Merge pull request #259 from ION28/develop

Merge Develop to Master for v0.4.2-alpha

Author: Jake Smith

.github/workflows/main.yml

@@ -20,13 +20,22 @@ jobs:
     runs-on: windows-latest
 
     steps:
-    - uses: actions/checkout@v1
+    - uses: actions/checkout@v2
 
     - name: Setup NuGet.exe
       uses: warrenbuckley/Setup-Nuget@v1
 
     - name: Update submodules
-      run: git submodule update --init --recursive --remote
+      run: git submodule update --init --recursive
+
+    - name: Install vcpkg
+      shell: powershell
+      run: |
+        cd vcpkg
+        .\bootstrap-vcpkg.bat
+        .\vcpkg.exe install yara:${{ matrix.buildarch }}-windows-static
+        .\vcpkg.exe integrate install
+        cd ..
 
     - name: Download NuGet packages
       run: nuget restore BLUESPAWN.sln
@@ -40,14 +49,6 @@ jobs:
       run: powershell set-executionpolicy Unrestricted
       shell: powershell
 
-    - name: Run Atomic Red Team Prep Script
-      run: testing\run-atomic-prep.ps1
-      shell: powershell
-
-    - name: Run Atomic Red Team Tests
-      run: testing\run-atomic-tests.ps1
-      shell: powershell
-
     - name: Run BLUESPAWN Hunt
       run: artifacts\${{ matrix.buildarch }}\${{ matrix.buildtype }}\BLUESPAWN-client.exe --hunt -l Normal --log=xml --reaction=log
       shell: cmd
@@ -56,20 +57,11 @@ jobs:
       run: Get-ChildItem "bluespawn*.xml" | Rename-Item -NewName BLUESPAWNHuntResults.xml
       shell: powershell
 
-    - name: TESTS - Check BLUESPAWN Hunt Results against Atomic Red Team Results
-      run: testing\run-hunt-results-comparison.ps1
-      shell: powershell
-
     - uses: actions/upload-artifact@master
       with:
         name: BLUESPAWN-client-${{ matrix.buildarch }}-${{ matrix.buildtype }}
         path: artifacts\${{ matrix.buildarch }}\${{ matrix.buildtype }}\BLUESPAWN-client.exe
 
-    - uses: actions/upload-artifact@master
-      with:
-        name: AtomicTestsResults-${{ matrix.buildarch }}-${{ matrix.buildtype }}.csv
-        path: AtomicTestsResults.csv
-
     - uses: actions/upload-artifact@master
       with:
         name: BLUESPAWNHuntResults-${{ matrix.buildarch }}-${{ matrix.buildtype }}.xml

.gitignore

@@ -2,6 +2,7 @@
 build/
 artifacts/
 packages/
+vcpkg/
 BLUESPAWN-client/external/
 BLUESPAWN-client/resources/severe
 BLUESPAWN-client/resources/indicators

.gitmodules

@@ -16,3 +16,6 @@
 [submodule "BLUESPAWN-client/external/tinyxml2"]
 	path = BLUESPAWN-client/external/tinyxml2
 	url = https://github.com/leethomason/tinyxml2
+[submodule "vcpkg"]
+	path = vcpkg
+	url = https://github.com/Microsoft/vcpkg.git

