forked from DFIR-ORC/dfir-orc.github.io
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathresources.html
242 lines (221 loc) · 12.5 KB
/
resources.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>Referencing Resources in Configurations — DFIR ORC documentation</title>
<link rel="stylesheet" href="_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="_static/solar.css" type="text/css" />
<link rel="stylesheet" type="text/css" href="_static/css/custom.css" />
<script id="documentation_options" data-url_root="./" src="_static/documentation_options.js"></script>
<script src="_static/jquery.js"></script>
<script src="_static/underscore.js"></script>
<script src="_static/doctools.js"></script>
<script src="_static/language_data.js"></script>
<link rel="index" title="Index" href="genindex.html" />
<link rel="search" title="Search" href="search.html" />
<link rel="next" title="DFIR ORC Command-line Options" href="cli_options.html" />
<link rel="prev" title="Configuration" href="configuration.html" /><link href='http://fonts.googleapis.com/css?family=Source+Code+Pro|Open+Sans:300italic,400italic,700italic,400,300,700' rel='stylesheet' type='text/css'>
<link href="_static/solarized-dark.css" rel="stylesheet">
</head><body>
<div class="related" role="navigation" aria-label="related navigation">
<h3>Navigation</h3>
<ul>
<li class="right" >
<a href="cli_options.html" title="DFIR ORC Command-line Options"
accesskey="N">next</a>
<li class="right" >
<a href="configuration.html" title="Configuration"
accesskey="P">previous</a>
|</li>
<li class="nav-item nav-item-0"><a href="index.html">DFIR ORC documentation</a> »</li>
<li class="nav-item nav-item-1"><a href="configuration.html" accesskey="U">Configuration</a> »</li>
</ul>
</div>
<div class="sphinxsidebar" role="navigation" aria-label="main navigation">
<div class="sphinxsidebarwrapper">
<p class="logo"><a href="index.html">
<img class="logo" src="_static/logo.jpg" alt="Logo"/>
</a></p>
<h3><a href="index.html">Table of Contents</a></h3>
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="index.html">Introduction</a></li>
<li class="toctree-l1"><a class="reference internal" href="tuto.html">Tutorial</a></li>
<li class="toctree-l1"><a class="reference internal" href="platforms.html">Requirements</a></li>
<li class="toctree-l1"><a class="reference internal" href="intro_to_data_collection.html">Design and Architecture</a></li>
<li class="toctree-l1 current"><a class="reference internal" href="configuration.html">Configuration</a><ul class="current">
<li class="toctree-l2 current"><a class="current reference internal" href="#">Referencing Resources in Configurations</a></li>
<li class="toctree-l2"><a class="reference internal" href="cli_options.html">DFIR ORC Command-line Options</a></li>
<li class="toctree-l2"><a class="reference internal" href="wolf_config.html">WolfLauncher Configuration File</a></li>
<li class="toctree-l2"><a class="reference internal" href="ToolEmbed.html">ToolEmbed</a></li>
<li class="toctree-l2"><a class="reference internal" href="orc_local_config.html">DFIR ORC Local Configuration File</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="embedded_tool_suite.html">Embedded Tool Suite</a></li>
<li class="toctree-l1"><a class="reference internal" href="licenses.html">Licenses</a></li>
</ul>
<div id="searchbox" style="display: none" role="search">
<h3 id="searchlabel">Quick search</h3>
<div class="searchformwrapper">
<form class="search" action="search.html" method="get">
<input type="text" name="q" aria-labelledby="searchlabel" />
<input type="submit" value="Go" />
</form>
</div>
</div>
<script type="text/javascript">$('#searchbox').show(0);</script>
</div>
</div>
<div class="document">
<div class="documentwrapper">
<div class="bodywrapper">
<div class="body" role="main">
<div class="section" id="referencing-resources-in-configurations">
<h1>Referencing Resources in Configurations<a class="headerlink" href="#referencing-resources-in-configurations" title="Permalink to this headline">¶</a></h1>
<div class="section" id="syntax">
<h2>Syntax<a class="headerlink" href="#syntax" title="Permalink to this headline">¶</a></h2>
<p>The section <a class="reference internal" href="architecture.html#architecture-config-process"><span class="std std-ref">Configuration Process</span></a> explains the embedding of tools as resources of configured and unconfigured binaries.
