dissect.target 3.13.dev26__py3-none-any.whl → 3.14__py3-none-any.whl

dissect/target/plugins/apps/{webservers → webserver}/iis.py

@@ -12,7 +12,7 @@ from dissect.target.exceptions import FileNotFoundError as DissectFileNotFoundEr
 from dissect.target.exceptions import PluginError, UnsupportedPluginError
 from dissect.target.helpers import fsutil
 from dissect.target.helpers.record import TargetRecordDescriptor
-from dissect.target.plugins.apps.webservers.webservers import WebserverAccessLogRecord
+from dissect.target.plugins.apps.webserver.webserver import WebserverAccessLogRecord
 
 LOG_RECORD_NAME = "filesystem/windows/iis/logs"
 

dissect/target/plugins/apps/{webservers → webserver}/nginx.py

@@ -6,7 +6,7 @@ from typing import Iterator
 from dissect.target import plugin
 from dissect.target.exceptions import FileNotFoundError, UnsupportedPluginError
 from dissect.target.helpers.fsutil import open_decompress
-from dissect.target.plugins.apps.webservers.webservers import WebserverAccessLogRecord
+from dissect.target.plugins.apps.webserver.webserver import WebserverAccessLogRecord
 from dissect.target.target import Target
 
 LOG_REGEX = re.compile(

dissect/target/plugins/child/hyperv.py

@@ -3,7 +3,6 @@ from __future__ import annotations
 from typing import TYPE_CHECKING, Iterator
 
 from dissect.hypervisor import hyperv
-from flow.record.fieldtypes import path
 
 from dissect.target.exceptions import UnsupportedPluginError
 from dissect.target.helpers.record import ChildTargetRecord
@@ -47,7 +46,7 @@ class HyperVChildTargetPlugin(ChildTargetPlugin):
                 for vm_path in virtual_machines.values():
                     yield ChildTargetRecord(
                         type=self.__type__,
-                        path=path.from_windows(vm_path),
+                        path=self.target.fs.path(vm_path),
                         _target=self.target,
                     )
 

dissect/target/plugins/child/vmware_workstation.py

@@ -1,5 +1,3 @@
-from flow.record.fieldtypes import path
-
 from dissect.target.exceptions import UnsupportedPluginError
 from dissect.target.helpers.record import ChildTargetRecord
 from dissect.target.plugin import ChildTargetPlugin
@@ -42,6 +40,6 @@ class WorkstationChildTargetPlugin(ChildTargetPlugin):
 
                 yield ChildTargetRecord(
                     type=self.__type__,
-                    path=path.from_windows(value.strip('"')),
+                    path=self.target.fs.path(value.strip('"')),
                     _target=self.target,
                 )

dissect/target/plugins/filesystem/acquire_handles.py

@@ -43,4 +43,6 @@ class OpenHandlesPlugin(Plugin):
         """
         with self.open_handles_file.open() as fh:
             for row in csv.DictReader(gzip.open(fh, "rt")):
+                if name := row.get("name"):
+                    row.update({"name": self.target.fs.path(name)})
                 yield AcquireOpenHandlesRecord(_target=self.target, **row)

dissect/target/plugins/filesystem/acquire_hash.py

@@ -1,8 +1,6 @@
 import csv
 import gzip
 
-from flow.record.fieldtypes import posix_path, windows_path
-
 from dissect.target.exceptions import UnsupportedPluginError
 from dissect.target.helpers.record import TargetRecordDescriptor
 from dissect.target.plugin import Plugin, export
@@ -35,15 +33,11 @@ class AcquireHashPlugin(Plugin):
         An Acquire file container contains a file hashes csv when the hashes module was used. The content of this csv
         file is returned.
         """
-        if self.target.os == "windows":
-            path_type = windows_path
-        else:
-            path_type = posix_path
 
         with self.hash_file.open() as fh:
             for row in csv.DictReader(gzip.open(fh, "rt")):
                 yield AcquireHashRecord(
-                    path=path_type(row["path"]),
+                    path=self.target.fs.path((row["path"])),
                     filesize=row["file-size"],
                     digest=(row["md5"] or None, row["sha1"] or None, row["sha256"] or None),
                     _target=self.target,

dissect/target/plugins/filesystem/icat.py

@@ -16,7 +16,7 @@ class ICatPlugin(Plugin):
 
     def check_compatible(self) -> None:
         filesystems = self.target.filesystems
-        if not any(fs.__fstype__ in self.FS_SUPPORTED for fs in filesystems):
+        if not any(fs.__type__ in self.FS_SUPPORTED for fs in filesystems):
             raise UnsupportedPluginError("No supported filesystems found")
 
