v1.2.1

Author: 4n6ist

CDIR/CDIR.cpp

@@ -41,6 +41,7 @@
 #pragma comment(lib, "libcrypto-38.lib")
 
 #define CHUNKSIZE 262144
+#define BLOCKSIZE 4096
 
 using namespace std;
 
@@ -264,7 +265,10 @@ int StealthGetFile(char *filepath, char *outpath, ostringstream *osslog = NULL,
 		offset = skipclusters * file->volume->GetClusterSize();
 	}
 
-	if (!WriteWrapper::isLocal() && !(SparseSkip && strcmp(filepath, "C:\\$Extend\\$UsnJrnl:$J") == 0)) { // if using WebDAV and reading file except UsnJrnl
+	char journalpath[MAX_PATH + 1];
+	sprintf(journalpath, "%s\\$Extend\\$UsnJrnl:$J", osvolume);
+
+	if (!WriteWrapper::isLocal() && !(SparseSkip && strcmp(filepath, journalpath) == 0)) { // if using WebDAV and reading file except UsnJrnl
 		if (wfile.sendheader()) {
 			fprintf(stderr, "failed to send header.\n");
 			return -1;
@@ -276,7 +280,7 @@ int StealthGetFile(char *filepath, char *outpath, ostringstream *osslog = NULL,
 		int ret;
 
 		if ((ret = StealthReadFile(file, buf, CHUNKSIZE, offset, &bytesread, &bytesleft, filesize)) != 0) {
-			if(SparseSkip && strcmp(filepath, "C:\\$Extend\\$UsnJrnl:$J") == 0){
+			if(SparseSkip && strcmp(filepath, journalpath) == 0){
 				filesize -= offset;
 				skipclusters = 0;
 				file->data = (CAttrBase*)file->fileRecord->FindNextStream("$J", atrnum);
@@ -304,7 +308,7 @@ int StealthGetFile(char *filepath, char *outpath, ostringstream *osslog = NULL,
 				bytesleft = 1; // To continue loop
 				continue;
 			}
-			else if (offset < filesize) {
+			else if (ret == 4 && offset < filesize) {
 				filesize -= offset;
 				file->data = (CAttrBase*)file->fileRecord->FindNextStream(0,atrnum);
 				if (file->data == NULL) {
@@ -317,6 +321,12 @@ int StealthGetFile(char *filepath, char *outpath, ostringstream *osslog = NULL,
 				bytesleft = 1; // To continue loop
 				continue;
 			}
+			else if (ret == 3) {
+				int adjustsize = CHUNKSIZE;
+				adjustsize -= BLOCKSIZE;
+				while (StealthReadFile(file, buf, adjustsize, offset, &bytesread, &bytesleft, filesize) == 3)
+					adjustsize -= BLOCKSIZE;
+			}
 			else{
 				_perror("Error reading file");
 				printf("filename: %s, offset: %lld\n", filepath, offset);
@@ -345,7 +355,10 @@ int StealthGetFile(char *filepath, char *outpath, ostringstream *osslog = NULL,
 			}
 		}
 		// osfile.write((char*)buf, bytesread);
-		wfile.write((char*)buf, bytesread);
+		if (wfile.write((char*)buf, bytesread) < 0) {
+			fprintf(stderr, "failed to write file.\n");
+			return -1;
+		}
 		offset += bytesread;
 	} while (bytesleft > 0 && offset < filesize);
 
@@ -356,7 +369,9 @@ int StealthGetFile(char *filepath, char *outpath, ostringstream *osslog = NULL,
 	StealthCloseFile(file);
 
 	if (WriteWrapper::isLocal()) {
-		CopyFileTime(filepath, outpath);
+		if (CopyFileTime(filepath, outpath)) {
+			fprintf(stderr, "failed to copy filetime: %s\n", filepath);
+		}
 	}
 
 	if (osslog) {
@@ -562,6 +577,12 @@ int get_analysisdata(ostringstream *osslog = NULL) {
 					cerr << msg("ジャーナル 取得失敗", "failed to save journal") << endl;
 				}
 			}
+			else {
+				cerr << msg("ジャーナル 取得完了", "journal is saved") << endl;
+			}
+		}
+		else {
+			cerr << msg("ジャーナル 取得完了", "journal is saved") << endl;
 		}
 	}
 
@@ -771,7 +792,7 @@ int main(int argc, char **argv)
 
