CyberDefenseInstitute
diff --git a/‎CDIR/CDIR.cpp
+18-10 b/‎CDIR/CDIR.cpp
+18-10
diff --git a/‎CDIR/CDIR.rc
+5-5 b/‎CDIR/CDIR.rc
+5-5
diff --git a/‎CDIR/cdir.ini
+1 b/‎CDIR/cdir.ini
+1
diff --git a/‎CDIR/winpmem-2.1.post4.exe
-2.15 MB b/‎CDIR/winpmem-2.1.post4.exe
-2.15 MB
diff --git a/‎CDIR/winpmem.exe
-2.35 MB b/‎CDIR/winpmem.exe
-2.35 MB
diff --git a/‎CDIR/winpmem_x64.exe
515 KB b/‎CDIR/winpmem_x64.exe
515 KB
diff --git a/‎CDIR/winpmem_x86.exe
212 KB b/‎CDIR/winpmem_x86.exe
212 KB
diff --git a/‎README.md
+3-4 b/‎README.md
+3-4
diff --git a/‎README_en.md
+3-4 b/‎README_en.md
+3-4
@@ -1,5 +1,5 @@
 /*
- * Copyright(C) 2019 Cyber Defense Institute, Inc.
+ * Copyright(C) 2022 Cyber Defense Institute, Inc.
  *
  * This program/include file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License as published
@@ -580,25 +580,27 @@ int get_pagefilepath(char *ret) {
 int get_memdump(bool is_x64, char *computername, char *pagefilepath) {
 	// winpmem	
 	char tmp[256];
+	char* winpmem_exe_name;
 	DWORD status;
 
 	if (computername == NULL) {
 		fprintf(stderr, "computername is NULL.\n");
 		return -1;
 	}
+	if (is_x64 == true)
+		winpmem_exe_name = "winpmem_x64.exe";
+	else
+		winpmem_exe_name = "winpmem_x86.exe";
+
 	if (config->isSet("MemoryDumpCmdline"))
 		sprintf(tmp, "%s\\%s", exedir, (CASTVAL(string, config->getValue("MemoryDumpCmdline"))).c_str());
 	else
-		sprintf(tmp, "%s\\winpmem.exe -dd --output RAM_%s.aff4 -t", exedir, computername);
-
+		sprintf(tmp, "%s\\%s RAM_%s.raw", exedir, winpmem_exe_name, computername);
+	
 	if (launchprocess(tmp, &status)) {
 		return -1;
 	}
-
-	// for pagefile.sys acquisition
-	//	sprintf(tmp, "..\\winpmem.exe -dd -p %s -o RAM_%s.aff4 -t", pagefilepath + 4, computername);
-	//	launchprocess(tmp);
-
+	
 	return 0;
 }
 
@@ -1216,6 +1218,7 @@ int main(int argc, char **argv)
 	uint64_t time_diff;
 	struct tm *t;
 	SYSTEM_INFO sysinfo;
+	char* winpmem_exe_name;
 
 	sprintf(dllpath, "%s\\NTFSParserDLL.dll", dirname(string(argv[0])).c_str());
 	if ((hNTFSParserdll = LoadLibrary(dllpath)) == NULL) {
@@ -1234,7 +1237,7 @@ int main(int argc, char **argv)
 
 	// chack proces name
 	procname = basename(string(argv[0]));
-	cout << msg("CDIR Collector v1.3.5 - 初動対応用データ収集ツール", "CDIR Collector v1.3.5 - Data Acquisition Tool for First Response") << endl;
+	cout << msg("CDIR Collector v1.3.6 - 初動対応用データ収集ツール", "CDIR Collector v1.3.6 - Data Acquisition Tool for First Response") << endl;
 	cout << msg("Cyber Defense Institute, Inc.\n", "Cyber Defense Institute, Inc.\n") << endl;
 
 	// set curdir -> exedir
@@ -1442,9 +1445,14 @@ int main(int argc, char **argv)
 		}
 	}
 
