Make fastfind package
lprat opened this issue · 1 comment
lprat commented
Hi,
I would like to build a FastFind package.
I tried two different approaches:
First approach (tried to run FastFind through WolfLauncher via self:#):
DFIR-ORC_embed.xml:
<?xml version="1.0" encoding="utf-8"?>
<!-- First attempt: the package starts WolfLauncher, whose configuration (DFIR-ORC_config.xml,
     embedded as WOLFLAUNCHER_CONFIG) is meant to run the FastFind command.
     The reporter states that this variant failed at launch with a WOLFLAUNCHER_CONFIG format error. -->
<toolembed>
<!-- 32-bit binary used as the packaged executable (run32 refers to it as self:#);
     the 64-bit binary is shipped inside the "Tools" 7z archive below and referenced by run64 -->
<input>.\tools\DFIR-Orc_x86.exe</input>
<output>.\output\%ORC_OUTPUT%</output>
<run32 args="WolfLauncher">self:#</run32>
<run64 args="WolfLauncher">7z:#Tools|DFIR-Orc_x64.exe</run64>
<!-- resources embedded from %ORC_CONFIG_FOLDER%: the wolf configuration, the yara ruleset
     (referenced from fastfind.xml as res:#ruleset.yara) and the FastFind configuration itself -->
<file name="WOLFLAUNCHER_CONFIG" path=".\%ORC_CONFIG_FOLDER%\DFIR-ORC_config.xml"/>
<file name="ruleset.yara" path=".\%ORC_CONFIG_FOLDER%\ruleset.yara"/>
<file name="fastfind.xml" path=".\%ORC_CONFIG_FOLDER%\fastfind.xml"/>
<archive name="Tools" format="7z" compression="Ultra">
<file name="DFIR-Orc_x64.exe" path=".\tools\DFIR-Orc_x64.exe"/>
</archive>
</toolembed>
DFIR-ORC_config.xml:
<?xml version="1.0" encoding="utf-8"?>
<!-- WolfLauncher configuration for the first attempt: a single command keyword, "FastFind",
     that runs the embedded binary with the embedded fastfind.xml as its configuration.
     NOTE(review): the reporter says this layout was rejected as a WOLFLAUNCHER_CONFIG at launch;
     the working package in the follow-up comment passes the FastFind command line directly
     through run32/run64 args instead of going through WolfLauncher. -->
<wolf childdebug="no" command_timeout="600">
<command keyword="FastFind">
<!-- res:#fastfind.xml refers to the fastfind.xml resource embedded by DFIR-ORC_embed.xml;
     self:#FastFind presumably selects the FastFind tool of the same binary (confirm against the WolfLauncher documentation) -->
<execute name="DFIR-Orc.exe" run="self:#FastFind"/>
<argument>/config=res:#fastfind.xml</argument>
<!-- output log: the name uses the {SystemType}/{FullComputerName}/{TimeStamp} placeholders and is
     presumably substituted into /out={FileName} on the command line -->
<output name="FastFind_{SystemType}_{FullComputerName}_{TimeStamp}.log" source="File" argument="/out={FileName}"/>
</command>
</wolf>
Second approach (tried to call ORC directly with the FastFind config):
DFIR-ORC_embed.xml:
<?xml version="1.0" encoding="utf-8"?>
<!-- Second attempt: identical to the first embed, except that fastfind.xml is embedded under the
     WOLFLAUNCHER_CONFIG name, so WolfLauncher is handed a FastFind configuration rather than a
     wolf configuration. The reporter states this variant failed with the same format error. -->
<toolembed>
<input>.\tools\DFIR-Orc_x86.exe</input>
<output>.\output\%ORC_OUTPUT%</output>
<run32 args="WolfLauncher">self:#</run32>
<run64 args="WolfLauncher">7z:#Tools|DFIR-Orc_x64.exe</run64>
<!-- NOTE(review): the file at this path is the <fastfind> document shown below, not a <wolf> document -->
<file name="WOLFLAUNCHER_CONFIG" path=".\%ORC_CONFIG_FOLDER%\fastfind.xml"/>
<file name="ruleset.yara" path=".\%ORC_CONFIG_FOLDER%\ruleset.yara"/>
<archive name="Tools" format="7z" compression="Ultra">
<file name="DFIR-Orc_x64.exe" path=".\tools\DFIR-Orc_x64.exe"/>
</archive>
</toolembed>
fastfind.xml (taken from the example in your documentation):
<!-- FastFind configuration, copied from the documentation example according to the reporter.
