v.1.3.4

Author: hashimoto62563

CDIR/CDIR.cpp

@@ -749,11 +749,15 @@ int get_analysisdata(ostringstream *osslog = NULL) {
 	Wow64DisableWow64FsRedirection(&oldval);
 
 	char findpath[MAX_PATH + 1];
+	char filepath[MAX_PATH + 1];
 	char srcpath[MAX_PATH + 1];
 	char dstpath[MAX_PATH + 1];
 
-	if (param_mftdump == true) {
+	if (param_mftdump || param_securedump || param_usndump) {
 		mkdir("NTFS");
+	}
+
+	if (param_mftdump == true) {
 		// get MFT
 		sprintf(srcpath, "%s\\$MFT", osvolume);
 		sprintf(dstpath, "NTFS\\%c_$MFT", osvolume[0]);
@@ -867,20 +871,38 @@ int get_analysisdata(ostringstream *osslog = NULL) {
 		// get prefetch files
 		mkdir("Prefetch");
 
-		sprintf(findpath, "%s\\Prefetch\\*.pf", windir);
+		sprintf(findpath, "%s\\Prefetch\\*", windir);
 		auto files = findfiles(string(findpath));
-
 		bool flag = false;
 		for (auto file : files) {
-			sprintf(srcpath, "%s\\Prefetch\\%s", windir, file.first.c_str());
-			sprintf(dstpath, "Prefetch\\%s", file.first.c_str());
-			if (StealthGetFile(srcpath, dstpath, osslog, false)) {
-				cerr << msg("取得失敗", "failed to save") << ": " << srcpath << endl;
+			if ( file.first.substr(file.first.length() - 3) == ".pf" ) {
+				sprintf(srcpath, "%s\\Prefetch\\%s", windir, file.first.c_str());
+				sprintf(dstpath, "Prefetch\\%s", file.first.c_str());
+				if (StealthGetFile(srcpath, dstpath, osslog, false)) {
+					cerr << msg("取得失敗", "failed to save") << ": " << srcpath << endl;
+				}
+				else {
+					flag = true;
+				}
 			}
-			else {
-				flag = true;
+			// check if the file has ADS or not
+			sprintf(filepath, "%s\\Prefetch\\%s", windir, file.first.c_str());
+			auto strms = findstreams(filepath);
+			if ( strms.size() > 0 ){
+				for (auto strm : strms) {
+					sprintf(srcpath, "%s\\Prefetch\\%s%s", windir, file.first.c_str(), strm.first.c_str());
+					sprintf(dstpath, "Prefetch\\%s%s", file.first.c_str(), strm.first.c_str());
+					if (StealthGetFile(srcpath, dstpath, osslog, false)) {
+						cerr << msg("取得失敗", "failed to save") << ": " << srcpath << endl;
+					}
+					else {
+						flag = true;
+					}
+				}
 			}
+
 		}
+
 		if (flag) {
 			cerr << msg("プリフェッチ 取得完了", "prefetch is saved") << endl;
 		}
@@ -890,20 +912,38 @@ int get_analysisdata(ostringstream *osslog = NULL) {
 
 		// Windows.old
 		if (PathIsDirectory(backupdir)) {
+			
 			mkdir("Prefetch_old");
-
-			sprintf(findpath, "%s\\Prefetch\\*.pf", windir_old);
+			sprintf(findpath, "%s\\Prefetch\\*", windir_old);
 			auto files = findfiles(string(findpath));
 