     @arg("--segment", "--inode", "-i", dest="inum", required=True, type=int, help="MFT segment or inode number")
@@ -72,14 +72,14 @@ class ICatPlugin(Plugin):
                     )
                     return
 
-            if filesystem.__fstype__ == "ntfs" or open_as == "ntfs":
+            if filesystem.__type__ == "ntfs" or open_as == "ntfs":
                 fh = filesystem.ntfs.mft(inum).open(ads)
-            elif filesystem.__fstype__ == "ext":
+            elif filesystem.__type__ == "ext":
                 fh = filesystem.extfs.get_inode(inum).open()
-            elif filesystem.__fstype__ == "xfs":
+            elif filesystem.__type__ == "xfs":
                 fh = filesystem.xfs.get_inode(inum).open()
             else:
-                self.target.log.exception('Unsupported FS type "%s"', filesystem.__fstype__)
+                self.target.log.exception('Unsupported FS type "%s"', filesystem.__type__)
                 return
 
             shutil.copyfileobj(fh, sys.stdout.buffer)

dissect/target/plugins/filesystem/ntfs/mft.py

@@ -105,7 +105,7 @@ COMPACT_RECORD_TYPES = {
 
 class MftPlugin(Plugin):
     def check_compatible(self) -> None:
-        ntfs_filesystems = [fs for fs in self.target.filesystems if fs.__fstype__ == "ntfs"]
+        ntfs_filesystems = [fs for fs in self.target.filesystems if fs.__type__ == "ntfs"]
         if not len(ntfs_filesystems):
             raise UnsupportedPluginError("No NTFS filesystems found")
 
@@ -133,7 +133,7 @@ class MftPlugin(Plugin):
             record_formatter = formatter
 
         for fs in self.target.filesystems:
-            if fs.__fstype__ != "ntfs":
+            if fs.__type__ != "ntfs":
                 continue
 
             drive_letter = get_drive_letter(self.target, fs)

dissect/target/plugins/filesystem/ntfs/mft_timeline.py

@@ -94,7 +94,7 @@ def format_info(
 
 class MftTimelinePlugin(Plugin):
     def check_compatible(self) -> None:
-        ntfs_filesystems = [fs for fs in self.target.filesystems if fs.__fstype__ == "ntfs"]
+        ntfs_filesystems = [fs for fs in self.target.filesystems if fs.__type__ == "ntfs"]
         if not len(ntfs_filesystems):
             raise UnsupportedPluginError("No MFT timelines found")
 
@@ -109,7 +109,7 @@ class MftTimelinePlugin(Plugin):
             - https://docs.microsoft.com/en-us/windows/win32/fileio/master-file-table
         """
         for fs in self.target.filesystems:
-            if fs.__fstype__ != "ntfs":
+            if fs.__type__ != "ntfs":
                 continue
 
             drive_letter = get_drive_letter(self.target, fs)

dissect/target/plugins/filesystem/ntfs/usnjrnl.py

@@ -1,7 +1,6 @@
 from typing import Iterator
 
 from dissect.ntfs.c_ntfs import segment_reference
-from flow.record.fieldtypes import path as rpath
 
 from dissect.target.helpers.record import TargetRecordDescriptor
 from dissect.target.plugin import Plugin, export
@@ -41,7 +40,7 @@ class UsnjrnlPlugin(Plugin):
         """
         target = self.target
         for fs in self.target.filesystems:
-            if fs.__fstype__ != "ntfs":
+            if fs.__type__ != "ntfs":
                 continue
 