To reference an embedded resource, Mothership and WolfLauncher use the syntax below. Configuration files rely on these notations.</p>
<ul>
<li><p>For a resource directly available “in clear text” (as opposed to inside an archive like 7zip or cab):</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">res</span><span class="p">:</span><span class="c1">#ressource_name</span>
</pre></div>
</div>
<p>For example, the string <code class="docutils literal notranslate"><span class="pre">res:#getthis_evt</span></code> references the resource named getthis_evt in the Embed configuration file for Mothership. Such a resource is created by the following <a class="reference internal" href="ToolEmbed.html"><span class="doc">ToolEmbed</span></a> XML configuration:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="o"><</span><span class="n">file</span> <span class="n">name</span><span class="o">=</span><span class="s2">"getthis_evt"</span> <span class="n">path</span><span class="o">=</span><span class="s2">".\%ORC_CONFIG_FOLDER%\GetEvents_config.xml"</span><span class="o">/></span>
</pre></div>
</div>
<p>See <a class="reference internal" href="ToolEmbed.html"><span class="doc">ToolEmbed</span></a> for more examples.</p>
</li>
<li><p>To reference a resource via an entry into an archive embedded in Mothership:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">archive_format</span><span class="p">:</span><span class="c1">#archive_name|resource_name</span>
</pre></div>
</div>
<p>For example, the string <code class="docutils literal notranslate"><span class="pre">7z:#Tools|autorunsc.exe</span></code> will reference the resource autorunsc.exe in the 7zip archive named Tools. Such a resource is created by the following <a class="reference internal" href="ToolEmbed.html"><span class="doc">ToolEmbed</span></a> XML configuration:</p>
<blockquote>
<div><div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt"><archive</span> <span class="na">name=</span><span class="s">"Tools"</span> <span class="na">format=</span><span class="s">"7z"</span> <span class="na">compression=</span><span class="s">"Ultra"</span><span class="nt">></span>
<span class="nt"><file</span> <span class="na">name=</span><span class="s">"autorunsc.exe"</span> <span class="na">path=</span><span class="s">".\tools\autorunsc.exe"</span><span class="nt">/></span>
<span class="nt"></archive></span>
</pre></div>
</div>
</div></blockquote>
<p>See <a class="reference internal" href="ToolEmbed.html"><span class="doc">ToolEmbed</span></a> for more examples.</p>
</li>
<li><p>Lastly, it is possible to invoke one of the embedded tools, e.g. NTFSInfo, by writing <code class="docutils literal notranslate"><span class="pre">run=self:#NTFSInfo</span></code>. The <code class="docutils literal notranslate"><span class="pre">self:#</span></code> string
refers to the unconfigured binary used to run WolfLauncher, e.g. <code class="docutils literal notranslate"><span class="pre">DFIR-Orc_x86.exe</span></code>. Thus, when <code class="docutils literal notranslate"><span class="pre">run=self:#NTFSInfo</span></code> is used
in configurations, WolfLauncher creates a new process using its unconfigured binary, <code class="docutils literal notranslate"><span class="pre">DFIR-Orc_x86.exe</span></code> in our example, and passes it
the name of the tool as argument. Hence, the command line of the new process would be <code class="docutils literal notranslate"><span class="pre">DFIR-Orc_x86.exe</span> <span class="pre">NTFSInfo</span></code>, with maybe other arguments added in the configuration. As explained in <a class="reference internal" href="architecture.html#architecture-tools-cli"><span class="std std-ref">Tools Invoked Directly From Command-line</span></a>, such a line runs the embedded tool NTFSInfo.</p></li>