 			bool flag = false;
+
 			for (auto file : files) {
-				sprintf(srcpath, "%s\\Prefetch\\%s", windir_old, file.first.c_str());
-				sprintf(dstpath, "Prefetch_old\\%s", file.first.c_str());
-				if (StealthGetFile(srcpath, dstpath, osslog, false)) {
-					cerr << msg("取得失敗", "failed to save") << ": " << srcpath << endl;
+				if ( file.first.substr(file.first.length() - 3) == ".pf" ) {
+					sprintf(srcpath, "%s\\Prefetch\\%s", windir_old, file.first.c_str());
+					sprintf(dstpath, "Prefetch_old\\%s", file.first.c_str());
+					if (StealthGetFile(srcpath, dstpath, osslog, false)) {
+						cerr << msg("取得失敗", "failed to save") << ": " << srcpath << endl;
+					}
+					else {
+						flag = true;
+					}
 				}
-				else {
-					flag = true;
+				// check if the file has ADS or not
+				sprintf(filepath, "%s\\Prefetch\\%s", windir_old, file.first.c_str());
+				auto strms = findstreams(filepath);
+				if (strms.size() > 0) {
+					for (auto strm : strms) {
+						sprintf(srcpath, "%s\\Prefetch\\%s%s", windir_old, file.first.c_str(), strm.first.c_str());
+						sprintf(dstpath, "Prefetch_old\\%s%s", file.first.c_str(), strm.first.c_str());
+						if (StealthGetFile(srcpath, dstpath, osslog, false)) {
+							cerr << msg("取得失敗", "failed to save") << ": " << srcpath << endl;
+						}
+						else {
+							flag = true;
+						}
+					}
 				}
 			}
 			if (flag) {
@@ -1173,7 +1213,7 @@ int main(int argc, char **argv)
 
 	// chack proces name
 	procname = basename(string(argv[0]));
-	cout << msg("CDIR Collector v1.3.3 - 初動対応用データ収集ツール", "CDIR Collector v1.3.3 - Data Acquisition Tool for First Response") << endl;
+	cout << msg("CDIR Collector v1.3.4 - 初動対応用データ収集ツール", "CDIR Collector v1.3.4 - Data Acquisition Tool for First Response") << endl;
 	cout << msg("Cyber Defense Institute, Inc.\n", "Cyber Defense Institute, Inc.\n") << endl;
 
 	// set curdir -> exedir
@@ -1299,6 +1339,7 @@ int main(int argc, char **argv)
 		strncpy(usrvolume, (CASTVAL(string, config->getValue("Target"))).c_str(), 2);
 		strncpy(sysdir, (CASTVAL(string, config->getValue("Target"))).c_str(), 2);
 		strncpy(windir, (CASTVAL(string, config->getValue("Target"))).c_str(), 2);
+		strncpy(backupdir, (CASTVAL(string, config->getValue("Target"))).c_str(), 2);
 		cerr << "Target: " << osvolume << endl;
 	}
 

CDIR/CDIR.rc

@@ -23,7 +23,7 @@
     <Keyword>Win32Proj</Keyword>
     <RootNamespace>CDIR</RootNamespace>
     <ProjectName>cdir-collector</ProjectName>
-    <WindowsTargetPlatformVersion>10.0.17763.0</WindowsTargetPlatformVersion>
+    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
@@ -36,20 +36,20 @@
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>false</UseDebugLibraries>
-    <PlatformToolset>v141</PlatformToolset>
+    <PlatformToolset>v142</PlatformToolset>
     <WholeProgramOptimization>true</WholeProgramOptimization>
     <CharacterSet>MultiByte</CharacterSet>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>true</UseDebugLibraries>
-    <PlatformToolset>v141</PlatformToolset>
+    <PlatformToolset>v142</PlatformToolset>
     <CharacterSet>MultiByte</CharacterSet>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>false</UseDebugLibraries>
-    <PlatformToolset>v141</PlatformToolset>
+    <PlatformToolset>v142</PlatformToolset>
     <WholeProgramOptimization>true</WholeProgramOptimization>
     <CharacterSet>MultiByte</CharacterSet>
   </PropertyGroup>