             usnjrnl = fs.ntfs.usnjrnl
@@ -64,7 +63,7 @@ class UsnjrnlPlugin(Plugin):
                     yield UsnjrnlRecord(
                         ts=ts,
                         segment=f"{segment}#{record.FileReferenceNumber.SequenceNumber}",
-                        path=rpath.from_windows(path),
+                        path=self.target.fs.path(path),
                         usn=record.Usn,
                         reason=str(record.Reason).replace("USN_REASON.", ""),
                         attr=str(record.FileAttributes).replace("FILE_ATTRIBUTE.", ""),

dissect/target/plugins/filesystem/resolver.py

@@ -98,7 +98,7 @@ class ResolverPlugin(Plugin):
                     return lookup_ext
 
                 for search_path in search_paths:
-                    lookup_path = "/".join([search_path, lookup_ext])
+                    lookup_path = fsutil.join(search_path, lookup_ext, alt_separator=self.target.fs.alt_separator)
                     if self.target.fs.exists(lookup_path):
                         return lookup_path
 

dissect/target/plugins/filesystem/unix/capability.py

@@ -2,9 +2,10 @@ import struct
 from enum import IntEnum
 from io import BytesIO
 
-from dissect.target.exceptions import UnsupportedPluginError
+from dissect.target.exceptions import FileNotFoundError, UnsupportedPluginError
 from dissect.target.helpers.record import TargetRecordDescriptor
 from dissect.target.plugin import Plugin, export
+from dissect.target.plugins.filesystem.walkfs import generate_record
 
 CapabilityRecord = TargetRecordDescriptor(
     "filesystem/unix/capability",
@@ -87,72 +88,82 @@ class CapabilityPlugin(Plugin):
     @export(record=CapabilityRecord)
     def capability_binaries(self):
         """Find all files that have capabilities set."""
-        for entry, record in self.target.walkfs_ext():
-            try:
-                attrs = entry.get().lattr()
-            except Exception:
-                self.target.log.exception("Failed to get attrs for entry %s", entry)
-                continue
-
-            for attr in attrs:
-                if attr.name != "security.capability":
+        for path_entries, _, files in self.target.fs.walk_ext("/"):
+            entries = [path_entries[-1]] + files
+            for entry in entries:
+                path = self.target.fs.path(entry.path)
+                try:
+                    record = generate_record(self.target, path)
+                except FileNotFoundError:
                     continue
-
-                buf = BytesIO(attr.value)
-
-                # Reference: https://github.com/torvalds/linux/blob/master/include/uapi/linux/capability.h
-                # The struct is small enough we can just use struct
-                magic_etc = struct.unpack("<I", buf.read(4))[0]
-                cap_revision = magic_etc & VFS_CAP_REVISION_MASK
-
-                permitted_caps = []
-                inheritable_caps = []
-                rootid = None
-
-                if cap_revision == VFS_CAP_REVISION_1:
-                    num_caps = VFS_CAP_U32_1
-                    data_len = (1 + 2 * VFS_CAP_U32_1) * 4
-                elif cap_revision == VFS_CAP_REVISION_2:
-                    num_caps = VFS_CAP_U32_2
-                    data_len = (1 + 2 * VFS_CAP_U32_2) * 4
-                elif cap_revision == VFS_CAP_REVISION_3:
-                    num_caps = VFS_CAP_U32_3
-                    data_len = (2 + 2 * VFS_CAP_U32_2) * 4
-                else:
-                    self.target.log.error("Unexpected capability revision: %s", entry)
+                try:
+                    attrs = path.get().lattr()
+                except TypeError:
+                    # Virtual(File|Directory|Symlink) instances don't have a functional lattr()
                     continue
-
-                if data_len != len(attr.value):
-                    self.target.log.error("Unexpected capability length: %s", entry)
+                except Exception:
+                    self.target.log.exception("Failed to get attrs for entry %s", entry)
                     continue
 