 	// chack proces name
 	procname = basename(string(argv[0]));
-	cout << msg("CDIR Collector v1.2 - 初動対応用データ収集ツール", "CDIR Collector v1.2 - Data Acquisition Tool for First Response") << endl;
+	cout << msg("CDIR Collector v1.2.1 - 初動対応用データ収集ツール", "CDIR Collector v1.2.1 - Data Acquisition Tool for First Response") << endl;
 	cout << msg("Cyber Defense Institute, Inc.\n", "Cyber Defense Institute, Inc.\n") << endl;
 
 	// getting config
@@ -831,7 +852,7 @@ int main(int argc, char **argv)
 		_perror("localtime");
 		__exit(EXIT_FAILURE);
 	}
-	if (!strftime(timestamp, sizeof(timestamp), "%Y%m%d%H%M%S", t) || !strftime(t_beg, sizeof(t_beg), "%Y %m/%d %H:%M:%S", t)) {
+	if (!strftime(timestamp, sizeof(timestamp), "%Y%m%d%H%M%S", t) || !strftime(t_beg, sizeof(t_beg), "%Y/%m/%d %H:%M:%S", t)) {
 		_perror("strftime");
 		__exit(EXIT_FAILURE);
 	}
@@ -888,7 +909,8 @@ int main(int argc, char **argv)
 		_perror("GetCurrentDirectory");
 		__exit(EXIT_FAILURE);
 	}
-	cerr << msg("保存先: ", "Output Directory: ") << outdir << endl;
+	if (WriteWrapper::isLocal())
+		cerr << msg("保存先: ", "Output Directory: ") << outdir << endl;
 
 	// start logging
 	ostringstream ossinfo, osslog;
@@ -974,7 +996,7 @@ int main(int argc, char **argv)
 		_perror("localtime");
 		__exit(EXIT_FAILURE);
 	}
-	if (!strftime(t_end, sizeof(t_end), "%Y %m/%d %H:%M:%S", t)) {
+	if (!strftime(t_end, sizeof(t_end), "%Y/%m/%d %H:%M:%S", t)) {
 		_perror("strftime");
 		__exit(EXIT_FAILURE);
 	}
@@ -1022,7 +1044,9 @@ int main(int argc, char **argv)
 
 	string log_str = ossinfo.str();
 	WriteWrapper log("collector-log.txt", log_str.size());
-	log.sendfile(log_str.c_str());
+	if (log.sendfile(log_str.c_str())) {
+		fprintf(stderr, "failed to save log");
+	}
 	log.close();
 	__exit(EXIT_SUCCESS);
 }

CDIR/CDIR.rc

@@ -69,7 +69,7 @@ WriteWrapper::WriteWrapper(char *_filename, ULONGLONG _filesize, bool isDirector
 				string header = "CONNECT " + address + ":443" + " HTTP/1.1" + "\r\n"
 					+ "Host: " + address + ":443\r\n"
 					+ "\r\n";
-				if (write(header.c_str(), header.length()) != 0) {
+				if (write(header.c_str(), header.length()) > 0) {
 					readuntil("\r\n\r\n");
 				}
 			}
@@ -101,6 +101,10 @@ WriteWrapper::WriteWrapper(char *_filename, ULONGLONG _filesize, bool isDirector
 	}
 	else {
 		osfile.open(filename, ios::out | ios::binary | ios::app);
+		if (osfile.fail() && !isDirectory) {
+			fprintf(stderr, "failed to open %s\n", filename);
+			return;
+		}
 	}
 }
 
@@ -249,7 +253,7 @@ string WriteWrapper::urlencode(string s) {
 void WriteWrapper::mkdir(string dirname) {
 	string header = "MKCOL " + join({uriroot, curdir, WriteWrapper::urlencode(dirname)}, "/") + "/" + " HTTP/1.1" + "\r\n"
 		+ "Host: " + address + ":" + to_string(port) + "\r\n\r\n";
-	if (write(header.c_str(), header.length()) == 0) {
+	if (write(header.c_str(), header.length()) <= 0) {
 		cerr << "write failed" << endl;
 	}
 }
@@ -263,15 +267,21 @@ void WriteWrapper::chdir(string dirname) {
 	}
 }
 
