From 3b620ad8c36c60e6b049641174952b6ed636c262 Mon Sep 17 00:00:00 2001
From: fabienfl <fabien.fl-orc@ssi.gouv.fr>
Date: Wed, 28 Aug 2024 11:54:47 +0200
Subject: [PATCH 1/5] Orc: fix local configuration relocating when executed
 from network path

---
 src/Orc/Orc.cpp | 59 +++++++++++++++++++++++++++++++++++++------------
 1 file changed, 45 insertions(+), 14 deletions(-)

diff --git a/src/Orc/Orc.cpp b/src/Orc/Orc.cpp
index 06fe81f2..0a4219b3 100644
--- a/src/Orc/Orc.cpp
+++ b/src/Orc/Orc.cpp
@@ -168,21 +168,53 @@ int PrintUsage()
     return -1;
 }
 
+void RelocateFile(const std::filesystem::path& source, const std::filesystem::path& destination, std::error_code& ec)
+{
+    auto exists = std::filesystem::exists(source, ec);
+    if (ec)
+    {
+        Log::Debug(L"Failed to check existance for {}", source, ec);
+        return;
+    }
+
+    if (exists == false)
+    {
+        return;
+    }
+
+    Log::Debug("Relocate {} to {}", source, destination);
+
+    if (!MoveFileExW(destination.c_str(), NULL, MOVEFILE_DELAY_UNTIL_REBOOT))
+    {
+        ec = LastWin32Error();
+        Log::Debug("Failed MoveFileExW [{}]", ec);
+        return;
+    }
+
+    if (!CopyFileW(source.c_str(), destination.c_str(), FALSE))
+    {
+        ec = LastWin32Error();
+        Log::Debug("Failed CopyFileW [{}]", ec);
+        return;
+    }
+}
+
 void RelocateOnLocalDrive(std::error_code& ec)
 {
-    const std::filesystem::path source = GetModuleFileNameApi(NULL, ec);
+    const std::filesystem::path mothership = GetModuleFileNameApi(NULL, ec);
     if (ec)
     {
         Log::Debug("Failed GetModuleFileNameApi [{}]", ec);
         return;
     }
 
-    if (!PathIsNetworkPathW(source.c_str()))
+    if (!PathIsNetworkPathW(mothership.c_str()))
     {
         return;
     }
 
-    Log::Warn("DFIR-Orc should not be executed from network network. It will be relocated into %TEMP%");
+    Log::Warn(
+        "ORC is executing from a network drive, relocate to local drive to prevent connectivity issues during collect");
 
     const std::filesystem::path temp = GetTempPathApi(ec);
     if (ec)
@@ -198,20 +230,19 @@ void RelocateOnLocalDrive(std::error_code& ec)
         return;
     }
 
-    const std::filesystem::path destination = temp / source.filename();
-    Log::Debug("Copy main executable {} to {}", source, destination);
-
-    if (!MoveFileExW(destination.c_str(), NULL, MOVEFILE_DELAY_UNTIL_REBOOT))
+    std::filesystem::path localConfiguration = mothership;
+    localConfiguration.replace_extension(L"xml");
+    const std::filesystem::path newLocalConfiguration = temp / localConfiguration.filename();
+    RelocateFile(localConfiguration, newLocalConfiguration, ec);
+    if (ec)
     {
-        ec = LastWin32Error();
-        Log::Debug("Failed MoveFileExW [{}]", ec);
         return;
     }
 
-    if (!CopyFileW(source.c_str(), destination.c_str(), FALSE))
+    const std::filesystem::path newMothership = temp / mothership.filename();
+    RelocateFile(mothership, newMothership, ec);
+    if (ec)
     {
-        ec = LastWin32Error();
-        Log::Debug("Failed CopyFileW [{}]", ec);
         return;
     }
 
