diff --git a/CHANGELOG.md b/CHANGELOG.md
index 07021dd6..3b579fe6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,32 @@
 # ChangeLog
 
+## [10.1.0] - 2022-03-25
+Summary of changes since the 10.0.24. For more details look at rc versions.
+From 10.1.0 the semantic versioning will be applied.
+
+### Added
+- Outcome: detailed execution report json output file
+- Log: syslog output for very high level logs
+- Log: multiple/parellel logs output (execution/investigation/debug)
+- Log: add log backtrace option to dump detailed logs (debug...) on error
+- Ntfs: add transparent support for WolfCompressedData
+- Ntfs: add transparent support for CI.CATALOGHINT
+- Ntfs: VolumeShadowCopy: add newest/mid/oldest targetting options
+- Add option to exclude volume
+- Add option `/nolimit:[]` for configurated DFIR-Orc (mothership)
+- Test: add tools/ci/test.psm1 to facilitate test automation
+
+### Changed
+- Yara: use newest api for better results
+- FastFind/GetThis: add statistics for rule profiling
+- FastFind/GetThis: add more detailed output on match
+- Improve 7z archive compatibility
+- Update command line documentation and interface
+
+### Fixed
+- Many fixes
+
+
 ## [10.1.0-rc10] - 2022-02-22 - Release Candidate 10
 ### Added
 - test: add functional test helper test.psd1 and test.psm1 (see tools/ci/README.md)
diff --git a/src/OrcLib/EmbeddedResource.h b/src/OrcLib/EmbeddedResource.h
index 605f0a54..0c04d0f6 100644
--- a/src/OrcLib/EmbeddedResource.h
+++ b/src/OrcLib/EmbeddedResource.h
@@ -273,7 +273,7 @@ class EmbeddedResource
 
 private:
     static HRESULT _UpdateResource(
-        HANDLE& hOutput,
+        HANDLE hOutput,
         const WCHAR* szModule,
         const WCHAR* szType,
         const WCHAR* szName,
diff --git a/src/OrcLib/EmbeddedResource_Embed.cpp b/src/OrcLib/EmbeddedResource_Embed.cpp
index 565376f6..c8dc3c6b 100644
--- a/src/OrcLib/EmbeddedResource_Embed.cpp
+++ b/src/OrcLib/EmbeddedResource_Embed.cpp
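Review bot: With `hOutput` now taken by value, `_UpdateResource` can no longer hand anything back to the caller through it, which the old `HANDLE&` signature implied it did; the declaration should say so, since nothing else visible in the header documents the parameter. Suggest a comment above the declaration: `// hOutput: caller's handle, passed by value and never modified by this function`. The same signature change is made in the first EmbeddedResource_Embed.cpp hunk (line 26), where the comment would be equally useful. The enclosing class EmbeddedResource starts and ends outside the hunk.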
@@ -26,7 +26,7 @@ using namespace std;
 using namespace Orc;
 
 HRESULT EmbeddedResource::_UpdateResource(
-    HANDLE& hOutput,
+    HANDLE hOutput,
     const WCHAR* szModule,
     const WCHAR* szType,
     const WCHAR* szName,
@@ -56,9 +56,6 @@ HRESULT EmbeddedResource::_UpdateResource(
 
     if (hOutput == INVALID_HANDLE_VALUE)
     {
-        // Calling EndUpdateResource will make the handle invalid for success AND failure
-        hOutput = INVALID_HANDLE_VALUE;
-
         if (!EndUpdateResource(hOut, FALSE))
         {
             hr = HRESULT_FROM_WIN32(GetLastError());
diff --git a/src/OrcLib/MFTUtils.cpp b/src/OrcLib/MFTUtils.cpp
index e28463c1..487864e2 100644
--- a/src/OrcLib/MFTUtils.cpp
+++ b/src/OrcLib/MFTUtils.cpp
@@ -338,14 +338,21 @@ HRESULT MFTUtils::MultiSectorFixup(PFILE_RECORD_SEGMENT_HEADER pFRS, const std::
     //
     // get the first fixup entry
     //
-    fixuparray = (WORD*)((BYTE*)pHeader + pHeader->UpdateSequenceArrayOffset) + 1;
-    fixupsig = fixuparray[-1];
     dest = (BYTE*)pHeader + lBytesPerSector - 2;
     numfix = (WORD)(pVolReader->GetBytesPerFRS() / lBytesPerSector);
 
+    if (pHeader->UpdateSequenceArrayOffset + numfix * 2 > 510)
+    {
+        Log::Error("Update sequence array is out of bounds");
+        return HRESULT_FROM_WIN32(ERROR_INVALID_DATA);
+    }
+
     //
     // go through the fixups
     //
+    fixuparray = (WORD*)((BYTE*)pHeader + pHeader->UpdateSequenceArrayOffset) + 1;
+    fixupsig = fixuparray[-1];
+
     for (i = 0; i < numfix; i++)
     {
 
diff --git a/src/OrcLib/Text/Print/FILE_NAME.cpp b/src/OrcLib/Text/Print/FILE_NAME.cpp
index c73bf6e8..9968b0d5 100644
--- a/src/OrcLib/Text/Print/FILE_NAME.cpp
+++ b/src/OrcLib/Text/Print/FILE_NAME.cpp
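Review bot: Removing the comment together with the dead assignment drops the one fact a reader of this block still needs: `EndUpdateResource` invalidates `hOut` on success and on failure alike, so `hOut` must not be reused after the call. The assignment `hOutput = INVALID_HANDLE_VALUE` was already a no-op under `if (hOutput == INVALID_HANDLE_VALUE)` and can go, but the comment belongs next to the call that consumes the handle, e.g. `// EndUpdateResource consumes hOut on success and on failure; hOut is invalid after this line`. Where `hOut` is obtained and whether later code in `_UpdateResource` touches it is outside the hunk, which is why the comment is worth keeping at the call site.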
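Review bot: The new bounds check hard-codes `510` where the rest of the function already works in units of `lBytesPerSector`: the update sequence array (signature word plus one word per sector) has to fit inside the first sector without overlapping that sector's last two bytes, which is `lBytesPerSector - 2`, and 510 only equals that for 512-byte sectors. Suggest `if (pHeader->UpdateSequenceArrayOffset + numfix * 2 > lBytesPerSector - 2)` with the comment `// USA (numfix + 1 words) must end before the first sector's own fixup word`. If the project's FILE_RECORD_SEGMENT_HEADER exposes the record's own update-sequence-array size field, comparing it with `numfix + 1` would additionally reject records whose header disagrees with the sector geometry. Whether `lBytesPerSector` has been checked to be non-zero before the division on the `numfix` line is outside the hunk.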
@@ -25,7 +25,7 @@ void Print(Tree& node, const FILE_NAME& file_name)
     const auto flags = file_name.Flags < fileFlags.size() ? fileFlags[file_name.Flags] : L"N/A";
 
     PrintValue(node, L"Name", std::wstring_view(file_name.FileName, file_name.FileNameLength));
-    PrintValue(node, L"Parent FRN", fmt::format("L{:#016x}", parentFRN));
+    PrintValue(node, L"Parent FRN", fmt::format("{:#016x}", parentFRN));
     PrintValue(node, L"Creation", creation);
     PrintValue(node, L"Last modification", lastModification);
     PrintValue(node, L"Last access", lastAccess);
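Review bot: The corrected `{:#016x}` still counts the `0x` prefix in the 16-column width, so a value whose top byte is zero prints only 14 hex digits while larger values print wider, and the column no longer lines up. If `parentFRN` is a 64-bit file reference (its declaration is outside the hunk), `{:#018x}` gives a constant 16-digit field. The call also mixes a narrow `fmt::format` result with the wide labels used by every surrounding `PrintValue` call; the stray `L` looks like it was meant to be the wide-literal prefix, so `fmt::format(L"{:#018x}", parentFRN)` would keep the block in one string type, provided `PrintValue` accepts a `std::wstring` here.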