Merge branch 'main' into release/10.2.x

DFIR-ORC · Nov 16, 2023 · b55a779 · b55a779
2 parents cf641b7 + 37d589e
commit b55a779
Show file tree

Hide file tree

Showing 54 changed files with 888 additions and 461 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,24 @@
 # ChangeLog
 
+## [10.2.3] - 2023-11-15
+### Added
+- Ntfs: Windows overlay file compression support with resident files
+- WolfLauncher: add to element 'command' attribute 'timeout'
+- WolfLauncher: Syslog: add some more logs
+
+### Changed
+- Yara: do not disable Yara's rule when not referenced in config
+- Authenticode: enable ARM PE authenticode check
+- Display command line invalid parameter in case of parsing issue
+
+### Fixed
+- Ntfs: fix last block decompression
+- Ntfs: fix last read position after some decompression
+- Ntfs: fix Windows overlay file decompression for some ending block
+- Outcome: fix empty process informations for very short lifetime processes
+- ci: fix Get-OrcOutcome exit_code existence check
+
+
 ## [10.2.2] - 2023-09-20
 ### Added
 - Allow user to specify any 'key' from 'ORC_Offline' special command set
@@ -15,6 +34,7 @@
 - FastFind: XML output style
 - NTFSInfo/FATInfo: unexpected FirstBytes column zero padding
 
+
 ## [10.2.1] - 2023-06-20
 ### Changed
 - Configuration: accept wildcard as exclusion path
@@ -51,6 +71,20 @@
 - FastFind: add missing handling of 'Resurrect' and '/ResurrectRecords'
 
 
+## [10.1.8] - 2023-09-18
+### Added
+- Allow user to specify any 'key' from 'ORC_Offline' special command set
+
+### Changed
+- Yara: update to 4.3.2
+
+### Fixed
+- Yara: possible execution loop issue depending on the rule
+- FastFind: in the XML results file the 'Type' values for a registry match was always set to 'Type'
+- NTFSInfo/FATInfo: unexpected FirstBytes column zero padding
+- Fix log file output suboptions
+
+
 ## [10.1.7] - 2023-04-17
 ### Added
 - Add more log in case of memory starvation

diff --git a/src/Orc/Mothership_Config.cpp b/src/Orc/Mothership_Config.cpp
@@ -105,6 +105,7 @@ HRESULT Main::GetConfigurationFromArgcArgv(int argc, LPCWSTR argv[])
             }
             else
             {
+                Log::Error(L"Failed to parse command line item: '{}'", argv[i] + 1);
                 PrintUsage();
                 return E_INVALIDARG;
             }

diff --git a/src/Orc/Mothership_Run.cpp b/src/Orc/Mothership_Run.cpp
@@ -189,7 +189,7 @@ HRESULT Main::Launch(const std::wstring& command, const std::wstring& commandArg
     HANDLE hMothership = OpenProcess(PROCESS_QUERY_INFORMATION, TRUE, GetCurrentProcessId());
     if (hMothership)
     {
-        strCommandLine.append(fmt::format(L" /MothershipHandle={:#x}", reinterpret_cast<size_t>(hMothership)));
+        strCommandLine.append(fmt::format(L" /Mothership={:#x}", reinterpret_cast<size_t>(hMothership)));
     }
     else
     {

diff --git a/src/OrcCommand/Command/DD/DD_Config.cpp b/src/OrcCommand/Command/DD/DD_Config.cpp
@@ -75,6 +75,7 @@ HRESULT Main::GetConfigurationFromArgcArgv(int argc, LPCWSTR argv[])
                     ;
                 else
                 {
+                    Log::Error(L"Failed to parse command line item: '{}'", argv[i] + 1);
                     PrintUsage();
                     return E_INVALIDARG;
                 }

