moved files to new directory

minor refactors

Author: Eran-YT

Raccine.sln

@@ -3,12 +3,12 @@ Microsoft Visual Studio Solution File, Format Version 12.00
 # Visual Studio Version 16
 VisualStudioVersion = 16.0.30413.136
 MinimumVisualStudioVersion = 10.0.40219.1
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Raccine", "Raccine.vcxproj", "{E402FCEB-A95B-44FF-BC00-B24CE6DAF0AB}"
-EndProject
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Raccine-Test", "tests\Raccine-Test\Raccine-Test.vcxproj", "{B6CF8E12-D257-4E81-8634-3D5E4320B7E9}"
 EndProject
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "RaccineLib", "source\RaccineLib\RaccineLib.vcxproj", "{1E00BDF5-F2B2-4A59-8E3A-58EDBFE0E420}"
 EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Raccine", "source\Raccine\Raccine.vcxproj", "{E402FCEB-A95B-44FF-BC00-B24CE6DAF0AB}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|x64 = Debug|x64
@@ -17,14 +17,6 @@ Global
 		Release|x86 = Release|x86
 	EndGlobalSection
 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
-		{E402FCEB-A95B-44FF-BC00-B24CE6DAF0AB}.Debug|x64.ActiveCfg = Debug|x64
-		{E402FCEB-A95B-44FF-BC00-B24CE6DAF0AB}.Debug|x64.Build.0 = Debug|x64
-		{E402FCEB-A95B-44FF-BC00-B24CE6DAF0AB}.Debug|x86.ActiveCfg = Debug|Win32
-		{E402FCEB-A95B-44FF-BC00-B24CE6DAF0AB}.Debug|x86.Build.0 = Debug|Win32
-		{E402FCEB-A95B-44FF-BC00-B24CE6DAF0AB}.Release|x64.ActiveCfg = Release|x64
-		{E402FCEB-A95B-44FF-BC00-B24CE6DAF0AB}.Release|x64.Build.0 = Release|x64
-		{E402FCEB-A95B-44FF-BC00-B24CE6DAF0AB}.Release|x86.ActiveCfg = Release|Win32
-		{E402FCEB-A95B-44FF-BC00-B24CE6DAF0AB}.Release|x86.Build.0 = Release|Win32
 		{B6CF8E12-D257-4E81-8634-3D5E4320B7E9}.Debug|x64.ActiveCfg = Debug|x64
 		{B6CF8E12-D257-4E81-8634-3D5E4320B7E9}.Debug|x64.Build.0 = Debug|x64
 		{B6CF8E12-D257-4E81-8634-3D5E4320B7E9}.Debug|x86.ActiveCfg = Debug|Win32
@@ -41,6 +33,14 @@ Global
 		{1E00BDF5-F2B2-4A59-8E3A-58EDBFE0E420}.Release|x64.Build.0 = Release|x64
 		{1E00BDF5-F2B2-4A59-8E3A-58EDBFE0E420}.Release|x86.ActiveCfg = Release|Win32
 		{1E00BDF5-F2B2-4A59-8E3A-58EDBFE0E420}.Release|x86.Build.0 = Release|Win32
+		{E402FCEB-A95B-44FF-BC00-B24CE6DAF0AB}.Debug|x64.ActiveCfg = Debug|x64
+		{E402FCEB-A95B-44FF-BC00-B24CE6DAF0AB}.Debug|x64.Build.0 = Debug|x64
+		{E402FCEB-A95B-44FF-BC00-B24CE6DAF0AB}.Debug|x86.ActiveCfg = Debug|Win32
+		{E402FCEB-A95B-44FF-BC00-B24CE6DAF0AB}.Debug|x86.Build.0 = Debug|Win32
+		{E402FCEB-A95B-44FF-BC00-B24CE6DAF0AB}.Release|x64.ActiveCfg = Release|x64
+		{E402FCEB-A95B-44FF-BC00-B24CE6DAF0AB}.Release|x64.Build.0 = Release|x64
+		{E402FCEB-A95B-44FF-BC00-B24CE6DAF0AB}.Release|x86.ActiveCfg = Release|Win32
+		{E402FCEB-A95B-44FF-BC00-B24CE6DAF0AB}.Release|x86.Build.0 = Release|Win32
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE

source/Raccine/Raccine.aps

@@ -59,4 +59,4 @@ END
 /////////////////////////////////////////////////////////////////////////////
 #endif    // not APSTUDIO_INVOKED
 
-MAINICON ICON "Raccine.ico"
+MAINICON ICON "..\\..\\Raccine.ico"

