Merge branch 'main' into release/10.1.x

DFIR-ORC · Mar 25, 2022 · bb60937 · bb60937
2 parents 25cfe92 + 5afec8c
commit bb60937
Show file tree

Hide file tree

Showing 5 changed files with 39 additions and 8 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,32 @@
 # ChangeLog
 
+## [10.1.0] - 2022-03-25
+Summary of changes since the 10.0.24. For more details look at rc versions.
+From 10.1.0 the semantic versioning will be applied.
+
+### Added
+- Outcome: detailed execution report json output file
+- Log: syslog output for very high level logs
+- Log: multiple/parellel logs output (execution/investigation/debug)
+- Log: add log backtrace option to dump detailed logs (debug...) on error
+- Ntfs: add transparent support for WolfCompressedData
+- Ntfs: add transparent support for CI.CATALOGHINT
+- Ntfs: VolumeShadowCopy: add newest/mid/oldest targetting options
+- Add option to exclude volume
+- Add option `/nolimit:[<keyword>]` for configurated DFIR-Orc (mothership)
+- Test: add tools/ci/test.psm1 to facilitate test automation
+
+### Changed
+- Yara: use newest api for better results
+- FastFind/GetThis: add statistics for rule profiling
+- FastFind/GetThis: add more detailed output on match
+- Improve 7z archive compatibility
+- Update command line documentation and interface
+
+### Fixed
+- Many fixes
+
+
 ## [10.1.0-rc10] - 2022-02-22 - Release Candidate 10
 ### Added
 - test: add functional test helper test.psd1 and test.psm1 (see tools/ci/README.md)

diff --git a/src/OrcLib/EmbeddedResource.h b/src/OrcLib/EmbeddedResource.h
@@ -273,7 +273,7 @@ class EmbeddedResource
 
 private:
     static HRESULT _UpdateResource(
-        HANDLE& hOutput,
+        HANDLE hOutput,
         const WCHAR* szModule,
         const WCHAR* szType,
         const WCHAR* szName,

diff --git a/src/OrcLib/EmbeddedResource_Embed.cpp b/src/OrcLib/EmbeddedResource_Embed.cpp
@@ -26,7 +26,7 @@ using namespace std;
 using namespace Orc;
 
 HRESULT EmbeddedResource::_UpdateResource(
-    HANDLE& hOutput,
+    HANDLE hOutput,
     const WCHAR* szModule,
     const WCHAR* szType,
     const WCHAR* szName,
@@ -56,9 +56,6 @@ HRESULT EmbeddedResource::_UpdateResource(
 
     if (hOutput == INVALID_HANDLE_VALUE)
     {
-        // Calling EndUpdateResource will make the handle invalid for success AND failure
-        hOutput = INVALID_HANDLE_VALUE;
-
         if (!EndUpdateResource(hOut, FALSE))
         {
             hr = HRESULT_FROM_WIN32(GetLastError());

diff --git a/src/OrcLib/MFTUtils.cpp b/src/OrcLib/MFTUtils.cpp
@@ -338,14 +338,21 @@ HRESULT MFTUtils::MultiSectorFixup(PFILE_RECORD_SEGMENT_HEADER pFRS, const std::
     //
     // get the first fixup entry
     //
-    fixuparray = (WORD*)((BYTE*)pHeader + pHeader->UpdateSequenceArrayOffset) + 1;
-    fixupsig = fixuparray[-1];
     dest = (BYTE*)pHeader + lBytesPerSector - 2;
     numfix = (WORD)(pVolReader->GetBytesPerFRS() / lBytesPerSector);
 
+    if (pHeader->UpdateSequenceArrayOffset + numfix * 2 > 510)
+    {
+        Log::Error("Update sequence array is out of bounds");
+        return HRESULT_FROM_WIN32(ERROR_INVALID_DATA);
+    }
+
     //
     // go through the fixups
     //
+    fixuparray = (WORD*)((BYTE*)pHeader + pHeader->UpdateSequenceArrayOffset) + 1;
+    fixupsig = fixuparray[-1];
+
     for (i = 0; i < numfix; i++)
     {
 

diff --git a/src/OrcLib/Text/Print/FILE_NAME.cpp b/src/OrcLib/Text/Print/FILE_NAME.cpp
@@ -25,7 +25,7 @@ void Print(Tree& node, const FILE_NAME& file_name)
     const auto flags = file_name.Flags < fileFlags.size() ? fileFlags[file_name.Flags] : L"N/A";
 
     PrintValue(node, L"Name", std::wstring_view(file_name.FileName, file_name.FileNameLength));
-    PrintValue(node, L"Parent FRN", fmt::format("L{:#016x}", parentFRN));
+    PrintValue(node, L"Parent FRN", fmt::format("{:#016x}", parentFRN));
     PrintValue(node, L"Creation", creation);
     PrintValue(node, L"Last modification", lastModification);
     PrintValue(node, L"Last access", lastAccess);