diff --git a/src/OrcCommand/Command/FastFind/FastFind_Config.cpp b/src/OrcCommand/Command/FastFind/FastFind_Config.cpp
@@ -434,6 +434,12 @@ HRESULT Main::GetConfigurationFromArgcArgv(int argc, LPCWSTR argv[])
                 else if (UsageOption(argv[i] + 1))
                 {
                 }
+                else
+                {
+                    Log::Error(L"Failed to parse command line item: '{}'", argv[i] + 1);
+                    PrintUsage();
+                    return E_INVALIDARG;
+                }
                 break;
             default:
                 break;

diff --git a/src/OrcCommand/Command/GetSamples/GetSamples_Config.cpp b/src/OrcCommand/Command/GetSamples/GetSamples_Config.cpp
@@ -153,6 +153,7 @@ HRESULT Main::GetConfigurationFromArgcArgv(int argc, const WCHAR* argv[])
                     ;
                 else
                 {
+                    Log::Error(L"Failed to parse command line item: '{}'", argv[i] + 1);
                     PrintUsage();
                     return E_INVALIDARG;
                 }

diff --git a/src/OrcCommand/Command/GetSectors/GetSectors_Config.cpp b/src/OrcCommand/Command/GetSectors/GetSectors_Config.cpp
@@ -70,9 +70,9 @@ HRESULT Main::GetConfigurationFromArgcArgv(int argc, LPCWSTR argv[])
                     ;
                 else
                 {
-                    Log::Error(L"[!] Unknown option : \"{}\".", argv[i]);
-                    Log::Error(L"Use /help to list the available options.");
-                    exit(-1);
+                    Log::Error(L"Failed to parse command line item: '{}'", argv[i] + 1);
+                    PrintUsage();
+                    return E_INVALIDARG;
                 }
                 break;
             default:

diff --git a/src/OrcCommand/Command/GetThis/GetThis.h b/src/OrcCommand/Command/GetThis/GetThis.h
@@ -372,7 +372,7 @@ class ORCUTILS_API Main : public UtilitiesMain
 
     HRESULT FindMatchingSamples();
 
-    void OnMatchingSample(const std::shared_ptr<FileFind::Match>& aMatch, bool bStop);
+    void OnMatchingSample(const std::shared_ptr<FileFind::Match>& aMatch, bool& bStop);
     void OnSampleWritten(const SampleRef& sample, const SampleSpec& sampleSpec, HRESULT hrWrite) const;
 
 public:

diff --git a/src/OrcCommand/Command/GetThis/GetThis_Config.cpp b/src/OrcCommand/Command/GetThis/GetThis_Config.cpp
@@ -478,6 +478,7 @@ HRESULT Main::GetConfigurationFromArgcArgv(int argc, LPCWSTR argv[])
                         ;
                     else
                     {
+                        Log::Error(L"Failed to parse command line item: '{}'", argv[i] + 1);
                         PrintUsage();
                         return E_INVALIDARG;
                     }

diff --git a/src/OrcCommand/Command/GetThis/GetThis_Run.cpp b/src/OrcCommand/Command/GetThis/GetThis_Run.cpp
@@ -1346,7 +1346,7 @@ void Main::OnSampleWritten(const SampleRef& sample, const SampleSpec& sampleSpec
     }
 }
 
-void Main::OnMatchingSample(const std::shared_ptr<FileFind::Match>& aMatch, bool bStop)
+void Main::OnMatchingSample(const std::shared_ptr<FileFind::Match>& aMatch, bool& bStop)
 {
     HRESULT hr = E_FAIL;
 
@@ -1390,7 +1390,7 @@ void Main::OnMatchingSample(const std::shared_ptr<FileFind::Match>& aMatch, bool
         auto sample = CreateSample(aMatch, i, sampleSpec);
         UpdateSamplesLimits(sampleSpec, *sample);
 
