dfir-orc
Add support for file tree as embedded resource
I have a tool to embed in ORC that needs multiple files (rules, config...) and must preserve a certain folder tree to work. For example, this concept/idea doesn't work in DFIR-ORC_embed.xml:

```xml
<?xml version="1.0" encoding="utf-8"?>
<toolembed>
...
<archive name="SpecTool" format="7z" compression="Ultra">
<file name="myprogram" path=".\SpecFolder\program.exe"/>
<file name="SpecFolder" path=".\SpecFolder\*"/>
</archive>
...
</toolembed>
```
I need to specify all the content of SpecFolder manually:

```xml
...
<file name="SpecFolder_fileA" path=".\SpecFolder\fileA"/>
<file name="SpecFolder_fileB" path=".\SpecFolder\fileB"/>
<file name="SpecFolder_folderA_fileA" path=".\SpecFolder\folderA\fileA"/>
...
```
This same disadvantage appears with Yara rules, which are often organized by file name (like apt1.yara, apt2.yara...). It would be very useful to easily embed a complete folder structure with a tag like
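Until folder embedding exists, the manual per-file listing above can be generated from the folder tree. The script below is an added example (not part of DFIR-ORC or of this issue); it assumes the `name`/`path` attribute form shown in the issue's snippet and reproduces the `SpecFolder_folderA_fileA` naming convention used there.

```python
# Added example, not DFIR-ORC code: emit the per-file <file .../> entries that
# DFIR-ORC_embed.xml currently requires for a whole folder tree.
import tempfile
from pathlib import Path
from xml.sax.saxutils import quoteattr


def embed_entries(root: Path, base=None):
    """Walk `root` and return (name, path) pairs for every regular file.

    name: folder name plus the relative path joined with '_', as in the issue.
    path: Windows-style relative path under '.\\' (assumption: same form as
          the ".\\SpecFolder\\fileA" entries shown in the issue).
    """
    base = base or root.parent
    entries = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(base)
        entries.append(("_".join(rel.parts), ".\\" + "\\".join(rel.parts)))
    return entries


def render_file_elements(entries, indent="    "):
    """Render entries as <file name=".." path=".."/> lines; quoteattr() escapes
    characters such as & or " that would otherwise break the XML."""
    return "\n".join(
        f"{indent}<file name={quoteattr(n)} path={quoteattr(p)}/>" for n, p in entries
    )


def make_sample_tree(dest: Path) -> Path:
    """Constructed sample tree mirroring the issue: SpecFolder/{fileA,fileB,folderA/fileA}."""
    root = dest / "SpecFolder"
    (root / "folderA").mkdir(parents=True)
    for rel in ("fileA", "fileB", "folderA/fileA"):
        (root / rel).write_text("constructed sample content\n")
    return root


def demo_entries():
    """Build the sample tree in a temp dir and return its embed entries."""
    with tempfile.TemporaryDirectory() as d:
        return embed_entries(make_sample_tree(Path(d)))


if __name__ == "__main__":
    print(render_file_elements(demo_entries()))
```

The printed lines can be pasted inside the `<archive>` element in place of the hand-written entries.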
As of now, ORC does not allow that.
Concerning Yara rules, I guess it would be easy to support their compilation from a unique 7z resource. But for a truly "generic" approach it could require more changes.
We will keep this issue open. Currently the dev effort is put on bugfixes/optimizations.
Until then you can concatenate your rules in a single yara file.