diff --git a/CMakeLists.txt b/CMakeLists.txt
index 75b94234..75bf780f 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -9,6 +9,7 @@ option(ORC_BUILD_COMMAND "Build any OrcCommand based command" ON)
 option(ORC_BUILD_FASTFIND "Build FastFind binary" ON)
 option(ORC_BUILD_ORC "Build Orc binary" ON)
 option(ORC_BUILD_PARQUET "Build Parquet module" OFF)
+option(ORC_BUILD_TLSH "Build with tlsh support" OFF)
 option(ORC_BUILD_SSDEEP "Build with ssdeep support" OFF)
 option(ORC_BUILD_JSON "Build with JSON StructuredOutput enabled" ON)
 option(ORC_BUILD_BOOST_STACKTRACE "Build with stack backtrace enabled" ON)
@@ -83,7 +84,6 @@ if(ORC_VCPKG_ROOT)
 boost-scope-exit
 fmt
 spdlog
- tlsh
 yara
 rapidjson
 )
@@ -98,6 +98,11 @@ if(ORC_VCPKG_ROOT)
 list(APPEND _PACKAGES boost-stacktrace)
 endif()
 
+ if(ORC_BUILD_TLSH)
+ add_definitions(-DORC_BUILD_TLSH)
+ list(APPEND _PACKAGES tlsh)
+ endif()
+
 if(ORC_BUILD_APACHE_ORC)
 if("${CMAKE_GENERATOR_TOOLSET}" STREQUAL "v141_xp")
 message(FATAL_ERROR "Apache Orc requires Seven or later")
diff --git a/README.md b/README.md
index 7f24f610..4fdcc2ca 100644
--- a/README.md
+++ b/README.md
@@ -57,6 +57,7 @@ cmake --build . --config MinSizeRel -- -maxcpucount
 | ORC_BUILD_ORC | ON | Build Orc binary |
 | ORC_BUILD_PARQUET | OFF | Build Parquet module (x64) |
 | ORC_BUILD_SSDEEP | OFF | Build with ssdeep support |
+| ORC_BUILD_TLSH | OFF | Build with tslh support |
 | ORC_BUILD_JSON | ON | Build with JSON enabled |
 | ORC_USE_STATIC_CRT | ON | Use static runtime |
 | ORC_VCPKG_ROOT | ${ORC}/external/vcpkg | VCPKG root directory |
diff --git a/src/OrcLib/CMakeLists.txt b/src/OrcLib/CMakeLists.txt
index 3c98857f..c5033ead 100644
--- a/src/OrcLib/CMakeLists.txt
+++ b/src/OrcLib/CMakeLists.txt
@@ -13,7 +13,6 @@ orc_add_compile_options()
 find_package(7zip CONFIG REQUIRED)
 find_package(Boost REQUIRED)
 find_package(fmt REQUIRED)
-find_package(tlsh CONFIG REQUIRED)
 find_package(VisualStudio REQUIRED)
 find_package(Yara REQUIRED)
 
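Review bot: `add_definitions(-DORC_BUILD_TLSH)` in the `@@ -98` hunk sits inside the `if(ORC_VCPKG_ROOT)` block (per the hunk header context), so a configuration with `ORC_BUILD_TLSH=ON` and no vcpkg root never defines the macro, while `src/OrcLib/CMakeLists.txt` still runs `find_package(tlsh)` and links `tlsh::tlsh` — the library is linked but every `#ifdef ORC_BUILD_TLSH` in FuzzyHashStream compiles out and the `L"tlsh"` algorithm is silently unsupported. Because the same macro also guards the `m_tlsh` member in the public header `FuzzyHashStream.h`, any translation unit that includes the header without the definition sees a different class layout from the one OrcLib was built with. Suggest tying the definition to the same condition and target as the link step, in the OrcLib hunk at `@@ -874`: `target_compile_definitions(OrcLib PUBLIC ORC_BUILD_TLSH)` next to `target_link_libraries(OrcLib PUBLIC tlsh::tlsh)`, keeping only `list(APPEND _PACKAGES tlsh)` in the vcpkg block.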
@@ -864,7 +863,6 @@ target_link_libraries(OrcLib
 Wintrust.lib
 Crypt32.lib
 fmt::fmt-header-only
- tlsh::tlsh
 VisualStudio::CppUnitTest
 yara::yara
 ws2_32.lib
@@ -874,6 +872,11 @@ target_link_libraries(OrcLib
 find_package(RapidJSON CONFIG REQUIRED)
 target_include_directories(OrcLib PRIVATE ${RAPIDJSON_INCLUDE_DIRS})
 
+if(ORC_BUILD_TLSH)
+ find_package(tlsh CONFIG REQUIRED)
+ target_link_libraries(OrcLib PUBLIC tlsh::tlsh)
+endif()
+
 if(ORC_BUILD_SSDEEP)
 find_package(ssdeep CONFIG REQUIRED)
 target_link_libraries(OrcLib PUBLIC ssdeep::fuzzy)
diff --git a/src/OrcLib/FuzzyHashStream.cpp b/src/OrcLib/FuzzyHashStream.cpp
index 72a9881d..e826e2b4 100644
--- a/src/OrcLib/FuzzyHashStream.cpp
+++ b/src/OrcLib/FuzzyHashStream.cpp
@@ -11,7 +11,9 @@
 #include "WideAnsi.h"
 #include "BinaryBuffer.h"
 
-#include "tlsh/tlsh.h"
+#ifdef ORC_BUILD_TLSH
+# include "tlsh/tlsh.h"
+#endif // ORC_BUILD_TLSH
 
 #ifdef ORC_BUILD_SSDEEP
 # include "ssdeep/fuzzy.h"
@@ -27,10 +29,14 @@ FuzzyHashStream::Algorithm FuzzyHashStream::GetSupportedAlgorithm(LPCWSTR szAlgo
 return Algorithm::SSDeep;
 }
 #endif // ORC_BUILD_SSDEEP
+
+#ifdef ORC_BUILD_TSLH
 if (!_wcsnicmp(szAlgo, L"tlsh", wcslen(L"tlsh")))
 {
 return Algorithm::TLSH;
 }
+#endif // ORC_BUILD_TLSH
+
 return Algorithm::Undefined;
 }
 
@@ -46,6 +52,8 @@ std::wstring FuzzyHashStream::GetSupportedAlgorithm(Algorithm algs)
 retval.append(L"SSDeep");
 }
 #endif // ORC_BUILD_SSDEEP
+
+#ifdef ORC_BUILD_TLSH
 if (HasFlag(algs, FuzzyHashStream::Algorithm::TLSH))
 {
 if (retval.empty())
@@ -53,6 +61,8 @@ std::wstring FuzzyHashStream::GetSupportedAlgorithm(Algorithm algs)
 else
 retval.append(L",TLSH");
 }
+#endif // ORC_BUILD_TLSH
+
 return retval;
 }
 
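Review bot: `#ifdef ORC_BUILD_TSLH` in the `@@ -27` hunk of `GetSupportedAlgorithm(LPCWSTR)` is misspelled, so the `L"tlsh"` name check is compiled out even in TLSH-enabled builds and a configuration asking for tlsh silently maps to `Algorithm::Undefined`; change it to `#ifdef ORC_BUILD_TLSH` (the closing `#endif` comment already uses the correct name). The same transposition appears in the README row added by this commit (`Build with tslh support`). A misspelled macro name produces no compiler diagnostic, so a TLSH-enabled build should carry a test asserting `FuzzyHashStream::GetSupportedAlgorithm(L"tlsh") == FuzzyHashStream::Algorithm::TLSH` to catch this class of regression.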
@@ -100,21 +110,18 @@ HRESULT FuzzyHashStream::OpenToWrite(FuzzyHashStream::Algorithm algs, const std:
 
 STDMETHODIMP FuzzyHashStream::Close()
 {
+#ifdef ORC_BUILD_TLSH
 if (m_tlsh)
 {
 m_tlsh->final();
 }
+#endif // ORC_BUILD_TLSH
 
 return HashStream::Close();
 }
 
 HRESULT FuzzyHashStream::ResetHash(bool bContinue)
 {
- if (m_tlsh)
- {
- m_tlsh->reset();
- }
-
 #ifdef ORC_BUILD_SSDEEP
 if (m_ssdeep)
 {
@@ -128,20 +135,30 @@ HRESULT FuzzyHashStream::ResetHash(bool bContinue)
 }
 #endif // ORC_BUILD_SSDEEP
 
+#ifdef ORC_BUILD_TLSH
+ if (m_tlsh)
+ {
+ m_tlsh->reset();
+ }
+
 if (HasFlag(m_Algorithms, FuzzyHashStream::Algorithm::TLSH))
 {
 m_tlsh = std::make_unique();
 }
+#endif // ORC_BUILD_TLSH
+
 m_bHashIsValid = true;
 return S_OK;
 }
 
 HRESULT FuzzyHashStream::HashData(LPBYTE pBuffer, DWORD dwBytesToHash)
 {
+#ifdef ORC_BUILD_TLSH
 if (m_tlsh)
 {
 m_tlsh->update(pBuffer, dwBytesToHash);
 }
+#endif // ORC_BUILD_TLSH
 
 #ifdef ORC_BUILD_SSDEEP
 if (m_ssdeep)
@@ -173,6 +190,7 @@ HRESULT FuzzyHashStream::GetHash(FuzzyHashStream::Algorithm alg, CBinaryBuffer&
 #endif // ORC_BUILD_SSDEEP
 break;
 case FuzzyHashStream::Algorithm::TLSH:
+#ifdef ORC_BUILD_TLSH
 if (HasFlag(m_Algorithms, FuzzyHashStream::Algorithm::TLSH) && m_tlsh)
 {
 if (!m_tlsh->isValid())
@@ -187,6 +205,7 @@ HRESULT FuzzyHashStream::GetHash(FuzzyHashStream::Algorithm alg, CBinaryBuffer&
 }
 return S_OK;
 }
+#endif // ORC_BUILD_TLSH
 break;
 default:
 return E_INVALIDARG;
@@ -222,5 +241,7 @@ FuzzyHashStream::~FuzzyHashStream()
 }
 #endif // ORC_BUILD_SSDEEP
 
+#ifdef ORC_BUILD_TLSH
 m_tlsh.reset();
+#endif
 }
diff --git a/src/OrcLib/FuzzyHashStream.h b/src/OrcLib/FuzzyHashStream.h
index 071eeb4a..b4c8876c 100644
--- a/src/OrcLib/FuzzyHashStream.h
+++ b/src/OrcLib/FuzzyHashStream.h
@@ -50,7 +50,11 @@ class FuzzyHashStream : public HashStream
 
 protected:
 Algorithm m_Algorithms = Algorithm::Undefined;
+
+#ifdef ORC_BUILD_TLSH
 std::unique_ptr m_tlsh;
+#endif // ORC_BUILD_TLSH
+
 struct fuzzy_state* m_ssdeep = nullptr;
 };
 
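Review bot: In `GetHash` (`@@ -173` and `@@ -187` hunks) the `case FuzzyHashStream::Algorithm::TLSH:` label stays in non-TLSH builds while its body is compiled out, so a caller passing `Algorithm::TLSH` falls straight to `break;` and the outcome is decided by whatever follows the switch, which lies outside this hunk; if that path returns `S_OK`, the caller gets success with an untouched buffer instead of an error. Suggest making the disabled configuration explicit by inserting `#else` / `return E_NOTIMPL;` before the `#endif // ORC_BUILD_TLSH` added in the `@@ -187` hunk, so the label has a defined result in both builds. GetHash begins and ends outside these hunks.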