BLUESPAWN-client/BLUESPAWN-client.vcxproj

@@ -261,9 +261,6 @@
     <ProjectReference Include="..\BLUESPAWN-common\CommonLib.vcxproj">
       <Project>{25ae1d80-3e17-4e1d-bfb4-8afb375ebaf1}</Project>
     </ProjectReference>
-    <ProjectReference Include="libyara.vcxproj">
-      <Project>{e236ce39-d8f3-4db6-985c-f2794ff17746}</Project>
-    </ProjectReference>
     <ProjectReference Include="pe-sieve.vcxproj">
       <Project>{bec01f8e-5892-3f6f-a741-5bbd1d0f4ef9}</Project>
     </ProjectReference>
@@ -280,16 +277,22 @@
       <Path>$(SolutionDir)build\$(PlatformTarget)\$(Configuration)\$(MSBuildProjectName).log</Path>
     </BuildLog>
     <ClCompile>
-      <AdditionalIncludeDirectories>$(SolutionDir)BLUESPAWN-client\external\yara\libyara\include;$(SolutionDir)BLUESPAWN-client\external\pe-sieve\include;$(SolutionDir)BLUESPAWN-client\external\krabsetw\krabs;$(SolutionDir)BLUESPAWN-client\external\cxxopts\include;$(SolutionDir)BLUESPAWN-client\external\boost;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>$(SolutionDir)BLUESPAWN-client\external\pe-sieve\include;$(SolutionDir)BLUESPAWN-client\external\cxxopts\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <RuntimeLibrary Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">MultiThreaded</RuntimeLibrary>
+      <RuntimeLibrary Condition="'$(Configuration)|$(Platform)'=='Release|x64'">MultiThreaded</RuntimeLibrary>
+      <RuntimeLibrary Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">MultiThreadedDebug</RuntimeLibrary>
+      <RuntimeLibrary Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">MultiThreadedDebug</RuntimeLibrary>
     </ClCompile>
     <Link>
-      <AdditionalDependencies>Secur32.lib;DbgHelp.lib;Wintrust.lib;Shlwapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>Secur32.lib;DbgHelp.lib;Wintrust.lib;ws2_32.lib;Crypt32.lib;Shlwapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
     </Link>
   </ItemDefinitionGroup>
   <PropertyGroup Label="Globals">
     <ProjectGuid>{159B2E72-9553-4E17-9BEC-CB92FCA8D0B0}</ProjectGuid>
     <RootNamespace>CommonLib</RootNamespace>
     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
+    <VcpkgTriplet Condition="'$(Platform)'=='Win32'">x86-windows-static</VcpkgTriplet>
+    <VcpkgTriplet Condition="'$(Platform)'=='x64'">x64-windows-static</VcpkgTriplet>
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
   <PropertyGroup Label="Configuration">

BLUESPAWN-client/external/pe-sieve

@@ -37,35 +37,70 @@ namespace Registry {
 
 	extern REG_MULTI_SZ_CHECK CheckMultiSzSubset;
 	extern REG_MULTI_SZ_CHECK CheckMultiSzExclusion;
-	extern REG_MULTI_SZ_CHECK CheckMultiSzEmpty;
+	extern REG_MULTI_SZ_CHECK CheckMultiSzEmpty; 
 
 	/**
 	 * A container class for registry values and associated data.
 	 */
 	struct RegistryCheck {
-		RegistryValue value;
-		bool MissingBad;
+		std::wstring name;
+		
+		RegistryType type;
+		RegistryData value;
+		std::variant<REG_SZ_CHECK, REG_DWORD_CHECK, REG_BINARY_CHECK, REG_MULTI_SZ_CHECK> check;
 
-		REG_SZ_CHECK wCheck;
-		REG_DWORD_CHECK dwCheck;
-		REG_BINARY_CHECK lpCheck;
-		REG_MULTI_SZ_CHECK vCheck;
+		bool MissingBad;
 
-		RegistryCheck(const std::wstring& wValueName, RegistryType type, const std::wstring& wData, bool MissingBad = false,
-			const REG_SZ_CHECK& check = CheckSzEqual);
-		RegistryCheck(const std::wstring& wValueName, RegistryType type, const DWORD dwData, bool MissingBad = false,
-			const REG_DWORD_CHECK& check = CheckDwordEqual);
-		RegistryCheck(const std::wstring& wValueName, RegistryType type, const AllocationWrapper& lpData, bool MissingBad = false,
-			const REG_BINARY_CHECK& check = CheckBinaryEqual);
-		RegistryCheck(const std::wstring& wValueName, RegistryType type, const std::vector<std::wstring>& wData, bool MissingBad = false,
+		RegistryCheck(std::wstring&& wValueName, std::wstring&& wData, bool MissingBad = false, const REG_SZ_CHECK& check = CheckSzEqual);
+		RegistryCheck(std::wstring&& wValueName, DWORD&& dwData, bool MissingBad = false, const REG_DWORD_CHECK& check = CheckDwordEqual);
+		RegistryCheck(std::wstring&& wValueName, AllocationWrapper&& lpData, bool MissingBad = false, const REG_BINARY_CHECK& check = CheckBinaryEqual);
+		RegistryCheck(std::wstring&& wValueName, std::vector<std::wstring>&& wData, bool MissingBad = false,
 			const REG_MULTI_SZ_CHECK& check = CheckMultiSzSubset);
 