-        // TODO: memory optimization: check that sampleIds is resetted when volume changes
+        // TODO: memory optimization: check that sampleIds is reset when volume changes
         m_sampleIds.insert(SampleId(*sample));
 
         if (config.Output.Type == OutputSpec::Kind::Archive)
@@ -1527,7 +1527,7 @@ HRESULT Main::Run()
     catch (...)
     {
         Log::Error(L"GetThis failed during sample collection, terminating archive");
-        return E_ABORT;
+        return E_UNEXPECTED;
     }
 
     return S_OK;

diff --git a/src/OrcCommand/Command/NTFSInfo/NTFSInfo_Config.cpp b/src/OrcCommand/Command/NTFSInfo/NTFSInfo_Config.cpp
@@ -381,7 +381,7 @@ HRESULT Main::GetConfigurationFromArgcArgv(int argc, LPCWSTR argv[])
     catch (...)
     {
         Log::Error("NTFSInfo failed during argument parsing, exiting");
-        return E_ABORT;
+        return E_UNEXPECTED;
     }
 
     // argc/argv parameters only

diff --git a/src/OrcCommand/Command/NTFSUtil/NTFSUtil_Config.cpp b/src/OrcCommand/Command/NTFSUtil/NTFSUtil_Config.cpp
@@ -103,6 +103,7 @@ HRESULT Main::GetConfigurationFromArgcArgv(int argc, LPCWSTR argv[])
                     ;
                 else
                 {
+                    Log::Error(L"Failed to parse command line item: '{}'", argv[i] + 1);
                     PrintUsage();
                     return E_INVALIDARG;
                 }

diff --git a/src/OrcCommand/Command/NTFSUtil/NTFSUtil_Run.cpp b/src/OrcCommand/Command/NTFSUtil/NTFSUtil_Run.cpp
@@ -27,6 +27,7 @@
 #include "MFTOffline.h"
 #include "OfflineMFTReader.h"
 
+#include "Utils/Round.h"
 #include "Utils/TypeTraits.h"
 #include "Text/Fmt/Boolean.h"
 #include "Text/Fmt/Limit.h"
@@ -1006,11 +1007,6 @@ HRESULT Main::CommandVss()
     return S_OK;
 }
 
-constexpr uint64_t RoundUp(uint64_t offset, uint64_t pageSize)
-{
-    return (((offset)) + pageSize - 1) & (~(pageSize - 1));
-}
-
 HRESULT Orc::Command::NTFSUtil::Main::CommandBitLocker()
 {
     using namespace BitLocker;
@@ -1109,7 +1105,7 @@ HRESULT Orc::Command::NTFSUtil::Main::CommandBitLocker()
             // Reset pointer to start of info data
             reader->Seek(pHeader->InfoOffsets[i]);
 
-            auto toRead = RoundUp(infoSize + sizeof(ValidationHeader), pHeader->SectorSize);
+            auto toRead = RoundUpPow2(infoSize + sizeof(ValidationHeader), pHeader->SectorSize);
             info_buffer.SetCount(toRead);
             reader->Read(info_buffer, toRead, ullBytesRead);
 
@@ -1121,7 +1117,7 @@ HRESULT Orc::Command::NTFSUtil::Main::CommandBitLocker()
                 continue;
             }
 
-            const Traits::ByteQuantity size(RoundUp(infoSize + pValidation->Size, pHeader->SectorSize));
+            const Traits::ByteQuantity size(RoundUpPow2(infoSize + pValidation->Size, pHeader->SectorSize));
             PrintValue(metadataNode, L"Size", size);
         }
     }

diff --git a/src/OrcCommand/Command/ObjInfo/ObjInfo_Config.cpp b/src/OrcCommand/Command/ObjInfo/ObjInfo_Config.cpp
@@ -50,6 +50,7 @@ HRESULT Main::GetConfigurationFromArgcArgv(int argc, LPCWSTR argv[])
                     ;
                 else
                 {
+                    Log::Error(L"Failed to parse command line item: '{}'", argv[i] + 1);
                     PrintUsage();
                     return E_INVALIDARG;
                 }

diff --git a/src/OrcCommand/Command/ToolEmbed/ToolEmbed_Config.cpp b/src/OrcCommand/Command/ToolEmbed/ToolEmbed_Config.cpp
@@ -451,7 +451,7 @@ HRESULT Main::CheckConfiguration()
     if (dwMajor < 6 && dwMinor < 2)
     {
         Log::Error("ToolEmbed cannot be used on downlevel platform, please run ToolEmbed on Windows 7+ systems");
-        return E_ABORT;
+        return E_NOTIMPL;
     }
 