</ul>
</div>
<div class="section" id="well-known-resources-or-variables">
<h2>Well-known Resources or Variables<a class="headerlink" href="#well-known-resources-or-variables" title="Permalink to this headline">¶</a></h2>
<p>Below are listed well-known resources and variables defined in DFIR ORC.</p>
<table class="colwidths-given docutils align-default">
<colgroup>
<col style="width: 25%" />
<col style="width: 50%" />
<col style="width: 25%" />
</colgroup>
<thead>
<tr class="row-odd"><th class="head"><p>Name</p></th>
<th class="head"><p>Description</p></th>
<th class="head"><p>Typical content</p></th>
</tr>
</thead>
<tbody>
<tr class="row-even"><td><p>WOLFLAUNCHER_CONFIG</p></td>
<td><p>Default DFIR ORC configuration to execute</p></td>
<td></td>
</tr>
<tr class="row-odd"><td><p>WOLFLAUNCHER_SQLSCHEMA</p></td>
<td><p>DFIR ORC output’s schema</p></td>
<td><p>WolfLauncherSqlSchema.xml</p></td>
</tr>
<tr class="row-even"><td><p>FASTFIND_SQLSCHEMA</p></td>
<td><p>DFIR ORC output’s schema</p></td>
<td></td>
</tr>
<tr class="row-odd"><td><p>GETSAMPLES_SQLSCHEMA</p></td>
<td><p>GetSamples output’s schema</p></td>
<td><p>GetSamplesSchema.xml</p></td>
</tr>
<tr class="row-even"><td><p>GETTHIS_SQLSCHEMA</p></td>
<td><p>GetThis output’s schema</p></td>
<td><p>GetThisSqlSchema.xml</p></td>
</tr>
<tr class="row-odd"><td><p>IMPORTCSV_SQLSCHEMA</p></td>
<td><p>ImportCSV output’s schema</p></td>
<td><p>empty</p></td>
</tr>
<tr class="row-even"><td><p>REGINFO_SQLSCHEMA</p></td>
<td><p>RegInfo output’s schema</p></td>
<td><p>RegInfoSqlSchema.xml</p></td>
</tr>
<tr class="row-odd"><td><p>USNINFO_SQLSCHEMA</p></td>
<td><p>USNInfo output’s schema</p></td>
<td><p>USNInfoSqlSchema.xml</p></td>
</tr>
<tr class="row-even"><td><p>NTFSINFO_SQLSCHEMA</p></td>
<td><p>NTFSInfo output’s schema</p></td>
<td><p>NTFSInfoSqlSchema.xml</p></td>
</tr>
<tr class="row-odd"><td><p>TOOLEMBED_SQLSCHEMA</p></td>
<td><p>ToolEmbed output’s schema</p></td>
<td><p>empty</p></td>
</tr>
<tr class="row-even"><td><p>OBJINFO_SCHEMA</p></td>
<td><p>ObjInfo output’s schema</p></td>
<td><p>ObjInfoSchema.xml</p></td>
</tr>
<tr class="row-odd"><td><p>DBGHELP_X86DLL</p></td>
<td><p>Reference to the x86 dbgeng.dll resource</p></td>
<td></td>
</tr>
<tr class="row-even"><td><p>DBGHELP_X64DLL</p></td>
<td><p>Reference to the x64 dbgeng.dll resource</p></td>
<td></td>
</tr>
<tr class="row-odd"><td><p>XMLLITE_X86DLL</p></td>
<td><p>XmlLite is missing on XP SP2. We embark it and this is the reference to it.</p></td>
<td><p>res:#XMLLITE_X86_XPSP2</p></td>
</tr>
<tr class="row-even"><td><p>XMLLITE_X86_XPSP2</p></td>
<td><p>This is XP SP2’s redistribution of xmllite.dll</p></td>
<td><p>..\XmlLite\xmllite.dll</p></td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="clearer"></div>
</div>
</div>
</div>
<div class="clearer"></div>
</div>
<div class="related" role="navigation" aria-label="related navigation">
<h3>Navigation</h3>
<ul>
<li class="right" >
<a href="cli_options.html" title="DFIR ORC Command-line Options"
>next</a>
<li class="right" >
<a href="configuration.html" title="Configuration"
>previous</a>
|</li>
<li class="nav-item nav-item-0"><a href="index.html">DFIR ORC documentation</a> »</li>
<li class="nav-item nav-item-1"><a href="configuration.html" >Configuration</a> »</li>
</ul>
</div>
<script type="text/javascript">
$(document).ready(function() {
$(".toggle > *").hide();
$(".toggle .header").show();
$(".toggle .header").click(function() {
$(this).parent().children().not(".header").toggle(400);
$(this).parent().children(".header").toggleClass("open");
})
});
</script>
</body>
</html>