@@ -223,14 +254,14 @@ void RelocateOnLocalDrive(std::error_code& ec)
     si.StartupInfo.cb = sizeof(si);
 
     std::vector<std::wstring> arguments;
-    for(size_t i = 1; i < __argc; ++i)
+    for (size_t i = 1; i < __argc; ++i)
     {
         arguments.emplace_back(__wargv[i]);
     }
 
     const auto commandLine = boost::join(arguments, " ");
     if (!CreateProcessW(
-            destination.c_str(),
+            newMothership.c_str(),
             const_cast<LPWSTR>(commandLine.c_str()),
             NULL,
             NULL,

From 40c5ea1d30f3a7558915304cbc75b021406ddb37 Mon Sep 17 00:00:00 2001
From: fabienfl <fabien.fl-orc@ssi.gouv.fr>
Date: Wed, 19 Jun 2024 13:59:02 +0200
Subject: [PATCH 2/5] OrcCommand: WolfLauncher: fix reported p7b archive file
 size

Affect also Outcome
---
 src/OrcCommand/Command/WolfLauncher/WolfExecution_Execute.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/OrcCommand/Command/WolfLauncher/WolfExecution_Execute.cpp b/src/OrcCommand/Command/WolfLauncher/WolfExecution_Execute.cpp
index bc0036b7..a327a3cd 100644
--- a/src/OrcCommand/Command/WolfLauncher/WolfExecution_Execute.cpp
+++ b/src/OrcCommand/Command/WolfLauncher/WolfExecution_Execute.cpp
@@ -437,7 +437,7 @@ HRESULT WolfExecution::CreateArchiveAgent()
 
         ArchiveFormat fmt = OrcArchive::GetArchiveFormat(m_strArchiveFileName);
 
-        auto request = ArchiveMessage::MakeOpenRequest(m_strOutputFileName, fmt, pFinalStream, m_strCompressionLevel);
+        auto request = ArchiveMessage::MakeOpenRequest(m_strOutputFullPath, fmt, pFinalStream, m_strCompressionLevel);
         Concurrency::send(m_ArchiveMessageBuffer, request);
     }
     else

From 2f23a36a6011769e3309fdb24a72b503e7ce165b Mon Sep 17 00:00:00 2001
From: fabienfl <fabien.fl-orc@ssi.gouv.fr>
Date: Tue, 27 Aug 2024 17:08:49 +0200
Subject: [PATCH 3/5] OrcLib: EmbeddedResource: fix possible issue on resource
 removal

Fix possible race condition with windows api
---
 src/OrcLib/EmbeddedResource_Embed.cpp | 32 +++++++++++++++++++++++----
 1 file changed, 28 insertions(+), 4 deletions(-)

diff --git a/src/OrcLib/EmbeddedResource_Embed.cpp b/src/OrcLib/EmbeddedResource_Embed.cpp
index 85b866b1..af2c99f9 100644
--- a/src/OrcLib/EmbeddedResource_Embed.cpp
+++ b/src/OrcLib/EmbeddedResource_Embed.cpp
@@ -37,6 +37,9 @@ namespace {
 
 const auto kEncodingHint = L"utf-8";
 
+const uint8_t kDefaultAttemptLimit = 20;
+const uint32_t kDefaultAttemptDelay = 200;
+
 void SplitResourceLink(
     const std::wstring& resourceLink,
     std::wstring& resourceName,
@@ -1043,6 +1046,28 @@ void CheckYaraRules(const std::filesystem::path& peFile, const std::vector<XmlSt
     }
 }
 
+// There is sometimes a race condition with Windows after modifying the module. I guess it is only EndUpdateResource
+// which has some issue but I wrapped other api aswell.
+BOOL TryEndUpdateResource(
+    HANDLE hUpdate,
+    BOOL fDiscard,
+    uint8_t maxAttempt = kDefaultAttemptLimit,
+    uint32_t delayms = kDefaultAttemptDelay)
+{
+    for (size_t i = 1; i <= maxAttempt; ++i)
+    {
+        if (EndUpdateResourceW(hUpdate, fDiscard))
+        {
+            return TRUE;
+        }
+
+        Log::Debug(L"Failed EndUpdateResource (handle: {:#x}, attempt: {}) [{}]", hUpdate, i, LastWin32Error());
+        Sleep(delayms);
+    }
+
+    return FALSE;
+}
+
 }  // namespace
 