     switch (config.Todo)

diff --git a/src/OrcCommand/Command/USNInfo/USNInfo_Config.cpp b/src/OrcCommand/Command/USNInfo/USNInfo_Config.cpp
@@ -134,6 +134,7 @@ HRESULT Main::GetConfigurationFromArgcArgv(int argc, LPCWSTR argv[])
                     ;
                 else
                 {
+                    Log::Error(L"Failed to parse command line item: '{}'", argv[i] + 1);
                     PrintUsage();
                     return E_INVALIDARG;
                 }

diff --git a/src/OrcCommand/Command/WolfLauncher/ConfigFile_WOLFLauncher.cpp b/src/OrcCommand/Command/WolfLauncher/ConfigFile_WOLFLauncher.cpp
@@ -92,6 +92,8 @@ HRESULT wolf_command(ConfigItem& parent, DWORD dwIndex)
         return hr;
     if (FAILED(hr = parent[dwIndex].AddAttribute(L"optional", WOLFLAUNCHER_COMMAND_OPTIONAL, ConfigItem::OPTION)))
         return hr;
+    if (FAILED(hr = parent[dwIndex].AddAttribute(L"timeout", WOLFLAUNCHER_COMMAND_TIMEOUT, ConfigItem::OPTION)))
+        return hr;
     return S_OK;
 }
 

diff --git a/src/OrcCommand/Command/WolfLauncher/ConfigFile_WOLFLauncher.h b/src/OrcCommand/Command/WolfLauncher/ConfigFile_WOLFLauncher.h
@@ -37,6 +37,7 @@ constexpr auto WOLFLAUNCHER_COMMAND_WINVER = 5L;
 constexpr auto WOLFLAUNCHER_COMMAND_SYSTEMTYPE = 6L;
 constexpr auto WOLFLAUNCHER_COMMAND_QUEUE = 7L;
 constexpr auto WOLFLAUNCHER_COMMAND_OPTIONAL = 8L;
+constexpr auto WOLFLAUNCHER_COMMAND_TIMEOUT = 9L;
 
 constexpr auto WOLFLAUNCHER_DESTINATION = 0L;
 constexpr auto WOLFLAUNCHER_METHOD = 1L;

diff --git a/src/OrcCommand/Command/WolfLauncher/Journal.h b/src/OrcCommand/Command/WolfLauncher/Journal.h
@@ -37,7 +37,8 @@ class Journal
         const auto timepoint = std::chrono::system_clock::now();
 
         std::wstring message;
-        Text::FormatToWithoutEOL(std::back_inserter(message), "{:<16} {:<26} ", commandSet, agent);
+        Text::FormatToWithoutEOL(
+            std::back_inserter(message), "{:<16} {:<26} ", commandSet, agent.empty() ? L"Info" : agent);
         Text::FormatToWithoutEOL(std::back_inserter(message), std::forward<FmtArgs>(status)...);
 
         // TODO: instead of using console directly the syslog facility could have a custom console sink
@@ -50,7 +51,18 @@ class Journal
         const auto& syslog = Orc::Log::DefaultLogger()->Get(Log::Facility::kSyslog);
         if (syslog)
         {
-            syslog->Log(timepoint, level, ToUtf8(message));
+            std::wstring syslogMessage;
+            if (agent.empty())
+            {
+                Text::FormatToWithoutEOL(std::back_inserter(syslogMessage), "[{}] ", commandSet);
+            }
+            else
+            {
+                Text::FormatToWithoutEOL(std::back_inserter(syslogMessage), "[{}] [{}] ", commandSet, agent);
+            }
+
+            Text::FormatToWithoutEOL(std::back_inserter(syslogMessage), std::forward<FmtArgs>(status)...);
+            syslog->Log(timepoint, level, ToUtf8(syslogMessage));
         }
     }
 
@@ -60,14 +72,14 @@ class Journal
         Print(commandSet, agent, Log::Level::Info, std::forward<FmtArgs>(status)...);
     }
 
