacheOrc
         Snappy::snappy
         ZLIB::ZLIB
         LZ4::LZ4
-        ZSTD::ZSTD
+        libzstd
         debug ${APACHE_ORC_LIB_DEBUG} optimized ${APACHE_ORC_LIB_RELEASE}
 )

cmake/FindArrow.cmake

@@ -27,7 +27,7 @@ find_package(Snappy CONFIG REQUIRED)
 find_package(thrift REQUIRED)
 find_package(LZ4 REQUIRED)
 find_package(ZLIB REQUIRED)
-find_package(ZSTD REQUIRED)
+find_package(zstd CONFIG REQUIRED)
 
 find_library(ARROW_LIB_DEBUG NAMES arrow)
 
@@ -48,6 +48,6 @@ target_link_libraries(Arrow::Arrow
         Snappy::snappy
         thrift::thrift
         ZLIB::ZLIB
-        ZSTD::ZSTD
+        libzstd
         debug ${ARROW_LIB_DEBUG} optimized ${ARROW_LIB_RELEASE}
 )

cmake/vcpkg.cmake

@@ -51,12 +51,13 @@ endfunction()
 #       PACKAGES              list        list of packages to be installed
 #       ARCH                  x86/x64     build architecture
 #       USE_STATIC_CRT        ON/OFF      use static runtime
+#       ONLY_DOWNLOADS        <option>    only download dependencies
 #
 #   RESULT
 #       VCPKG_PACKAGES_FOUND  BOOL        TRUE if pacakges are found
 #
 function(vcpkg_install_packages)
-    set(OPTIONS)
+    set(OPTIONS ONLY_DOWNLOADS)
     set(SINGLE PATH ARCH USE_STATIC_CRT)
     set(MULTI PACKAGES OVERLAY_PORTS OVERLAY_TRIPLETS)
 
@@ -100,8 +101,12 @@ function(vcpkg_install_packages)
             "install ${PACKAGES_STR}\n"
     )
 
+    if(VCPKG_ONLY_DOWNLOADS)
+        set(ONLY_DOWNLOADS "--only-downloads")
+    endif()
+
     execute_process(
-        COMMAND "vcpkg.exe" --vcpkg-root ${VCPKG_PATH} ${OVERLAY_PORTS_STR} ${OVERLAY_TRIPLETS_STR} install ${PACKAGES}
+        COMMAND "vcpkg.exe" --vcpkg-root ${VCPKG_PATH} ${OVERLAY_PORTS_STR} ${OVERLAY_TRIPLETS_STR} install ${ONLY_DOWNLOADS} ${PACKAGES}
         WORKING_DIRECTORY ${VCPKG_PATH}
         RESULT_VARIABLE RESULT
     )
@@ -167,14 +172,15 @@ endfunction()
 #       USE_STATIC_CRT        ON/OFF      use static runtime
 #       OVERLAY_PORTS         path        list of overlay directories
 #       NO_UPGRADE            <option>    do not upgrade
+#       ONLY_DOWNLOADS        <option>    only download packages
 #
 #   RESULT
 #       VCPKG_FOUND           BOOL        TRUE if vcpkg is found and setup
 #       CMAKE_TOOLCHAIN_FILE  path        vcpkg toolchain
 #       VCPKG_TARGET_TRIPLET  triplet     triplet to use
 #
 function(vcpkg_install)
-    set(OPTIONS NO_UPGRADE)
+    set(OPTIONS NO_UPGRADE ONLY_DOWNLOADS)
     set(SINGLE PATH ARCH USE_STATIC_CRT)
     set(MULTI PACKAGES OVERLAY_PORTS OVERLAY_TRIPLETS)
 
@@ -184,15 +190,20 @@ function(vcpkg_install)
         PATH ${VCPKG_PATH}
     )
 
-    if(NOT NO_UPGRADE)
+    if(NOT VCPKG_NO_UPGRADE)
         vcpkg_upgrade(
             PATH ${VCPKG_PATH}
             OVERLAY_PORTS ${VCPKG_OVERLAY_PORTS}
             OVERLAY_TRIPLETS ${VCPKG_OVERLAY_TRIPLETS}
         )
     endif()
 