 		RegistryType GetType() const;
+
+		bool operator()(const RegistryData& data) const;
 	};
 
-	std::vector<RegistryValue> CheckValues(const RegistryKey& key, const std::vector<RegistryCheck>& values);
+	/**
+	 * Checks the values under a certain key using the RegistryCheck class. if CheckWow64 is true, this will attempt to automatically redirect to the WoW64 version
+	 * of the key in addition to the 64-bit one. If CheckUsers is true, this will attempt to automatically check the same key under each user in addition to under
+	 * HKLM. 
+	 *
+	 * @param hkHive The registry hive under which the path lies. 
+	 * @param path The path to the specified key under the given hive. If CheckUsers is true, this will will also check the path under each user's account.
+	 * @param CheckWow64 If true, this will also check the wow64 version of the key, if one exists
+	 * @param CheckUsers If true, this will check for the path under all users' hives in addition to the given one
+	 *
+	 * @return A vector containing a RegistryValue object for each RegistryCheck that didn't match its valid conditions
+	 */
+	std::vector<RegistryValue> CheckValues(const HKEY& hkHive, const std::wstring& path, const std::vector<RegistryCheck>& values, bool CheckWow64 = true, bool CheckUsers = true);
 
-	std::vector<RegistryValue> CheckKeyValues(const RegistryKey& key);
+	/**
+	 * Checks for any values under a certain key. if CheckWow64 is true, this will attempt to automatically redirect to the WoW64 version of the key
+	 * in addition to the 64-bit one. If CheckUsers is true, this will attempt to automatically check the same key under each user in addition to under
+	 * HKLM.
+	 *
+	 * @param hkHive The registry hive under which the path lies.
+	 * @param path The path to the specified key under the given hive. If CheckUsers is true, this will will also check the path under each user's account.
+	 * @param CheckWow64 If true, this will also check the wow64 version of the key, if one exists
+	 * @param CheckUsers If true, this will check for the path under all users' hives in addition to the given one
+	 *
+	 * @return A vector containing a RegistryValue object for each RegistryCheck that didn't match its valid conditions
+	 */
+	std::vector<RegistryValue> CheckKeyValues(const HKEY& hkHive, const std::wstring& path, bool CheckWow64 = true, bool CheckUsers = true);
 
-	std::vector<RegistryKey> CheckSubkeys(const RegistryKey& key);
+	/**
+	 * Checks for any values under a certain key. if CheckWow64 is true, this will attempt to automatically redirect to the WoW64 version of the key
+	 * in addition to the 64-bit one. If CheckUsers is true, this will attempt to automatically check the same key under each user in addition to under
+	 * HKLM.
+	 *
+	 * @param hkHive The registry hive under which the path lies.
+	 * @param path The path to the specified key under the given hive. If CheckUsers is true, this will will also check the path under each user's account.
+	 * @param CheckWow64 If true, this will also check the wow64 version of the key, if one exists
+	 * @param CheckUsers If true, this will check for the path under all users' hives in addition to the given one
+	 *
+	 * @return A vector containing a RegistryValue object for each RegistryCheck that didn't match its valid conditions
+	 */
+	std::vector<RegistryKey> CheckSubkeys(const HKEY& hkHive, const std::wstring& path, bool CheckWow64 = true, bool CheckUsers = true);
 }

BLUESPAWN-client/external/tinyxml2

@@ -20,8 +20,8 @@ namespace Hunts {
 		std::wstring wsIFEO = L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\";
 		std::wstring wsIFEOWow64 = L"SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\";
 
-		int HuntT1015::EvaluateRegistry(Reaction reaction);
-		int HuntT1015::EvaluateFiles(Reaction reaction);
+		int HuntT1015::EvaluateRegistry(Reaction& reaction);
+		int HuntT1015::EvaluateFiles(Reaction& reaction);
 	public:
 		HuntT1015();