+	if (is_x64 == true)
+		winpmem_exe_name = "winpmem_x64.exe";
+	else
+		winpmem_exe_name = "winpmem_x86.exe";
+
 
 	if (param_memdump) {
-		if (!(config->isSet("MemoryDumpCmdline")) && filecheck((char*)((string)exedir + "\\winpmem.exe").c_str())) {
+		if (!(config->isSet("MemoryDumpCmdline")) && filecheck((char*)((string)exedir + "\\" + winpmem_exe_name).c_str())) {
 			cerr << msg("メモリダンプ用プログラムがありません",
 				"No memory dump program found") << endl;
 		}
 
@@ -62,8 +62,8 @@ IDI_ICON1               ICON                    "collector.ico"
 //
 
 VS_VERSION_INFO VERSIONINFO
- FILEVERSION 1,3,5,0
- PRODUCTVERSION 1,3,5,0
+ FILEVERSION 1,3,6,0
+ PRODUCTVERSION 1,3,6,0
  FILEFLAGSMASK 0x3fL
 #ifdef _DEBUG
  FILEFLAGS 0x1L
@@ -80,12 +80,12 @@ BEGIN
         BEGIN
             VALUE "CompanyName", "Cyber Defense Institute, Inc."
             VALUE "FileDescription", "Data Collection Tool for Incident Response"
-            VALUE "FileVersion", "1.3.5.0"
+            VALUE "FileVersion", "1.3.6.0"
             VALUE "InternalName", "cdir-collector.exe"
-            VALUE "LegalCopyright", "Copyright (C) 2020 Cyber Defense Institute"
+            VALUE "LegalCopyright", "Copyright (C) 2022 Cyber Defense Institute"
             VALUE "OriginalFilename", "cdir-collector.exe"
             VALUE "ProductName", "CDIR Collector"
-            VALUE "ProductVersion", "1.3.5.0"
+            VALUE "ProductVersion", "1.3.6.0"
         END
     END
     BLOCK "VarFileInfo"
 
@@ -9,6 +9,7 @@ WMI = true
 SRUM = true
 Web = true
 ;Target = G:\
+;MemoryDumpCmdline = winpmem_v3.3.rc3.exe -dd --output RAM.aff4
 ;MemoryDumpCmdline = winpmem-2.1.post4.exe --output RAM.aff4
 ;MemoryDumpCmdline = DumpIt.exe /Q /N /T DMP /O RAM.dmp
 ;MemoryDumpCmdline = RamCapture64.exe RAM.raw
 
@@ -39,8 +39,8 @@ https://github.com/CyberDefenseInstitute/CDIR/releases
 * NTFSParserDLL.dll
 * libcrypto-41.dll
 * libssl-43.dll
-* winpmem.exe
-* winpmem-2.1.post4.exe
+* winpmem_x64.exe
+* winpmem_x86.exe
 
 ## 使い方
 
@@ -55,5 +55,4 @@ cdir-collectorは以下のライブラリ、ツールを活用しています。
 * ライブラリ: NTFSParserDLL, LibreSSL
 * ツール: winpmem
 
-winpmem.exeはc-aff4プロジェクト (https://github.com/Velocidex/c-aff4) で提供されているWindows用のメモリ保全プログラムです。
-winpmem-2.1.post4.exeはwinpmem.exeの過去バージョンでrekallプロジェクト (https://github.com/google/rekall) で提供されているプログラムです。
+winpmem_x64.exe、winpmem_x86.exeはWinPmemプロジェクト (https://github.com/Velocidex/WinPmem) で提供されているWindows用のメモリ保全プログラムです。
@@ -40,8 +40,8 @@ Component of cdir-collector:
 * NTFSParserDLL.dll
 * libcrypto-41.dll
 * libssl-43.dll
-* winpmem.exe
-* winpmem-2.1.post4.exe
+* winpmem_x64.exe
+* winpmem_x86.exe
 
 ## How to use
 
@@ -57,5 +57,4 @@ cdir-collector depends on the following library/tools.
 * Library: NTFSParserDLL, LibreSSL
 * Tool: winpmem
 
-winpmem.exe is a part of c-aff4 project (https://github.com/Velocidex/c-aff4). 
-winpmem-2.1.post4.exe is a part of rekall project (https://github.com/google/rekall).
+winpmem_x64.exe and winpmem_x86.exe are parts of winpmem project (https://github.com/Velocidex/WinPmem).