
Commit b333b81

committed
v1.3.7
1 parent 6dee14f commit b333b81


10 files changed

+44
-22
lines changed

10 files changed

+44
-22
lines changed

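--- a/CDIR/CDIR.cpp
+++ b/CDIR/CDIR.cpp
@@ -1,5 +1,5 @@
 /*
-* Copyright(C) 2022 Cyber Defense Institute, Inc.
+* Copyright(C) 2024 Cyber Defense Institute, Inc.
 *
 * This program/include file is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as published
@@ -50,7 +50,7 @@
 using namespace std;
 
 typedef FileInfo_t* (__cdecl *StealthOpenFile_func)(char*);
-typedef int(__cdecl *StealthReadFile_func)(FileInfo_t*, BYTE*, DWORD, ULONGLONG, DWORD*, ULONGLONG*, ULONGLONG);
+typedef int(__cdecl *StealthReadFile_func)(FileInfo_t*, BYTE*, DWORD, ULONGLONG, DWORD*, ULONGLONG*, ULONGLONG, ULONGLONG);
 typedef void(__cdecl *StealthCloseFile_func)(FileInfo_t*);
 
 StealthOpenFile_func StealthOpenFile;
@@ -334,6 +334,7 @@ int StealthGetFile(char *filepath, char *outpath, ostringstream *osslog = NULL,
 };
 
 ULONGLONG filesize = (ULONGLONG)file->data->GetDataSize();
+ULONGLONG initializedsize = (ULONGLONG)file->data->GetIniDataSize();
 WriteWrapper wfile(outpath, filesize);
 
 SHA256_CTX sha256;
@@ -384,7 +385,7 @@ int StealthGetFile(char *filepath, char *outpath, ostringstream *osslog = NULL,
 do {
 int ret;
 
-if ((ret = StealthReadFile(file, buf, CHUNKSIZE, offset, &bytesread, &bytesleft, filesize)) != 0) {
+if ((ret = StealthReadFile(file, buf, CHUNKSIZE, offset, &bytesread, &bytesleft, filesize, initializedsize)) != 0) {
 if (SparseSkip && strlen(filepath) > 3 && strcmp(&(filepath[2]), journalpath) == 0) {
 filesize -= offset;
 skipclusters = 0;
@@ -433,7 +434,7 @@ int StealthGetFile(char *filepath, char *outpath, ostringstream *osslog = NULL,
 else if (ret == 3) {
 int adjustsize = CHUNKSIZE;
 adjustsize -= BLOCKSIZE;
-while (StealthReadFile(file, buf, adjustsize, offset, &bytesread, &bytesleft, filesize) == 3)
+while (StealthReadFile(file, buf, adjustsize, offset, &bytesread, &bytesleft, filesize, initializedsize) == 3)
 adjustsize -= BLOCKSIZE;
 }
 else {
@@ -1237,7 +1238,7 @@ int main(int argc, char **argv)
 
 // chack proces name
 procname = basename(string(argv[0]));
-cout << msg("CDIR Collector v1.3.6 - 初動対応用データ収集ツール", "CDIR Collector v1.3.6 - Data Acquisition Tool for First Response") << endl;
+cout << msg("CDIR Collector v1.3.7 - 初動対応用データ収集ツール", "CDIR Collector v1.3.7 - Data Acquisition Tool for First Response") << endl;
 cout << msg("Cyber Defense Institute, Inc.\n", "Cyber Defense Institute, Inc.\n") << endl;
 
 // set curdir -> exedir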
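Review bot: The new `initializedsize` local at line 337 carries no explanation of what it is, and the only hint of its effect lives in another file of this commit, where StealthReadFile (NTFSParserDLL.cpp) zero-fills buffer bytes at or beyond it. A one-line comment at the declaration would spare the next reader that cross-file lookup: `// NTFS initialized size (valid data length): bytes beyond it are not backed by data on disk and come back zero-filled from StealthReadFile`. In the `journalpath` branch right after the first call (line 389) `filesize` is reduced by `offset` while `initializedsize` is left absolute, and the DLL compares the two directly; whether that pairing is still intended for the journal case is not visible here and is worth confirming. StealthGetFile starts and ends outside these hunks.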

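--- a/CDIR/CDIR.rc
+++ b/CDIR/CDIR.rc
@@ -62,8 +62,8 @@ IDI_ICON1 ICON "collector.ico"
 //
 
 VS_VERSION_INFO VERSIONINFO
-FILEVERSION 1,3,6,0
-PRODUCTVERSION 1,3,6,0
+FILEVERSION 1,3,7,0
+PRODUCTVERSION 1,3,7,0
 FILEFLAGSMASK 0x3fL
 #ifdef _DEBUG
 FILEFLAGS 0x1L
@@ -80,12 +80,12 @@ BEGIN
 BEGIN
 VALUE "CompanyName", "Cyber Defense Institute, Inc."
 VALUE "FileDescription", "Data Collection Tool for Incident Response"
-VALUE "FileVersion", "1.3.6.0"
+VALUE "FileVersion", "1.3.7.0"
 VALUE "InternalName", "cdir-collector.exe"
-VALUE "LegalCopyright", "Copyright (C) 2022 Cyber Defense Institute"
+VALUE "LegalCopyright", "Copyright (C) 2024 Cyber Defense Institute"
 VALUE "OriginalFilename", "cdir-collector.exe"
 VALUE "ProductName", "CDIR Collector"
-VALUE "ProductVersion", "1.3.6.0"
+VALUE "ProductVersion", "1.3.7.0"
 END
 END
 BLOCK "VarFileInfo"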

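--- a/CDIR/CDIR.vcxproj
+++ b/CDIR/CDIR.vcxproj
@@ -36,20 +36,20 @@
 <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 <ConfigurationType>Application</ConfigurationType>
 <UseDebugLibraries>false</UseDebugLibraries>
-<PlatformToolset>v142</PlatformToolset>
+<PlatformToolset>v143</PlatformToolset>
 <WholeProgramOptimization>true</WholeProgramOptimization>
 <CharacterSet>MultiByte</CharacterSet>
 </PropertyGroup>
 <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 <ConfigurationType>Application</ConfigurationType>
 <UseDebugLibraries>true</UseDebugLibraries>
-<PlatformToolset>v142</PlatformToolset>
+<PlatformToolset>v143</PlatformToolset>
 <CharacterSet>MultiByte</CharacterSet>
 </PropertyGroup>
 <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 <ConfigurationType>Application</ConfigurationType>
 <UseDebugLibraries>false</UseDebugLibraries>
-<PlatformToolset>v142</PlatformToolset>
+<PlatformToolset>v143</PlatformToolset>
 <WholeProgramOptimization>true</WholeProgramOptimization>
 <CharacterSet>MultiByte</CharacterSet>
 </PropertyGroup>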

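--- a/CDIR/ConfigParser.h
+++ b/CDIR/ConfigParser.h
@@ -3,6 +3,7 @@
 #include <string>
 #include <map>
 #include <fstream>
+#include <functional>
 
 using namespace std;
 
@@ -23,7 +24,7 @@ struct Value {
 //#define GETVALUE(val) ((val).type==TYPE_BOOL)?(CASTPTR(bool,(val).ptr)):((val.type==TYPE_INT)?(CASTPTR(int,(val).ptr)):(CASTPTR(string,(val).ptr)))
 //#define GETVALUE(val) [=](){if(val.type==TYPE_BOOL)return CASTPTR(bool,(val).ptr);if(val.type==TYPE_INT)return CASTPTR(int,(val).ptr);if(val.type==TYPE_STRING)return CASTPTR(int,(val).ptr);}
 
-struct c_ignorecase:std::binary_function<string, string, bool> {
+struct c_ignorecase:std::function<bool(string, string)> {
 bool operator() (const string &s1, const string &s2) const {
 return _stricmp(s1.c_str(), s2.c_str()) < 0;
 }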
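Review bot: Deriving `c_ignorecase` from `std::function<bool(string, string)>` on line 27 is not a like-for-like replacement for the removed `std::binary_function`: the old base only supplied argument/result typedefs, whereas `std::function` is a stateful callable wrapper, so every comparator instance (and every map keyed with it) now carries an empty, default-constructed `std::function` whose own `operator()` is hidden by the derived one and would throw `bad_function_call` if it were ever reached. The comparator needs no base class at all; `struct c_ignorecase {` is sufficient, and the `#include <functional>` added on line 6 can then go unless something else in the header uses it (not visible here). If any caller relies on the old typedefs, `using first_argument_type = string; using second_argument_type = string; using result_type = bool;` inside the struct restores them without the overhead.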

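--- a/CDIR/cdir.ini
+++ b/CDIR/cdir.ini
@@ -13,6 +13,5 @@ Web = true
 ;MemoryDumpCmdline = winpmem-2.1.post4.exe --output RAM.aff4
 ;MemoryDumpCmdline = DumpIt.exe /Q /N /T DMP /O RAM.dmp
 ;MemoryDumpCmdline = RamCapture64.exe RAM.raw
-;MemoryDumpCmdline = MagnetRAMCapture.exe /accepteula /go .\RAM.raw
 ;Output = E:\
 ;Output = \\hostname\sharename\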

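--- a/NTFSParserDLL/NTFSParserDLL.cpp
+++ b/NTFSParserDLL/NTFSParserDLL.cpp
@@ -144,13 +144,13 @@ extern "C" HANDLE __declspec(dllexport) StealthOpenFile(char* filePathCStr)
 }
 
 // add filesize argument
-extern "C" DWORD __declspec(dllexport) StealthReadFile(FileInfo_t* fileInfo, BYTE* buffer, DWORD bufferSize, ULONGLONG offset, DWORD* bytesRead, ULONGLONG* dataRemaining, ULONGLONG fileSize)
+extern "C" DWORD __declspec(dllexport) StealthReadFile(FileInfo_t* fileInfo, BYTE* buffer, DWORD bufferSize, ULONGLONG offset, DWORD* bytesRead, ULONGLONG* dataRemaining, ULONGLONG fileSize, ULONGLONG initializedSize)
 {
 if (fileInfo->data)
 {
-// ULONGLONG dataLength = (ULONGLONG)fileInfo->data->GetDataSize();
 ULONGLONG dataLength = fileSize; // changed for datarun around multiple record
 ULONGLONG fullDataLength = dataLength;
+ULONGLONG validDataLength = initializedSize;
 
 dataLength = dataLength - offset;
 if (dataLength > bufferSize)
@@ -165,6 +165,18 @@ extern "C" DWORD __declspec(dllexport) StealthReadFile(FileInfo_t* fileInfo, BYT
 DWORD len;
 if (fileInfo->data->ReadData(offset, buffer, (DWORD)dataLength, &len) && len == (DWORD)dataLength)
 {
+if (validDataLength < fileSize)
+{
+if (validDataLength <= offset)
+{
+std::memset(buffer, 0, sizeof(BYTE) * len);
+}
+else if (validDataLength < offset + len)
+{
+ULONGLONG offsetOfBuffer = validDataLength - offset;
+std::memset(buffer + offsetOfBuffer, 0, sizeof(BYTE)*size_t(bufferSize - offsetOfBuffer));
+}
+}
 *bytesRead = len;
 *dataRemaining = fullDataLength - len - offset;
 return 0; //Success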
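Review bot: The partial-zeroing branch on line 177 sizes its memset from `bufferSize`, while the sibling branch on line 172 and the `validDataLength < offset + len` test it sits under both reason about `len`; the two agree only when the read filled the whole buffer, otherwise the tail between `len` and `bufferSize` is cleared as well. That appears to stay inside the caller's allocation (`dataLength` is presumably capped at `bufferSize` by the `if` on line 156, whose body is outside the hunk, and `len == dataLength` is checked on line 166), so it reads as an inconsistency rather than an overrun, and the intent is `std::memset(buffer + offsetOfBuffer, 0, size_t(len - offsetOfBuffer));`. `std::memset` needs `<cstring>`; whether this translation unit already includes it is not visible here. The stale `// add filesize argument` comment above the signature on line 146 now undersells the contract; `// fileSize: caller-supplied data size; initializedSize: NTFS initialized size — bytes at or past it are returned zero-filled` would document both parameters. StealthReadFile continues past the end of the second hunk.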

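--- a/NTFSParserDLL/NTFSParserDLL.vcxproj
+++ b/NTFSParserDLL/NTFSParserDLL.vcxproj
@@ -28,19 +28,19 @@
 <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 <ConfigurationType>DynamicLibrary</ConfigurationType>
 <UseDebugLibraries>true</UseDebugLibraries>
-<PlatformToolset>v142</PlatformToolset>
+<PlatformToolset>v143</PlatformToolset>
 <CharacterSet>NotSet</CharacterSet>
 </PropertyGroup>
 <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 <ConfigurationType>DynamicLibrary</ConfigurationType>
 <UseDebugLibraries>true</UseDebugLibraries>
-<PlatformToolset>v142</PlatformToolset>
+<PlatformToolset>v143</PlatformToolset>
 <CharacterSet>NotSet</CharacterSet>
 </PropertyGroup>
 <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 <ConfigurationType>DynamicLibrary</ConfigurationType>
 <UseDebugLibraries>false</UseDebugLibraries>
-<PlatformToolset>v142</PlatformToolset>
+<PlatformToolset>v143</PlatformToolset>
 <WholeProgramOptimization>true</WholeProgramOptimization>
 <CharacterSet>NotSet</CharacterSet>
 </PropertyGroup>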

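--- a/NTFSParserDLL/NTFS_Attribute.h
+++ b/NTFSParserDLL/NTFS_Attribute.h
@@ -77,6 +77,7 @@ class CAttrBase
 
 public:
 virtual __inline ULONGLONG GetDataSize(ULONGLONG *allocSize = NULL) const = 0;
+virtual __inline ULONGLONG GetIniDataSize() const { return this->GetDataSize(); };
 virtual BOOL ReadData(const ULONGLONG &offset, void *bufv, DWORD bufLen, DWORD *actural) const = 0;
 }; // CAttrBase
 
@@ -285,6 +286,7 @@ class CAttrNonResident : public CAttrBase
 
 public:
 virtual __inline ULONGLONG GetDataSize(ULONGLONG *allocSize = NULL) const;
+virtual __inline ULONGLONG GetIniDataSize() const;
 virtual BOOL ReadData(const ULONGLONG &offset, void *bufv, DWORD bufLen, DWORD *actural) const;
 CDataRunList *GetDataRunList();
 }; // CAttrNonResident
@@ -517,6 +519,13 @@ __inline ULONGLONG CAttrNonResident::GetDataSize(ULONGLONG *allocSize) const
 return AttrHeaderNR->RealSize;
 }
 
+// Return Initialized Size(ValidDataLength)
+__inline ULONGLONG CAttrNonResident::GetIniDataSize() const
+{
+return AttrHeaderNR->IniSize;
+}
+
+
 // Read "bufLen" bytes from "offset" into "bufv"
 // Number of bytes acturally read is returned in "*actural"
 BOOL CAttrNonResident::ReadData(const ULONGLONG &offset, void *bufv, DWORD bufLen, DWORD *actural) const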
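Review bot: `CAttrNonResident::GetIniDataSize` on line 525 returns `AttrHeaderNR->IniSize` straight from the on-disk attribute header, whereas `GetDataSize` just above returns `RealSize`; NTFS keeps the initialized size at or below the real size, but nothing here enforces that for a damaged or malformed header. The one consumer added in this commit (StealthReadFile in NTFSParserDLL.cpp) guards itself with `validDataLength < fileSize`, but clamping at the accessor keeps the invariant for every future caller: `return (AttrHeaderNR->IniSize < AttrHeaderNR->RealSize) ? AttrHeaderNR->IniSize : AttrHeaderNR->RealSize;`. The base-class default on line 80 ends with a stray `;` after the body, and neither the base default nor the non-resident declaration on line 289 is marked `override`; both are cosmetic. The header comment on line 522 could say what the value means for readers: `// Return Initialized Size (ValidDataLength): bytes beyond it are not backed by data on disk and read as zero`.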

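--- a/README.md
+++ b/README.md
@@ -32,7 +32,7 @@ https://github.com/CyberDefenseInstitute/CDIR/releases
 
 ## ビルド
 
-ソースコードはVisual Studio 2019で読み込みビルドすることができます。cdir-collectorの構成ファイルは以下の通りです。
+ソースコードはVisual Studio 2022で読み込みビルドすることができます。cdir-collectorの構成ファイルは以下の通りです。
 
 * cdir.ini
 * cdir-collector.exe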

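--- a/README_en.md
+++ b/README_en.md
@@ -32,7 +32,7 @@ https://github.com/CyberDefenseInstitute/CDIR/releases
 
 ## Build
 
-If you want to customise and build binary from source code, try to use Visual Studio 2019.
+If you want to customise and build binary from source code, try to use Visual Studio 2022.
 
 Component of cdir-collector:
 * cdir.ini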