-                for _ in range(num_caps):
-                    permitted_val, inheritable_val = struct.unpack("<2I", buf.read(8))
-                    permitted_caps.append(permitted_val)
-                    inheritable_caps.append(inheritable_val)
-
-                if cap_revision == VFS_CAP_REVISION_3:
-                    rootid = struct.unpack("<I", buf.read(4))[0]
-
-                permitted = []
-                inheritable = []
-
-                for capability in Capabilities:
-                    for caps, results in [(permitted_caps, permitted), (inheritable_caps, inheritable)]:
-                        # CAP_TO_INDEX
-                        cap_index = capability.value >> 5
-                        if cap_index >= len(caps):
-                            # We loop over all capabilities, but might only have a version 1 caps list
-                            continue
-
-                        if caps[cap_index] & (1 << (capability.value & 31)) != 0:
-                            results.append(capability.name)
-
-                yield CapabilityRecord(
-                    record=record,
-                    permitted=permitted,
-                    inheritable=inheritable,
-                    effective=magic_etc & VFS_CAP_FLAGS_EFFECTIVE != 0,
-                    rootid=rootid,
-                    _target=self.target,
-                )
+                for attr in attrs:
+                    if attr.name != "security.capability":
+                        continue
+
+                    buf = BytesIO(attr.value)
+
+                    # Reference: https://github.com/torvalds/linux/blob/master/include/uapi/linux/capability.h
+                    # The struct is small enough we can just use struct
+                    magic_etc = struct.unpack("<I", buf.read(4))[0]
+                    cap_revision = magic_etc & VFS_CAP_REVISION_MASK
+
+                    permitted_caps = []
+                    inheritable_caps = []
+                    rootid = None
+
+                    if cap_revision == VFS_CAP_REVISION_1:
+                        num_caps = VFS_CAP_U32_1
+                        data_len = (1 + 2 * VFS_CAP_U32_1) * 4
+                    elif cap_revision == VFS_CAP_REVISION_2:
+                        num_caps = VFS_CAP_U32_2
+                        data_len = (1 + 2 * VFS_CAP_U32_2) * 4
+                    elif cap_revision == VFS_CAP_REVISION_3:
+                        num_caps = VFS_CAP_U32_3
+                        data_len = (2 + 2 * VFS_CAP_U32_2) * 4
+                    else:
+                        self.target.log.error("Unexpected capability revision: %s", entry)
+                        continue
+
+                    if data_len != len(attr.value):
+                        self.target.log.error("Unexpected capability length: %s", entry)
+                        continue
+
+                    for _ in range(num_caps):
+                        permitted_val, inheritable_val = struct.unpack("<2I", buf.read(8))
+                        permitted_caps.append(permitted_val)
+                        inheritable_caps.append(inheritable_val)
+
+                    if cap_revision == VFS_CAP_REVISION_3:
+                        rootid = struct.unpack("<I", buf.read(4))[0]
+
+                    permitted = []
+                    inheritable = []
+
+                    for capability in Capabilities:
+                        for caps, results in [(permitted_caps, permitted), (inheritable_caps, inheritable)]:
+                            # CAP_TO_INDEX
+                            cap_index = capability.value >> 5
+                            if cap_index >= len(caps):
+                                # We loop over all capabilities, but might only have a version 1 caps list
+                                continue
+
+                            if caps[cap_index] & (1 << (capability.value & 31)) != 0:
+                                results.append(capability.name)
+
+                    yield CapabilityRecord(
+                        record=record,
+                        permitted=permitted,
+                        inheritable=inheritable,
+                        effective=magic_etc & VFS_CAP_FLAGS_EFFECTIVE != 0,
+                        rootid=rootid,
+                        _target=self.target,
+                    )

dissect/target/plugins/filesystem/walkfs.py

@@ -1,8 +1,13 @@
+from typing import Iterable
+
 from dissect.util.ts import from_unix
 
 from dissect.target.exceptions import FileNotFoundError, UnsupportedPluginError
+from dissect.target.filesystem import RootFilesystemEntry
+from dissect.target.helpers.fsutil import TargetPath
 from dissect.target.helpers.record import TargetRecordDescriptor
-from dissect.target.plugin import Plugin, export, internal
+from dissect.target.plugin import Plugin, export
+from dissect.target.target import Target
 