Raccine.rc renamed to source/Raccine/Raccine.rc

@@ -95,6 +95,7 @@
       <LanguageStandard>stdcpplatest</LanguageStandard>
       <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
       <TreatWarningAsError>true</TreatWarningAsError>
+      <AdditionalIncludeDirectories>$(SolutionDir)source;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
     </ClCompile>
     <Link>
       <SubSystem>Console</SubSystem>
@@ -112,6 +113,7 @@
       <LanguageStandard>stdcpplatest</LanguageStandard>
       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
       <TreatWarningAsError>true</TreatWarningAsError>
+      <AdditionalIncludeDirectories>$(SolutionDir)source;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
     </ClCompile>
     <Link>
       <SubSystem>Console</SubSystem>
@@ -129,6 +131,7 @@
       <LanguageStandard>stdcpplatest</LanguageStandard>
       <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
       <TreatWarningAsError>true</TreatWarningAsError>
+      <AdditionalIncludeDirectories>$(SolutionDir)source;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
     </ClCompile>
     <Link>
       <SubSystem>Console</SubSystem>
@@ -146,6 +149,7 @@
       <LanguageStandard>stdcpplatest</LanguageStandard>
       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
       <TreatWarningAsError>true</TreatWarningAsError>
+      <AdditionalIncludeDirectories>$(SolutionDir)source;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
     </ClCompile>
     <Link>
       <SubSystem>Console</SubSystem>
@@ -167,8 +171,9 @@
     <ClCompile Include="Raccine.cpp" />
   </ItemGroup>
   <ItemGroup>
-    <ProjectReference Include="source\RaccineLib\RaccineLib.vcxproj">
+    <ProjectReference Include="..\RaccineLib\RaccineLib.vcxproj">
       <Project>{1e00bdf5-f2b2-4a59-8e3a-58edbfe0e420}</Project>
+      <Private>false</Private>
     </ProjectReference>
   </ItemGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />

Raccine.vcxproj renamed to source/Raccine/Raccine.vcxproj

@@ -5,14 +5,12 @@
 // Florian Roth, Ollie Whitehouse, Branislav Djalic, John Lambert
 // with help of Hilko Bengen
 
-#include "source/RaccineLib/Raccine.h"
+#include "RaccineLib/Raccine.h"
 
 #include <Shlwapi.h>
 
-
-#include "source/RaccineLib/HandleWrapper.h"
-#include "source/RaccineLib/RaccineConfig.h"
-#include "source/RaccineLib/Utils.h"
+#include "RaccineLib/RaccineConfig.h"
+#include "RaccineLib/Utils.h"
 
 int wmain(int argc, WCHAR* argv[])
 {
@@ -36,11 +34,11 @@ int wmain(int argc, WCHAR* argv[])
     //skip argv[0] and create a new command line string from our argv,
     //if we get a quoted path for the exe back, adjust the command line to skip past that.
     LPWSTR lpzchildCommandLine = GetCommandLine() + (wcslen(argv[0]) + 1);
-    std::wstring originalCommandLine(GetCommandLine());
+    const std::wstring originalCommandLine(GetCommandLine());
     if (originalCommandLine.starts_with(L"\"") && (wcslen(argv[0]) + 3) < originalCommandLine.length())
         lpzchildCommandLine = GetCommandLine() + (wcslen(argv[0]) + 3);
     if (needs_powershell_workaround(sCommandLine)) {
-        lpzchildCommandLine = (LPWSTR)std::wstring(L"powershell.exe ").append(sCommandLine).c_str();
+        lpzchildCommandLine = static_cast<LPWSTR>(std::wstring(L"powershell.exe ").append(sCommandLine).data());
     }
 
     auto [dwChildPid, hProcess, hThread] = createChildProcessWithDebugger(lpzchildCommandLine, CREATE_SUSPENDED);

Raccine.vcxproj.filters renamed to source/Raccine/Raccine.vcxproj.filters

@@ -84,4 +84,4 @@ void find_and_kill_processes(bool log_only,
                              const std::wstring& sCommandLine,
                              std::wstring& sListLogs);
 
-std::wstring CreateContextForProgram(DWORD pid, std::wstring szDefinePrefix);
+std::wstring CreateContextForProgram(DWORD pid, const std::wstring& szDefinePrefix);

raccine.cpp renamed to source/Raccine/raccine.cpp

@@ -309,7 +309,7 @@ ProcessDetail::ProcessDetail(DWORD dwPid) :
     ProcessDetailStruct.TimeSinceExeCreation = getLastWriteTime(ProcessDetailStruct.ExePath);
 }
 
-std::wstring ProcessDetail::ToString(const std::wstring szPrefix) const
+std::wstring ProcessDetail::ToString(const std::wstring& szPrefix) const
 {
     const std::wstring YaraDef = L" -d ";
 
@@ -336,25 +336,30 @@ std::wstring expand_environment_strings(const std::wstring& input)
     return std::wstring(output.data());
 }
 
