OrcLib: SystemDetail: add GetOrcSystemType

It stores the user's specified value and fallback on host's
DFIR-ORC · Jun 4, 2024 · 69f96b0 · 69f96b0
1 parent 41346e5
commit 69f96b0
Show file tree

Hide file tree

Showing 7 changed files with 39 additions and 5 deletions.
diff --git a/src/OrcCommand/Command/FastFind/FastFind_Run.cpp b/src/OrcCommand/Command/FastFind/FastFind_Run.cpp
@@ -671,7 +671,7 @@ HRESULT Main::Run()
             pStructuredOutput->WriteNamed(L"os", strSystemDescr.c_str());
 
         std::wstring strSystemRole;
-        if (SUCCEEDED(SystemDetails::GetSystemType(strSystemRole)))
+        if (SUCCEEDED(SystemDetails::GetOrcSystemType(strSystemRole)))
             pStructuredOutput->WriteNamed(L"role", strSystemRole.c_str());
     }
 

diff --git a/src/OrcCommand/Command/WolfLauncher/WolfExecution_Config.cpp b/src/OrcCommand/Command/WolfLauncher/WolfExecution_Config.cpp
@@ -266,7 +266,7 @@ CommandMessage::Message WolfExecution::SetCommandFromConfigItem(const ConfigItem
         const wstring& requiredSystemTypes = item[WOLFLAUNCHER_COMMAND_SYSTEMTYPE];
         wstring strProductType;
 
-        if (FAILED(hr = SystemDetails::GetSystemType(strProductType)))
+        if (FAILED(hr = SystemDetails::GetOrcSystemType(strProductType)))
         {
             Log::Error("Failed to retrieve system product type [{}]", SystemError(hr));
             return nullptr;

diff --git a/src/OrcCommand/UtilitiesMain.cpp b/src/OrcCommand/UtilitiesMain.cpp
@@ -81,6 +81,10 @@ void UtilitiesMain::PrintCommonParameters(Orc::Text::Tree& root)
     SystemDetails::GetSystemType(systemType);
     PrintValue(root, L"System type", systemType);
 
+    std::wstring orcSystemType;
+    SystemDetails::GetOrcSystemType(orcSystemType);
+    PrintValue(root, L"DFIR-Orc system type", orcSystemType);
+
     PrintValue(root, L"System tags", boost::join(SystemDetails::GetSystemTags(), ", "));
 
     std::wstring logFileName(Text::kEmptyW);
@@ -223,7 +227,7 @@ void UtilitiesMain::Configure(int argc, const wchar_t* argv[])
 
     if (!systemType.empty())
     {
-        SystemDetails::SetSystemType(systemType);
+        SystemDetails::SetOrcSystemType(systemType);
     }
 }
 

diff --git a/src/OrcLib/CommandAgent.cpp b/src/OrcLib/CommandAgent.cpp
@@ -273,7 +273,7 @@ HRESULT CommandAgent::ApplyPattern(
     auto s6 = std::regex_replace(s5, r_TimeStamp, strTimeStamp);
 
     wstring strSystemType;
-    SystemDetails::GetSystemType(strSystemType);
+    SystemDetails::GetOrcSystemType(strSystemType);
     auto s7 = std::regex_replace(s6, r_SystemType, strSystemType);
 
     std::swap(s7, output);

diff --git a/src/OrcLib/OutputSpec.cpp b/src/OrcLib/OutputSpec.cpp
@@ -86,7 +86,7 @@ OutputSpec::ApplyPattern(const std::wstring& strPattern, const std::wstring& str
     SystemDetails::GetTimeStamp(strTimeStamp);
 
     wstring strSystemType;
-    SystemDetails::GetSystemType(strSystemType);
+    SystemDetails::GetOrcSystemType(strSystemType);
 
     strFileName = fmt::vformat(
         fmt::wstring_view(strPattern),

diff --git a/src/OrcLib/SystemDetails.cpp b/src/OrcLib/SystemDetails.cpp
@@ -46,6 +46,7 @@ struct SystemDetailsBlock
     std::optional<std::wstring> strOrcComputerName;
     std::optional<std::wstring> strOrcFullComputerName;
     std::optional<std::wstring> strProductType;
+    std::optional<std::wstring> strOrcProductType;
     std::optional<BYTE> wProductType;
     std::wstring strUserName;
     std::wstring strUserSID;
@@ -105,6 +106,32 @@ HRESULT SystemDetails::GetSystemType(std::wstring& strProductType)
     return S_OK;
 }
 
+HRESULT Orc::SystemDetails::SetOrcSystemType(std::wstring strProductType)
+{
+    HRESULT hr = E_FAIL;
+    if (FAILED(hr = LoadSystemDetails()))
+        return hr;
+
+    if (!strProductType.empty())
+        g_pDetailsBlock->strOrcProductType.emplace(std::move(strProductType));
+
+    return S_OK;
+}
+
+HRESULT SystemDetails::GetOrcSystemType(std::wstring& strProductType)
+{
+    HRESULT hr = E_FAIL;
+    if (FAILED(hr = LoadSystemDetails()))
+        return hr;
+
+    if (g_pDetailsBlock->strOrcProductType.has_value())
+    {
+        strProductType = g_pDetailsBlock->strOrcProductType.value();
+        return S_OK;
+    }
+
+    return GetSystemType(strProductType);
+}
 
 bool SystemDetails::IsKnownWindowsBuild(uint32_t build)
 {

diff --git a/src/OrcLib/SystemDetails.h b/src/OrcLib/SystemDetails.h
@@ -45,6 +45,9 @@ class SystemDetails
     static HRESULT GetSystemType(std::wstring& strSystemType);
     static HRESULT GetSystemType(BYTE& systemType);
 
+    static HRESULT SetOrcSystemType(std::wstring strSystemType);
+    static HRESULT GetOrcSystemType(std::wstring& strSystemType);
+
     static bool IsKnownWindowsBuild(uint32_t build);
     static void GetTagsFromBuildId(uint32_t ProductType, uint32_t build, SystemTags& tags);