 FilesystemRecord = TargetRecordDescriptor(
     "filesystem/entry",
@@ -17,8 +22,7 @@ FilesystemRecord = TargetRecordDescriptor(
         ("uint32", "mode"),
         ("uint32", "uid"),
         ("uint32", "gid"),
-        ("string", "fstype"),
-        ("uint32", "fsidx"),
+        ("string[]", "fstypes"),
     ],
 )
 
@@ -29,36 +33,38 @@ class WalkFSPlugin(Plugin):
             raise UnsupportedPluginError("No filesystems found")
 
     @export(record=FilesystemRecord)
-    def walkfs(self):
+    def walkfs(self) -> Iterable[FilesystemRecord]:
         """Walk a target's filesystem and return all filesystem entries."""
-        for _, record in self.walkfs_ext():
-            yield record
-
-    @internal
-    def walkfs_ext(self, root="/", pattern="*"):
-        for idx, fs in enumerate(self.target.filesystems):
-            for entry in fs.path(root).rglob(pattern):
+        for path_entries, _, files in self.target.fs.walk_ext("/"):
+            entries = [path_entries[-1]] + files
+            for entry in entries:
+                path = self.target.fs.path(entry.path)
                 try:
-                    yield entry, generate_record(self.target, entry, idx)
+                    record = generate_record(self.target, path)
                 except FileNotFoundError:
                     continue
-                except Exception:
-                    self.target.log.exception("Failed to generate record from entry %s", entry)
+                yield record
 
 
-def generate_record(target, entry, idx):
-    stat = entry.lstat()
+def generate_record(target: Target, path: TargetPath) -> FilesystemRecord:
+    stat = path.lstat()
+    btime = from_unix(stat.st_birthtime) if stat.st_birthtime else None
+    entry = path.get()
+    if isinstance(entry, RootFilesystemEntry):
+        fs_types = [sub_entry.fs.__type__ for sub_entry in entry.entries]
+    else:
+        fs_types = [entry.fs.__type__]
     return FilesystemRecord(
         atime=from_unix(stat.st_atime),
         mtime=from_unix(stat.st_mtime),
         ctime=from_unix(stat.st_ctime),
+        btime=btime,
         ino=stat.st_ino,
-        path=entry,
+        path=path,
         size=stat.st_size,
         mode=stat.st_mode,
         uid=stat.st_uid,
         gid=stat.st_gid,
-        fstype=entry.get().fs.__fstype__,
-        fsidx=idx,
+        fstypes=fs_types,
         _target=target,
     )

dissect/target/plugins/filesystem/yara.py

@@ -5,7 +5,7 @@ try:
 except ImportError:
     raise ImportError("Please install 'yara-python' to use 'target-query -f yara'.")
 
-from dissect.target.exceptions import FileNotFoundError, UnsupportedPluginError
+from dissect.target.exceptions import FileNotFoundError
 from dissect.target.helpers.record import TargetRecordDescriptor
 from dissect.target.plugin import Plugin, arg, export
 
@@ -26,8 +26,7 @@ class YaraPlugin(Plugin):
     DEFAULT_MAX_SIZE = 10 * 1024 * 1024
 
     def check_compatible(self) -> None:
-        if not self.target.has_function("walkfs"):
-            raise UnsupportedPluginError("No walkfs plugin found")
+        pass
 
     @arg("--rule-files", "-r", type=Path, nargs="+", required=True, help="path to YARA rule file")
     @arg("--scan-path", default="/", help="path to recursively scan")
@@ -43,20 +42,22 @@ class YaraPlugin(Plugin):
         rule_data = "\n".join([rule_file.read_text() for rule_file in rule_files])
 