-ULONG utils::getLastWriteTime(std::wstring szFilePath)
+ULONG getLastWriteTime(const std::wstring& szFilePath)
 {
-    HANDLE hFile = CreateFile(szFilePath.c_str(), GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
-    if (hFile == INVALID_HANDLE_VALUE)
+    FileHandleWrapper hFile = CreateFileW(szFilePath.c_str(),
+                                          GENERIC_READ,
+                                          FILE_SHARE_READ, 
+                                          NULL, 
+                                          OPEN_EXISTING, 
+                                          0,
+                                          NULL);
+    if (hFile == INVALID_HANDLE_VALUE){
         return 0;
+    }
 
-    ULARGE_INTEGER ulNow = { 0 }, ulFile = { 0 }, ulDiff = { 0 };
-    ULONG  timeDiff = 999999999;
     FILETIME timeFile, timeNow = { 0 };
     SYSTEMTIME stNow = { 0 };
     GetSystemTime(&stNow);
     SystemTimeToFileTime(&stNow, &timeNow);
 
     if (!GetFileTime(hFile, NULL, NULL, &timeFile))
     {
-        CloseHandle(hFile);
         return 0;
     }
-    CloseHandle(hFile);
+
+    ULARGE_INTEGER ulNow = { 0 }, ulFile = { 0 }, ulDiff = { 0 };
 
     ulNow.HighPart = timeNow.dwHighDateTime;
     ulNow.LowPart = timeNow.dwLowDateTime;
@@ -368,14 +373,16 @@ ULONG utils::getLastWriteTime(std::wstring szFilePath)
     if (ulNow.QuadPart > ulFile.QuadPart)
     {
         ulDiff.QuadPart = ulNow.QuadPart - ulFile.QuadPart;
-        ULONG diff = ((ULONG)(ulDiff.QuadPart / (10000 * 1000)) / (60 * 60 * 24));  // 
+        const ULONG diff = (static_cast<ULONG>(ulDiff.QuadPart / (10000 * 1000)) / (60 * 60 * 24)); 
 
         return diff;
     }
+
+    const ULONG  timeDiff = 999999999;
     return timeDiff;
 }
 
-bool write_string_to_file(const std::filesystem::path file_path, const std::wstring& string_to_write)
+bool write_string_to_file(const std::filesystem::path& file_path, const std::wstring& string_to_write)
 {
     //  Creates the new file to write to for the upper-case version.
     FileHandleWrapper hTempFile = CreateFileW(file_path.c_str(),    // file name 

resource.h renamed to source/Raccine/resource.h

@@ -15,7 +15,7 @@ class ProcessDetail final
 
     ~ProcessDetail() = default;
 
-    [[nodiscard]] std::wstring ToString(const std::wstring szPrefix) const;
+    [[nodiscard]] std::wstring ToString(const std::wstring& szPrefix) const;
 
 private:
     struct PROCESS_DETAIL
@@ -59,10 +59,10 @@ DWORD GetPriorityClassByPid(DWORD pid);
 
 std::wstring expand_environment_strings(const std::wstring& input);
 
-bool write_string_to_file(const std::filesystem::path file_path, const std::wstring& string_to_write);
+bool write_string_to_file(const std::filesystem::path& file_path, const std::wstring& string_to_write);
 
 std::optional<std::string> convert_wstring_to_string(const std::wstring& input);
 
-ULONG getLastWriteTime(std::wstring szFilePath);
+ULONG getLastWriteTime(const std::wstring& szFilePath);
 
 }

source/RaccineLib/Raccine.h

@@ -8,7 +8,6 @@
 #include <cwchar>
 #include <Windows.h>
 #include <cstdio>
-#include <cstring>
 #include <string>
 #include <array>
 #include <chrono>
@@ -59,9 +58,10 @@ bool EvaluateYaraRules(const RaccineConfig& raccine_config,
 
     std::wstring parentContext = CreateContextForProgram(dwParentPid, L"Parent");
 
-    std::wstring grandparentContext = L"";
-    if (dwGrandParentPid != 0)
+    std::wstring grandparentContext;
+    if (dwGrandParentPid != 0) {
         grandparentContext = CreateContextForProgram(dwGrandParentPid, L"GrandParent");
+    }
 
     std::wstring combinedContext = childContext + L" " + parentContext +L" " + grandparentContext;
 
@@ -92,12 +92,11 @@ bool EvaluateYaraRules(const RaccineConfig& raccine_config,
     return fRetVal;
 }
 
-std::wstring CreateContextForProgram(DWORD pid, std::wstring szDefinePrefix)
+std::wstring CreateContextForProgram(DWORD pid, const std::wstring& szDefinePrefix)
 {
     const utils::ProcessDetail details(pid);
 
-    std::wstring strDetails;
-    strDetails = details.ToString(szDefinePrefix);
+    std::wstring strDetails = details.ToString(szDefinePrefix);
 
     return strDetails;
 }