
Commit 2612e35

committedMay 5, 2023
OrcCommand: FastFind: add options '/ResurrectRecords', 'resurrect'
1 parent 14caf6d commit 2612e35

11 files changed

+43
-9
lines changed
 

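--- a/src/OrcCommand/Command/FastFind/ConfigFile_FastFind.cpp
+++ b/src/OrcCommand/Command/FastFind/ConfigFile_FastFind.cpp
@@ -99,6 +99,8 @@ HRESULT Orc::Config::FastFind::filesystem(ConfigItem& parent, DWORD dwIndex)
 return hr;
 if (FAILED(hr = parent[dwIndex].AddChild(yara, FASTFIND_FILESYSTEM_YARA)))
 return hr;
+if (FAILED(hr = parent[dwIndex].AddAttribute(L"resurrect", FASTFIND_FILESYSTEM_RESURRECT, ConfigItem::OPTION)))
+return hr;
 return S_OK;
 }
 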
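--- a/src/OrcCommand/Command/FastFind/ConfigFile_FastFind.h
+++ b/src/OrcCommand/Command/FastFind/ConfigFile_FastFind.h
@@ -35,6 +35,7 @@ constexpr auto FASTFIND_FILESYSTEM_KNOWNLOCATIONS = 1L;
 constexpr auto FASTFIND_FILESYSTEM_FILEFIND = 2L;
 constexpr auto FASTFIND_FILESYSTEM_EXCLUDE = 3L;
 constexpr auto FASTFIND_FILESYSTEM_YARA = 4L;
+constexpr auto FASTFIND_FILESYSTEM_RESURRECT = 5L;
 
 constexpr auto FASTFIND_REGISTRY_LOCATIONS = 0L;
 constexpr auto FASTFIND_REGISTRY_KNOWNLOCATIONS = 1L;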

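--- a/src/OrcCommand/Command/FastFind/FastFind.h
+++ b/src/OrcCommand/Command/FastFind/FastFind.h
@@ -252,7 +252,7 @@ class ORCUTILS_API Main : public UtilitiesMain
 bool bAll = false;
 WCHAR Volume = 0;
 
-bool bSkipDeleted = true;
+bool bResurrect = false;
 
 FileSystemSpec FileSystem;
 RegistrySpec Registry;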
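Review bot: Nothing at the new `bResurrect` declaration says what it controls, and because it replaces `bSkipDeleted` with inverted polarity, a reader of this header alone cannot tell that the old `/SkipDeleted` switch still feeds it (it does in FastFind_Config.cpp in this commit, via `config.bResurrect = !bSkipDeleted`). The effective default is unchanged — deleted records were skipped before and are not resurrected now — but that equivalence is worth stating where the member lives. `bool bResurrect = false;  // also walk MFT records no longer in use (deleted files); set by /ResurrectRecords, or by the legacy /SkipDeleted switch with inverted meaning` — the exact value syntax depends on BooleanOption, which is not visible here. The enclosing class continues outside the hunk.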

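--- a/src/OrcCommand/Command/FastFind/FastFindSqlSchema.xml
+++ b/src/OrcCommand/Command/FastFind/FastFindSqlSchema.xml
@@ -4,7 +4,7 @@
 
 <table key="FastFindFileSystem">
 
-<utf8 name="ComputerName" maxlen="50" />
+<utf8 name="ComputerName" maxlen="50" />
 <uint64 name="VolumeID" allows_null="no" fmt="0x{:016X}" />
 <utf16 name="FullName" maxlen="32k" />
 <uint64 name="FRN" fmt="0x{:016X}" allows_null="no" />
@@ -27,7 +27,8 @@
 <binary name="SHA1" len="20" />
 <binary name="SHA256" len="32" fmt="{:02X}"/>
 
-<guid name="SnapshotID" allows_null="no" />
+<guid name="SnapshotID" allows_null="no" />
+<bool name="RecordInUse" allows_null="no" />
 
 </table>
 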
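Review bot: The new `RecordInUse` column carries no note tying its position to the writer that fills it: `FileFind::Match::Write(ITableOutput&)` in this commit emits `WriteBool(!DeletedRecord)` immediately after `WriteGUID(SnapshotID)`, and both `Write` overloads plus this schema must keep that order, otherwise every row shifts by one column with no error raised. A comment next to the column would make the coupling visible to the next person who adds a field: `<!-- written by FileFind::Match::Write right after SnapshotID; keep order in sync with both ITableOutput overloads -->`. Appending the column last is the compatible choice for consumers that read by position. The first hunk of this section is whitespace-only.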

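--- a/src/OrcCommand/Command/FastFind/FastFind_Config.cpp
+++ b/src/OrcCommand/Command/FastFind/FastFind_Config.cpp
@@ -10,6 +10,8 @@
 
 #include <string>
 
+#include <boost/algorithm/string.hpp>
+
 #include "FastFind.h"
 
 #include "SystemDetails.h"
@@ -182,6 +184,11 @@ HRESULT Main::GetConfigurationFromConfig(const ConfigItem& configitem)
 
 config.Yara = std::make_unique<YaraConfig>(std::move(*yaraConfig));
 }
+
+if (filesystem[FASTFIND_FILESYSTEM_RESURRECT])
+{
+config.bResurrect = boost::iequals(filesystem[FASTFIND_FILESYSTEM_RESURRECT].c_str(), L"yes");
+}
 }
 
 if (configitem[FASTFIND_REGISTRY])
@@ -314,13 +321,18 @@ HRESULT Main::GetConfigurationFromArgcArgv(int argc, LPCWSTR argv[])
 
 for (int i = 0; i < argc; i++)
 {
+bool bSkipDeleted = false;
 switch (argv[i][0])
 {
 case L'/':
 case L'-':
 if (ProcessPriorityOption(argv[i]))
 ;
-else if (BooleanOption(argv[i] + 1, L"SkipDeleted", config.bSkipDeleted))
+else if (BooleanOption(argv[i] + 1, L"SkipDeleted", bSkipDeleted))
+{
+config.bResurrect = !bSkipDeleted;
+}
+else if (BooleanOption(argv[i] + 1, L"ResurrectRecords", config.bResurrect))
 ;
 else if (ShadowsOption(
 argv[i] + 1, L"Shadows", config.FileSystem.bAddShadows, config.FileSystem.m_shadows))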
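Review bot: In `GetConfigurationFromConfig`, `config.bResurrect = boost::iequals(..., L"yes")` treats every value other than `yes` — `true`, `1`, a trailing space, a typo — as `no` without any diagnostic, so an analyst who believes deleted records are being resurrected can silently get none; for a triage tool that is missed evidence, not a cosmetic issue. Accepting `yes`/`no` explicitly and logging anything else keeps the current semantics for valid input while making the failure visible (only `Log::Error` is visible in this commit, so use whichever warning-level call the project's logger provides). Separately, in the argv loop both `/SkipDeleted` and `/ResurrectRecords` write `config.bResurrect`, so when both appear the later one wins silently; a one-line comment marking `/SkipDeleted` as the legacy spelling would help the next reader. Both enclosing functions continue outside their hunks.
```cpp
if (filesystem[FASTFIND_FILESYSTEM_RESURRECT])
{
    const auto& value = filesystem[FASTFIND_FILESYSTEM_RESURRECT];
    if (boost::iequals(value.c_str(), L"yes"))
        config.bResurrect = true;
    else if (boost::iequals(value.c_str(), L"no"))
        config.bResurrect = false;
    else
        Log::Warn(L"Ignoring invalid 'resurrect' value '{}' (expected 'yes' or 'no')", value.c_str());
}
```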

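--- a/src/OrcCommand/Command/FastFind/FastFind_Run.cpp
+++ b/src/OrcCommand/Command/FastFind/FastFind_Run.cpp
@@ -271,7 +271,8 @@ HRESULT Main::RunFileSystem()
 
 return;
 },
-true);
+true,
+config.bResurrect);
 
 if (FAILED(hr))
 {
@@ -308,6 +309,7 @@ HRESULT Main::RunRegistry()
 aFileMatch->MatchingNames.front().FullPathName,
 aFileMatch->Term->GetDescription());
 },
+false,
 false);
 
 if (FAILED(hr))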
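Review bot: `RunRegistry` passes a hard `false` for `bResurrectRecords` while `RunFileSystem` passes `config.bResurrect`, so neither `/ResurrectRecords` nor the `resurrect` config attribute ever reaches the hive search, and nothing at the call says whether that is intended. If it is deliberate — a deleted hive's clusters may already have been reused, so parsing it would be unreliable; that is an inference, not something the hunk shows — it should be stated where the decision is made. Two adjacent positional `false`s are also indistinguishable to a reader; `/*bParseI30Data*/ false, /*bResurrectRecords*/ false  // deleted hives are never resurrected` names both without changing behaviour. Both enclosing functions start and end outside the hunks.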

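--- a/src/OrcCommand/Command/GetThis/GetThis_Run.cpp
+++ b/src/OrcCommand/Command/GetThis/GetThis_Run.cpp
@@ -1430,6 +1430,7 @@ HRESULT Main::FindMatchingSamples()
 hr = FileFinder.Find(
 config.Locations,
 std::bind(&Main::OnMatchingSample, this, std::placeholders::_1, std::placeholders::_2),
+false,
 false);
 
 if (FAILED(hr))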

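--- a/src/OrcLib/FileFind.cpp
+++ b/src/OrcLib/FileFind.cpp
@@ -382,6 +382,8 @@ HRESULT FileFind::Match::Write(ITableOutput& output)
 
 output.WriteGUID(SnapshotID);
 
+output.WriteBool(!DeletedRecord);
+
 output.WriteEndOfLine();
 }
 }
@@ -424,6 +426,8 @@ HRESULT FileFind::Match::Write(ITableOutput& output)
 
 output.WriteGUID(SnapshotID);
 
+output.WriteBool(!DeletedRecord);
+
 output.WriteEndOfLine();
 }
 }
@@ -443,6 +447,7 @@ HRESULT FileFind::Match::Write(IStructuredOutput& pWriter, LPCWSTR szElement)
 {
 LARGE_INTEGER* pLI = (LARGE_INTEGER*)&FRN;
 pWriter.WriteNamed(L"frn", (ULONGLONG)pLI->QuadPart, true);
+pWriter.WriteNamed(L"record_in_use", DeletedRecord ? "N" : "Y", true);
 
 pWriter.WriteNamed(L"volume_id", VolumeReader->VolumeSerialNumber(), true);
 
@@ -4285,7 +4290,11 @@ HRESULT FileFind::ExcludeMatch(const std::shared_ptr<Match>& aMatch)
 return S_FALSE;
 }
 
-HRESULT FileFind::Find(const LocationSet& locations, FileFind::FoundMatchCallback aCallback, bool bParseI30Data)
+HRESULT FileFind::Find(
+const LocationSet& locations,
+FileFind::FoundMatchCallback aCallback,
+bool bParseI30Data,
+bool bResurrectRecords)
 {
 HRESULT hr = E_FAIL;
 
@@ -4319,7 +4328,7 @@ HRESULT FileFind::Find(const LocationSet& locations, FileFind::FoundMatchCallbac
 
 m_pVolReader = aLoc->GetReader();
 
-if (FAILED(hr = walk.Initialize(aLoc, false)))
+if (FAILED(hr = walk.Initialize(aLoc, bResurrectRecords)))
 {
 if (hr == HRESULT_FROM_WIN32(ERROR_FILE_SYSTEM_LIMITATION))
 {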
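Review bot: In the `Write(IStructuredOutput&)` hunk the new flag is emitted as the narrow strings `"N"`/`"Y"` under the wide key `L"record_in_use"`, while the two `Write(ITableOutput&)` hunks above emit the same fact as `output.WriteBool(!DeletedRecord)`; consumers of the two output formats therefore see one fact in two shapes, and the narrow literals next to a wide key rely on a `WriteNamed` overload that is not visible here. If `IStructuredOutput::WriteNamed` has a `bool` overload, `pWriter.WriteNamed(L"record_in_use", !DeletedRecord, true);` keeps both outputs in step; otherwise `L"Y"`/`L"N"` at least keeps the string width consistent. Either way the field deserves a comment for analysts reading the output: `// false for a record the MFT no longer marks in use (reached only with bResurrectRecords); its data runs may have been reallocated since deletion, so the name, hashes and content of such a match are indicative, not authoritative` — the reallocation caveat is an inference about resurrected records and should be confirmed against the walker. `FileFind::Match::Write` continues outside the hunk.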

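--- a/src/OrcLib/FileFind.h
+++ b/src/OrcLib/FileFind.h
@@ -506,7 +506,8 @@ class FileFind
 HRESULT AddExcludeTermsFromConfig(const ConfigItem& items);
 HRESULT AddExcludeTerm(const std::shared_ptr<SearchTerm>& FindSpec);
 
-HRESULT Find(const LocationSet& locations, FoundMatchCallback aCallback, bool bParseI30Data);
+HRESULT
+Find(const LocationSet& locations, FoundMatchCallback aCallback, bool bParseI30Data, bool bResurrectRecords);
 
 const std::vector<std::shared_ptr<Match>>& Matches() const { return m_Matches; }
 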
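Review bot: The new `bResurrectRecords` parameter is undocumented in the header, and with two trailing `bool`s every caller updated in this commit now passes an indistinguishable `false, false`. A comment above the declaration would carry the contract: `// bResurrectRecords: also walk MFT records no longer marked in use (deleted files); such matches are reported with Match::DeletedRecord set` — the DeletedRecord link is what the Write overloads in FileFind.cpp show, the MFT detail is inferred from `walk.Initialize(aLoc, bResurrectRecords)` and should be confirmed. A defaulted `bool bResurrectRecords = false` would have left the four existing callers untouched; the explicit update chosen here is defensible for a flag that changes what gets reported, but the reason belongs next to the declaration. The enclosing class continues outside the hunk.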

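--- a/src/OrcLib/HiveQuery.cpp
+++ b/src/OrcLib/HiveQuery.cpp
@@ -46,6 +46,7 @@ HRESULT HiveQuery::BuildStreamList()
 }
 }
 },
+false,
 false);
 
 if (FAILED(hr))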

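--- a/src/OrcLib/USNJournalWalkerOffline.cpp
+++ b/src/OrcLib/USNJournalWalkerOffline.cpp
@@ -85,6 +85,7 @@ HRESULT USNJournalWalkerOffline::Initialize(const std::shared_ptr<Location>& loc
 Log::Error("Failed to find USN journal data attribute");
 }
 },
+false,
 false)))
 {
 Log::Error("Failed to parse location while searching for USN journal");
@@ -180,7 +181,10 @@ HRESULT USNJournalWalkerOffline::ReadJournal(const IUSNJournalWalker::Callbacks&
 if (pChunk == nullptr)
 return E_OUTOFMEMORY;
 
-BOOST_SCOPE_EXIT(&pChunk) { HeapFree(GetProcessHeap(), 0, pChunk); }
+BOOST_SCOPE_EXIT(&pChunk)
+{
+HeapFree(GetProcessHeap(), 0, pChunk);
+}
 BOOST_SCOPE_EXIT_END;
 
 if (S_OK == m_USNJournal->CanRead())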