 HRESULT EmbeddedResource::_UpdateResource(
@@ -1228,11 +1253,10 @@ HRESULT EmbeddedResource::UpdateResources(const std::wstring& strPEToUpdate, con
 
     if (!bAtomicUpdate)
     {
-        if (!EndUpdateResource(hOutput, FALSE))
+        if (!TryEndUpdateResource(hOutput, FALSE))
         {
-            hr = HRESULT_FROM_WIN32(GetLastError());
-            Log::Error(L"Failed to update resources in '{}' (EndUpdateResource) [{}]", strPEToUpdate, SystemError(hr));
-            return hr;
+            Log::Error(L"Failed to update resources in '{}'", strPEToUpdate);
+            return E_FAIL;
         }
     }
 

From 3debbb0b3716b451b28ed2d703d0355ab1c835af Mon Sep 17 00:00:00 2001
From: fabienfl <fabien.fl-orc@ssi.gouv.fr>
Date: Thu, 11 Jul 2024 14:20:47 +0200
Subject: [PATCH 4/5] OrcLib: remove debug artefacts

---
 src/OrcCommand/Command/NTFSInfo/NTFSInfo_Run.cpp | 5 -----
 src/OrcLib/ShadowCopyVolumeReader.cpp            | 5 -----
 2 files changed, 10 deletions(-)

diff --git a/src/OrcCommand/Command/NTFSInfo/NTFSInfo_Run.cpp b/src/OrcCommand/Command/NTFSInfo/NTFSInfo_Run.cpp
index ea0cc297..83b6f97f 100644
--- a/src/OrcCommand/Command/NTFSInfo/NTFSInfo_Run.cpp
+++ b/src/OrcCommand/Command/NTFSInfo/NTFSInfo_Run.cpp
@@ -702,11 +702,6 @@ HRESULT Main::WriteVolStats(
             return E_FAIL;
         }
 
-        if (ntfsReader->VolumeSerialNumber() == 0)
-        {
-            int debug = 0;
-        }
-
         std::shared_ptr<VolumeReader> reader;
         auto shadow = loc->GetShadow();
         if (shadow && shadow->parentVolume)
diff --git a/src/OrcLib/ShadowCopyVolumeReader.cpp b/src/OrcLib/ShadowCopyVolumeReader.cpp
index 989332dc..69aa752a 100644
--- a/src/OrcLib/ShadowCopyVolumeReader.cpp
+++ b/src/OrcLib/ShadowCopyVolumeReader.cpp
@@ -77,11 +77,6 @@ ShadowCopyVolumeReader::Read(ULONGLONG offset, CBinaryBuffer& buffer, ULONGLONG
 {
     Log::Trace("VSS: read (offset: {:#016x}, length: {})", offset, ullBytesToRead);
 
-    if (offset == 0)
-    {
-        int debug = 0;
-    }
-
     HRESULT hr = Seek(offset);
     if (FAILED(hr))
     {

From 981fa6bba91d93370755bec7a01c709207701b4d Mon Sep 17 00:00:00 2001
From: fabienfl <fabien.fl-orc@ssi.gouv.fr>
Date: Wed, 28 Aug 2024 11:40:22 +0200
Subject: [PATCH 5/5] changelog: update to 10.2.6

---
 CHANGELOG.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 88052e9e..98d4989e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,11 @@
 # ChangeLog
 
+## [10.2.6] - 2024-08-28
+### Fixed
+- Fix local configuration relocating when executed from network path
+- ToolEmbed: fix possible issue on resource removal
+- Outcome: fix reported p7b archive file size
+
 ## [10.2.5] - 2024-06-07
 ### Added
 - Outcome: add outcome.system_type (Workstation...)