Merge branch 'main' into release/10.2.x

CHANGELOG.md

@@ -1,5 +1,11 @@
 # ChangeLog
 
+## [10.2.6] - 2024-08-28
+### Fixed
+- Fix local configuration relocating when executed from network path
+- ToolEmbed: fix possible issue on resource removal
+- Outcome: fix reported p7b archive file size
+
 ## [10.2.5] - 2024-06-07
 ### Added
 - Outcome: add outcome.system_type (Workstation...)

src/Orc/Orc.cpp

@@ -168,21 +168,53 @@ int PrintUsage()
     return -1;
 }
 
+void RelocateFile(const std::filesystem::path& source, const std::filesystem::path& destination, std::error_code& ec)
+{
+    auto exists = std::filesystem::exists(source, ec);
+    if (ec)
+    {
+        Log::Debug(L"Failed to check existance for {}", source, ec);
+        return;
+    }
+
+    if (exists == false)
+    {
+        return;
+    }
+
+    Log::Debug("Relocate {} to {}", source, destination);
+
+    if (!MoveFileExW(destination.c_str(), NULL, MOVEFILE_DELAY_UNTIL_REBOOT))
+    {
+        ec = LastWin32Error();
+        Log::Debug("Failed MoveFileExW [{}]", ec);
+        return;
+    }
+
+    if (!CopyFileW(source.c_str(), destination.c_str(), FALSE))
+    {
+        ec = LastWin32Error();
+        Log::Debug("Failed CopyFileW [{}]", ec);
+        return;
+    }
+}
+
 void RelocateOnLocalDrive(std::error_code& ec)
 {
-    const std::filesystem::path source = GetModuleFileNameApi(NULL, ec);
+    const std::filesystem::path mothership = GetModuleFileNameApi(NULL, ec);
     if (ec)
     {
         Log::Debug("Failed GetModuleFileNameApi [{}]", ec);
         return;
     }
 
-    if (!PathIsNetworkPathW(source.c_str()))
+    if (!PathIsNetworkPathW(mothership.c_str()))
     {
         return;
     }
 
-    Log::Warn("DFIR-Orc should not be executed from network network. It will be relocated into %TEMP%");
+    Log::Warn(
+        "ORC is executing from a network drive, relocate to local drive to prevent connectivity issues during collect");
 
     const std::filesystem::path temp = GetTempPathApi(ec);
     if (ec)
@@ -198,20 +230,19 @@ void RelocateOnLocalDrive(std::error_code& ec)
         return;
     }
 
-    const std::filesystem::path destination = temp / source.filename();
-    Log::Debug("Copy main executable {} to {}", source, destination);
-
-    if (!MoveFileExW(destination.c_str(), NULL, MOVEFILE_DELAY_UNTIL_REBOOT))
+    std::filesystem::path localConfiguration = mothership;
+    localConfiguration.replace_extension(L"xml");
+    const std::filesystem::path newLocalConfiguration = temp / localConfiguration.filename();
+    RelocateFile(localConfiguration, newLocalConfiguration, ec);
+    if (ec)
     {
-        ec = LastWin32Error();
-        Log::Debug("Failed MoveFileExW [{}]", ec);
         return;
     }
 
-    if (!CopyFileW(source.c_str(), destination.c_str(), FALSE))
+    const std::filesystem::path newMothership = temp / mothership.filename();
+    RelocateFile(mothership, newMothership, ec);
+    if (ec)
     {
-        ec = LastWin32Error();
-        Log::Debug("Failed CopyFileW [{}]", ec);
         return;
     }
 
@@ -223,14 +254,14 @@ void RelocateOnLocalDrive(std::error_code& ec)
     si.StartupInfo.cb = sizeof(si);
 
     std::vector<std::wstring> arguments;
-    for(size_t i = 1; i < __argc; ++i)
+    for (size_t i = 1; i < __argc; ++i)
     {
         arguments.emplace_back(__wargv[i]);
     }
 
     const auto commandLine = boost::join(arguments, " ");
     if (!CreateProcessW(
-            destination.c_str(),
+            newMothership.c_str(),
             const_cast<LPWSTR>(commandLine.c_str()),
             NULL,
             NULL,

src/OrcCommand/Command/NTFSInfo/NTFSInfo_Run.cpp

@@ -702,11 +702,6 @@ HRESULT Main::WriteVolStats(
             return E_FAIL;
         }
 