-    auto Console() { return std::pair<std::lock_guard<std::mutex>, Command::Console&> {m_mutex, m_console}; }
+    auto Console() { return std::pair<std::lock_guard<std::recursive_mutex>, Command::Console&> {m_mutex, m_console}; }
     auto Console() const
     {
-        return std::pair<std::lock_guard<std::mutex>, const Command::Console&> {m_mutex, m_console};
+        return std::pair<std::lock_guard<std::recursive_mutex>, const Command::Console&> {m_mutex, m_console};
     }
 
 private:
-    mutable std::mutex m_mutex;
+    mutable std::recursive_mutex m_mutex;
     Command::Console& m_console;
 };
 

diff --git a/src/OrcCommand/Command/WolfLauncher/WolfExecution_Config.cpp b/src/OrcCommand/Command/WolfLauncher/WolfExecution_Config.cpp
@@ -520,6 +520,20 @@ CommandMessage::Message WolfExecution::SetCommandFromConfigItem(const ConfigItem
         }
     }
 
+    if (item[WOLFLAUNCHER_COMMAND_TIMEOUT])
+    {
+        LARGE_INTEGER li;
+        hr = GetIntegerFromArg(item[WOLFLAUNCHER_COMMAND_TIMEOUT].c_str(), li);
+        if (FAILED(hr))
+        {
+            Log::Debug(L"Failed to initialize command timeout [{}]", SystemError(hr));
+            return nullptr;
+        }
+
+        std::chrono::minutes timeout(li.QuadPart);
+        command->SetTimeout(timeout);
+    }
+
     return command;
 }
 

diff --git a/src/OrcCommand/Command/WolfLauncher/WolfExecution_Execute.cpp b/src/OrcCommand/Command/WolfLauncher/WolfExecution_Execute.cpp
@@ -513,11 +513,19 @@ HRESULT WolfExecution::CreateCommandAgent(
             {
                 switch (item->GetEvent())
                 {
+                    case CommandNotification::Created: {
+                        Log::Debug(L"{}: Created", item->GetKeyword());
+                    }
+                    break;
                     case CommandNotification::Started:
                         Log::Debug(L"{}: Started", item->GetKeyword());
                         break;
                     case CommandNotification::Terminated:
                         break;
+                    case CommandNotification::Aborted: {
+                        Log::Debug(L"{}: Aborted", item->GetKeyword());
+                    }
+                    break;
                     case CommandNotification::Running:
                         break;
                     case CommandNotification::ProcessAbnormalTermination:
@@ -669,7 +677,7 @@ HRESULT WolfExecution::CreateCommandAgent(
     if (FAILED(hr))
     {
         Log::Error(
-            L"WolfLauncher cmd agent failed during initialisation (output directory: '{}', [{}])",
+            L"WolfLauncher cmd agent failed during initialisation (output directory: '{}') [{}]",
             m_Temporary.Path,
             SystemError(hr));
         return hr;

diff --git a/src/OrcCommand/Command/WolfLauncher/WolfLauncher_Config.cpp b/src/OrcCommand/Command/WolfLauncher/WolfLauncher_Config.cpp
@@ -670,7 +670,7 @@ HRESULT Main::GetConfigurationFromArgcArgv(int argc, LPCWSTR argv[])
                         ;
                     else if (ParameterOption(argv[i] + 1, L"Compression", config.strCompressionLevel))
                         ;
-                    else if (ParameterOption(argv[i] + 1, L"MothershipHandle", config.strMothershipHandle))
+                    else if (ParameterOption(argv[i] + 1, L"Mothership", config.strMothershipHandle))
                         ;
                     else if (ParameterOption(argv[i] + 1, L"archive_timeout", config.msArchiveTimeOut))
                         ;
@@ -727,6 +727,7 @@ HRESULT Main::GetConfigurationFromArgcArgv(int argc, LPCWSTR argv[])
                         ;
                     else
                     {
+                        Log::Error(L"Failed to parse command line item: '{}'", argv[i] + 1);
                         PrintUsage();
                         return E_INVALIDARG;
                     }