-void WriteWrapper::sendfile(const char *data) {
+int WriteWrapper::sendfile(const char *data) {
+	if (data == NULL) {
+		fprintf(stderr, "data must not be NULL\n");
+		return -1;
+	}
 	if(!isLocal())
 		if (sendheader()) {
 			fprintf(stderr, "failed to send header.\n");
-			return;
+			return -1;
 		}
-	if (write(data, filesize) == 0) {
+	if (write(data, filesize) <= 0) {
 		cerr << "write failed" << endl;
+		return -1;
 	}
+	return 0;
 }
 
 int WriteWrapper::sendheader(ULONGLONG size) {
@@ -285,7 +295,7 @@ int WriteWrapper::sendheader(ULONGLONG size) {
 		+ "Host: " + address + ":" + to_string(port) + "\r\n"
 		+ "Content-Length: " + to_string(filesize) + "\r\n"
 		+ "\r\n";
-	if (write(header.c_str(), header.length())) {
+	if (write(header.c_str(), header.length()) > 0) {
 		isHeaderSent = true;
 		return 0;
 	}
@@ -300,6 +310,9 @@ int WriteWrapper::sendheader(ULONGLONG size) {
 /// <param name="size">書き込むサイズ</param>
 /// <returns>失敗すると-1が返る</returns>
 long long WriteWrapper::write(const char *buf, long long size) {
+	if (buf == NULL) {
+		return -1;
+	}
 	if (status == STATUS_REMOTE) {
 		long long sent = 0;
 		int r;
@@ -330,6 +343,9 @@ long long WriteWrapper::write(const char *buf, long long size) {
 }
 
 long long WriteWrapper::read(char *buf, long long size) {
+	if (buf == NULL) {
+		return -1;
+	}
 	if (status == STATUS_REMOTE) {
 		long long recieved = 0;
 		int r;
@@ -384,10 +400,17 @@ string WriteWrapper::readuntil(string delim) {
 
 void WriteWrapper::close() {
 	if (status == STATUS_REMOTE) {
-		closesocket(sock);
-		WSACleanup();
+		if (closesocket(sock)) {
+			_perror("closesocket");
+		}
+		if (WSACleanup()) {
+			_perror("WSACleanup");
+		}
 	}
 	else {
 		osfile.close();
+		if (osfile.is_open()) {
+			fprintf(stderr, "close failed\n");
+		}
 	}
 }

CDIR/WriteWrapper.cpp

@@ -49,7 +49,7 @@ class WriteWrapper
 	string urlencode(string);
 	void mkdir(string);
 	static void chdir(string);
-	void sendfile(const char *);
+	int sendfile(const char *);
 	int sendheader(ULONGLONG = 0);
 	long long write(const char *, long long);
 	long long read(char *, long long);

CDIR/WriteWrapper.h

@@ -28,13 +28,19 @@ void _perror(char *msg) {
 		cerr << "FormatMessage failed" << endl;
 	}
 	else {
-		cerr << msg << ": " << buf << endl;
+		if (msg)
+			cerr << msg << ": ";
+		cerr << buf << endl;
 	}
 }
 
 void mkdir(char *dirname, bool error) {
 	WriteWrapper dir("", 0, true);
 
+	if (dirname == NULL) {
+		fprintf(stderr, "dirname must not be NULL\n");
+		return;
+	}
 	string dirname_s = string(dirname);
 
 	size_t pos;
@@ -100,6 +106,8 @@ string join(vector<string> vs, string delim) {
 }
 
 string hexdump(const unsigned char *s, size_t size) {
+	if (s == NULL)
+		return "";
 	ostringstream res;
 	for (size_t i = 0; i < size; i++) {
 		res << setw(2) << setfill('0') << hex << (unsigned int)s[i];

CDIR/util.cpp

@@ -169,7 +169,11 @@ extern "C" DWORD __declspec(dllexport) StealthReadFile(FileInfo_t* fileInfo, BYT
 			*dataRemaining = fullDataLength - len - offset;
 			return 0; //Success
 		}
-		return 3;
+		else if (fileInfo->data->ReadData(offset, buffer, 1, &len))
+		{
+			return 3;
+		}
+		return 4;
 	}
 	return 2;
 }

NTFSParserDLL/NTFSParserDLL.cpp

@@ -10,6 +10,7 @@ cdir-collectorは初動対応時のデータ保全を支援するためのツー
 * プリフェッチ
 * イベントログ
 * レジストリ
+* Web(履歴、クッキー)
 
 ## ダウンロード
 

README.md

@@ -10,6 +10,7 @@ cdir-collector is a collection tool for first response. it collects the followin
 * Prefetch
 * EventLog
 * Registry
+* Web(History, Cookie)
 
 ## Download