     The hashes, sizes, file names, registry values and object names below are the sample
     indicators from that example; replace them with the indicators the package should actually look for. -->
<fastfind version="Test 2.0">
<filesystem>
<!-- shadows="yes": presumably also scans volume shadow copies of the location; confirm in the FastFind documentation -->
<location shadows="yes">%SystemDrive%</location>
<!-- yara rules come from the ruleset.yara resource embedded by DFIR-ORC_embed.xml -->
<yara source="res:#ruleset.yara" block="2M" timeout="120" overlap="8192" scan_method="filemapping" />
<!-- file matches: by size plus md5, and by name pattern -->
<ntfs_find size="694160" md5="1CECAFE147F1CC3E2B9804B8CDA593C9"/>
<ntfs_find name_match="gdi*.dll"/>
<!-- exclusions, one criterion each: exact path, path pattern, sha1, size, content substring -->
<ntfs_exclude path="\Windows\System32\ntdll.dll"/>
<ntfs_exclude path_match="\Windows\System32\gdi*.dll"/>
<ntfs_exclude sha1="c766364efd9c9b5aa3a7140a69f0cf5b147bc476"/>
<ntfs_exclude size="14966411"/>
<ntfs_exclude contains="bcryptprimitives.pdb"/>
</filesystem>
<registry>
<location>%SystemDrive%\</location>
<!-- each hive entry names the hive file to locate (ntfs_find) and the key/value to look up inside it -->
<hive name="NTUSER">
<ntfs_find name="NTUSER.DAT"/>
<registry_find key_path="\Software\Microsoft\Internet Explorer\Main" value="Check_Associations" data="no"/>
</hive>
<hive name="SOFTWARE">
<ntfs_find name="SOFTWARE"/>
<registry_find key_path="\Microsoft\Windows\CurrentVersion\Run" value="SecurityHealth"/>
</hive>
</registry>
<!-- named kernel objects to look for, by object type and name -->
<object>
<object_find type="Mutant" name="foo"/>
<object_find type="File" name="foobar"/>
</object>
</fastfind>
In both cases the build works, but when I launch ORC_packaged.exe, execution returns an error because the WOLFLAUNCHER_CONFIG file is not in the correct format...
Can you give me an example config, please?
Thanks.
Lionel
lprat commented
Sorry, I found the correct config:
<?xml version="1.0" encoding="utf-8"?>
<!-- Working package per the reporter: no WolfLauncher layer. The packaged binary is started with
     the FastFind command line directly, pointing at the embedded fastfind.xml resource.
     NOTE(review): the binaries under .\tools\ end up inside the deployable package; check that they
     are the release builds you expect before building. -->
<toolembed>
<input>.\tools\DFIR-Orc_x86.exe</input>
<output>.\output\%ORC_OUTPUT%</output>
<!-- run32 and run64 carry the same FastFind command line: res:#fastfind.xml resolves to the file
     resource embedded below, and the /out log name uses the {SystemType}/{FullComputerName}/{TimeStamp} placeholders -->
<run32 args="FastFind /config=res:#fastfind.xml /out=FastFind_{SystemType}_{FullComputerName}_{TimeStamp}.log">self:#</run32>
<run64 args="FastFind /config=res:#fastfind.xml /out=FastFind_{SystemType}_{FullComputerName}_{TimeStamp}.log">7z:#Tools|DFIR-Orc_x64.exe</run64>
<!-- both resources must be embedded: fastfind.xml is referenced by the run args, ruleset.yara by
     the <yara source="res:#ruleset.yara"> element inside fastfind.xml -->
<file name="ruleset.yara" path=".\%ORC_CONFIG_FOLDER%\ruleset.yara"/>
<file name="fastfind.xml" path=".\%ORC_CONFIG_FOLDER%\fastfind.xml"/>
<!-- 64-bit binary shipped compressed; run64 refers to it as 7z:#Tools|DFIR-Orc_x64.exe -->
<archive name="Tools" format="7z" compression="Ultra">
<file name="DFIR-Orc_x64.exe" path=".\tools\DFIR-Orc_x64.exe"/>
</archive>
</toolembed>