         rules = yara.compile(source=rule_data)
-        for entry, _ in self.target.walkfs_ext(scan_path):
-            try:
-                if not entry.is_file() or entry.stat().st_size > max_size:
+        for _, _, files in self.target.fs.walk_ext(scan_path):
+            for file_entry in files:
+                path = self.target.fs.path(file_entry.path)
+                try:
+                    if path.stat().st_size > max_size:
+                        continue
+
+                    for match in rules.match(data=path.read_bytes()):
+                        yield YaraMatchRecord(
+                            path=path,
+                            digest=path.get().hash(),
+                            rule=match.rule,
+                            tags=match.tags,
+                            _target=self.target,
+                        )
+                except FileNotFoundError:
                     continue
-
-                for match in rules.match(data=entry.read_bytes()):
-                    yield YaraMatchRecord(
-                        path=entry,
-                        digest=entry.get().hash(),
-                        rule=match.rule,
-                        tags=match.tags,
-                        _target=self.target,
-                    )
-            except FileNotFoundError:
-                continue
-            except Exception:
-                self.target.log.exception("Error scanning file: %s", entry)
+                except Exception:
+                    self.target.log.exception("Error scanning file: %s", path)

dissect/target/plugins/general/config.py

@@ -1,7 +1,7 @@
 from __future__ import annotations
 
 from functools import lru_cache
-from typing import Optional, Union
+from typing import Iterable, Optional, Union
 
 from dissect.target import Target
 from dissect.target.exceptions import UnsupportedPluginError
@@ -25,7 +25,7 @@ class ConfigurationTreePlugin(Plugin):
         if target_dir_path.is_dir():
             self.config_fs = ConfigurationFilesystem(target, dir_path)
 
-        self.get = lru_cache(128)(self.get)
+        self._get = lru_cache(128)(self._get)
 
     def check_compatible(self) -> None:
         # This should be able to be retrieved, regardless of OS
@@ -37,29 +37,46 @@ class ConfigurationTreePlugin(Plugin):
         self,
         path: Optional[Union[TargetPath, str]] = None,
         hint: Optional[str] = None,
-        collapse: Optional[Union[bool, set]] = None,
+        collapse: Optional[Union[bool, Iterable[str]]] = None,
         collapse_inverse: Optional[bool] = None,
-        seperator: Optional[tuple[str]] = None,
+        separator: Optional[tuple[str]] = None,
         comment_prefixes: Optional[tuple[str]] = None,
         as_dict: bool = False,
     ) -> Union[ConfigurationFilesystem, ConfigurationEntry, dict]:
-        """Create a configuration entry from a file, or a ConfigurationFilesystem from a directory.
+        """Create a configuration entry from a file, or a :class:`.ConfigurationFilesystem` from a directory.
 
         If a directory is specified in ``path``, the other arguments should be provided in the ``get`` call if needed.
 
         Args:
-            path: The path to either a directory or file
-            hint: What kind of parser it should use
-            collapse: Wether it should collapse all or only certain keys.
-            seperator: What seperator should be used for the parser.
+            path: The path to either a directory or file.
+            hint: What kind of parser it should use.
+            collapse: Whether it should collapse everything or just a certain set of keys.
+            collapse_inverse: Invert the collapse function to collapse everything but the keys inside ``collapse``.
+            separator: The separator that should be used for parsing.
             comment_prefixes: What is specified as a comment.
-            as_dict: Returns the dictionary instead of an entry.
+            as_dict: Return a dictionary instead of an entry.
         """
-        return self.get(path, as_dict, hint, collapse, collapse_inverse, seperator, comment_prefixes)
+        return self.get(
+            path=path,
+            as_dict=as_dict,
+            hint=hint,
+            collapse=collapse,
+            collapse_inverse=collapse_inverse,
+            separator=separator,
+            comment_prefixes=comment_prefixes,
+        )
 
     @internal
     def get(
         self, path: Optional[Union[TargetPath, str]] = None, as_dict: bool = False, *args, **kwargs
+    ) -> Union[ConfigurationFilesystem, ConfigurationEntry, dict]:
+        if collapse := kwargs.pop("collapse", None):
+            kwargs.update({"collapse": frozenset(collapse)})
+
+        return self._get(path, as_dict, *args, **kwargs)
+
+    def _get(
+        self, path: Optional[Union[TargetPath, str]] = None, as_dict: bool = False, *args, **kwargs
     ) -> Union[ConfigurationFilesystem, ConfigurationEntry, dict]:
         if not path:
             return self.config_fs