CDIR/CDIR.vcxproj

@@ -143,3 +143,37 @@ vector<pair<string, int>> findfiles(string filepath, bool error) {
 
 	return paths;
 }
+
+vector<pair<string, int>> findstreams(const char* cfilepath, bool error) {
+
+	vector<pair<string, int>> paths;
+	WIN32_FIND_STREAM_DATA streamData;
+	HANDLE hfind;
+
+
+	size_t ret;
+	wchar_t wfilepath[MAX_PATH + 1];
+
+	mbstowcs_s(&ret, wfilepath, size_t(MAX_PATH + 1), cfilepath, _TRUNCATE);
+	hfind = FindFirstStreamW(wfilepath, FindStreamInfoStandard, &streamData, 0);
+
+	if (hfind != INVALID_HANDLE_VALUE) {
+		do {
+			char ads[ MAX_PATH + 1 ];
+			//WideCharToMultiByte(CP_ACP, 0, streamData.cStreamName, -1, mtxt, MAX_PATH, NULL, NULL);
+			wcstombs_s(&ret, ads, size_t(MAX_PATH + 1), streamData.cStreamName, _TRUNCATE);
+
+			if ( strcmp( ads, "::$DATA" ) != 0) {
+				// trim last ":$DATA"
+				string ads_str = string(ads).substr(0, string(ads).length() - 6);
+				paths.push_back(pair<string, int>( ads_str, 0 ) );
+			}
+		} while (FindNextStreamW(hfind, &streamData));
+		if (!FindClose(hfind)) {
+			_perror("FindClose");
+		}
+
+	}
+
+	return paths;
+}

CDIR/util.cpp

@@ -16,3 +16,4 @@ string msg(string jp, string en, WORD lang = GetUserDefaultLangID());
 string join(vector<string>, string);
 string hexdump(const unsigned char*, size_t);
 vector<pair<string, int>> findfiles(string, bool error=true);
+vector<pair<string, int>> findstreams(const char* cfilepath, bool error = true);

CDIR/util.h

@@ -22,25 +22,25 @@
     <ProjectGuid>{5E42B778-F231-4797-B7FD-7D5BCA9738D0}</ProjectGuid>
     <Keyword>Win32Proj</Keyword>
     <RootNamespace>NTFSParserDLL</RootNamespace>
-    <WindowsTargetPlatformVersion>10.0.17134.0</WindowsTargetPlatformVersion>
+    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
     <ConfigurationType>DynamicLibrary</ConfigurationType>
     <UseDebugLibraries>true</UseDebugLibraries>
-    <PlatformToolset>v141</PlatformToolset>
+    <PlatformToolset>v142</PlatformToolset>
     <CharacterSet>NotSet</CharacterSet>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
     <ConfigurationType>DynamicLibrary</ConfigurationType>
     <UseDebugLibraries>true</UseDebugLibraries>
-    <PlatformToolset>v141</PlatformToolset>
+    <PlatformToolset>v142</PlatformToolset>
     <CharacterSet>NotSet</CharacterSet>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
     <ConfigurationType>DynamicLibrary</ConfigurationType>
     <UseDebugLibraries>false</UseDebugLibraries>
-    <PlatformToolset>v141</PlatformToolset>
+    <PlatformToolset>v142</PlatformToolset>
     <WholeProgramOptimization>true</WholeProgramOptimization>
     <CharacterSet>NotSet</CharacterSet>
   </PropertyGroup>

NTFSParserDLL/NTFSParserDLL.vcxproj

@@ -31,7 +31,7 @@ https://github.com/CyberDefenseInstitute/CDIR/releases
 
 ## ビルド
 
-ソースコードはVisual Studio 2017で読み込みビルドすることができます。cdir-collectorの構成ファイルは以下の通りです。
+ソースコードはVisual Studio 2019で読み込みビルドすることができます。cdir-collectorの構成ファイルは以下の通りです。
 
 * cdir.ini
 * cdir-collector.exe

README.md

@@ -31,7 +31,7 @@ https://github.com/CyberDefenseInstitute/CDIR/releases
 
 ## Build
 
-If you want to customise and build binary from source code, try to use Visual Studio 2017. 
+If you want to customise and build binary from source code, try to use Visual Studio 2019. 
 
 Component of cdir-collector: 
 * cdir.ini