-        if (ntfsReader->VolumeSerialNumber() == 0)
-        {
-            int debug = 0;
-        }
-
         std::shared_ptr<VolumeReader> reader;
         auto shadow = loc->GetShadow();
         if (shadow && shadow->parentVolume)

src/OrcCommand/Command/WolfLauncher/WolfExecution_Execute.cpp

@@ -437,7 +437,7 @@ HRESULT WolfExecution::CreateArchiveAgent()
 
         ArchiveFormat fmt = OrcArchive::GetArchiveFormat(m_strArchiveFileName);
 
-        auto request = ArchiveMessage::MakeOpenRequest(m_strOutputFileName, fmt, pFinalStream, m_strCompressionLevel);
+        auto request = ArchiveMessage::MakeOpenRequest(m_strOutputFullPath, fmt, pFinalStream, m_strCompressionLevel);
         Concurrency::send(m_ArchiveMessageBuffer, request);
     }
     else

src/OrcLib/EmbeddedResource_Embed.cpp

@@ -37,6 +37,9 @@ namespace {
 
 const auto kEncodingHint = L"utf-8";
 
+const uint8_t kDefaultAttemptLimit = 20;
+const uint32_t kDefaultAttemptDelay = 200;
+
 void SplitResourceLink(
     const std::wstring& resourceLink,
     std::wstring& resourceName,
@@ -1043,6 +1046,28 @@ void CheckYaraRules(const std::filesystem::path& peFile, const std::vector<XmlSt
     }
 }
 
+// There is sometimes a race condition with Windows after modifying the module. I guess it is only EndUpdateResource
+// which has some issue but I wrapped other api aswell.
+BOOL TryEndUpdateResource(
+    HANDLE hUpdate,
+    BOOL fDiscard,
+    uint8_t maxAttempt = kDefaultAttemptLimit,
+    uint32_t delayms = kDefaultAttemptDelay)
+{
+    for (size_t i = 1; i <= maxAttempt; ++i)
+    {
+        if (EndUpdateResourceW(hUpdate, fDiscard))
+        {
+            return TRUE;
+        }
+
+        Log::Debug(L"Failed EndUpdateResource (handle: {:#x}, attempt: {}) [{}]", hUpdate, i, LastWin32Error());
+        Sleep(delayms);
+    }
+
+    return FALSE;
+}
+
 }  // namespace
 
 HRESULT EmbeddedResource::_UpdateResource(
@@ -1228,11 +1253,10 @@ HRESULT EmbeddedResource::UpdateResources(const std::wstring& strPEToUpdate, con
 
     if (!bAtomicUpdate)
     {
-        if (!EndUpdateResource(hOutput, FALSE))
+        if (!TryEndUpdateResource(hOutput, FALSE))
         {
-            hr = HRESULT_FROM_WIN32(GetLastError());
-            Log::Error(L"Failed to update resources in '{}' (EndUpdateResource) [{}]", strPEToUpdate, SystemError(hr));
-            return hr;
+            Log::Error(L"Failed to update resources in '{}'", strPEToUpdate);
+            return E_FAIL;
         }
     }
 

src/OrcLib/ShadowCopyVolumeReader.cpp

@@ -77,11 +77,6 @@ ShadowCopyVolumeReader::Read(ULONGLONG offset, CBinaryBuffer& buffer, ULONGLONG
 {
     Log::Trace("VSS: read (offset: {:#016x}, length: {})", offset, ullBytesToRead);
 
-    if (offset == 0)
-    {
-        int debug = 0;
-    }
-
     HRESULT hr = Seek(offset);
     if (FAILED(hr))
     {