+    if(VCPKG_ONLY_DOWNLOADS)
+        set(ONLY_DOWNLOADS "ONLY_DOWNLOADS")
+    endif()
+
     vcpkg_install_packages(
+       ${ONLY_DOWNLOADS}
        PATH ${VCPKG_PATH}
        OVERLAY_PORTS ${VCPKG_OVERLAY_PORTS}
        OVERLAY_TRIPLETS ${VCPKG_OVERLAY_TRIPLETS}

src/CMakeLists.txt

@@ -14,8 +14,8 @@ if(ORC_BUILD_COMMAND OR ORC_BUILD_ORC OR ORC_BUILD_FASTFIND)
 endif()
 
 if(ORC_BUILD_APACHE_ORC)
-    add_subdirectory(OrcOptRowColumnLib)
-    add_subdirectory(OrcOptRowColumn)
+    add_subdirectory(OrcApacheOrcLib)
+    add_subdirectory(OrcApacheOrc)
 endif()
 
 # Parquet depends on arrow library which does not exist for x86

src/FastFind/FastFind.rc

@@ -44,16 +44,6 @@ END
 
 #endif    // APSTUDIO_INVOKED
 
-/////////////////////////////////////////////////////////////////////////////
-//
-// BINARY
-//
-
-FASTFIND_SQLSCHEMA       BINARY     "..\OrcCommand\FastFindSqlSchema.xml"
-
-/////////////////////////////////////////////////////////////////////////////
-
-
 /////////////////////////////////////////////////////////////////////////////
 //
 // Version

src/Orc/CMakeLists.txt

@@ -148,29 +148,29 @@ endif()
 if(${ORC_BUILD_APACHE_ORC})
 
     if("${TARGET_ARCH}" STREQUAL "x64")
-        set(ORCOPTROWCOLUMN_VAR_NAME "ORCOPTROWCOLUMN_X64DLL")
+        set(APACHEORC_VAR_NAME "APACHEORC_X64DLL")
     elseif("${TARGET_ARCH}" STREQUAL "x86")
-        set(ORCOPTROWCOLUMN_VAR_NAME "ORCOPTROWCOLUMN_X86DLL")
+        set(APACHEORC_VAR_NAME "APACHEORC_X86DLL")
     else()
         message(FATAL_ERROR "Unknown architecture: ${TARGET_ARCH}")
     endif()
 
     add_custom_command(
         TARGET Orc
         POST_BUILD
-        DEPENDS rcedit, OrcOptRowColumn
+        DEPENDS rcedit, OrcApacheOrc
         VERBATIM
 
         COMMAND $<TARGET_FILE:rcedit>
             set --type "VALUES"
-                --name "${ORCOPTROWCOLUMN_VAR_NAME}"
-                --value-utf16 "7z:#ORCOPTROWCOLUMN|OrcOptRowColumn.dll"
+                --name "${APACHEORC_VAR_NAME}"
+                --value-utf16 "7z:#APACHEORC|OrcApacheOrc.dll"
                 $<TARGET_FILE:Orc>
 
         COMMAND $<TARGET_FILE:rcedit>
             set --type "BINARY"
-                --name "ORCOPTROWCOLUMN"
-                --value-path $<TARGET_FILE:OrcOptRowColumn>
+                --name "APACHEORC"
+                --value-path $<TARGET_FILE:OrcApacheOrc>
                 --compress=7z
                 $<TARGET_FILE:Orc>
     )

src/Orc/Orc.cpp

@@ -115,7 +115,36 @@ int wmain(int argc, const WCHAR* argv[])
         while (g_Tools[index].szName != nullptr)
         {
             if (!_wcsicmp(argv[1], g_Tools[index].szName))
-                return g_Tools[index].WinMain(--argc, ++argv);
+            {
+                HRESULT hr = g_Tools[index].WinMain(--argc, ++argv);
+
+                // if parent is 'explorer' or debugger attached press any key to continue
+                if (IsDebuggerPresent())
+                {
+                    DebugBreak();
+                }
+                else if (UtilitiesMain::IsProcessParent(L"explorer.exe", pLog))
+                {
+                    std::wcerr << "Press any key to continue..." << std::endl;
+                    _getch();
+                }
+                else
+                {
+#ifdef _DEBUG
+                    if (!UtilitiesMain::IsProcessParent(L"cmd.exe", pLog)
+                        && !UtilitiesMain::IsProcessParent(L"WindowsTerminal.exe", pLog)
+                        && !UtilitiesMain::IsProcessParent(L"pwsh.exe", pLog)
+                        && !UtilitiesMain::IsProcessParent(L"VsDebugConsole.exe", pLog))
+                    {
+                        std::wcerr << "Press any key to continue..." << std::endl;
+                        _getch();
+                    }
+#endif
+                }
+
+                return hr;
+            }
+
             index++;
         }
     }