dissect.target 3.14.dev20__py3-none-any.whl → 3.14.dev23__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- dissect/target/filesystem.py +1 -1
- dissect/target/filesystems/btrfs.py +2 -2
- dissect/target/helpers/cache.py +2 -2
- dissect/target/helpers/fsutil.py +9 -6
- dissect/target/helpers/hashutil.py +1 -5
- dissect/target/loaders/log.py +2 -2
- dissect/target/loaders/smb.py +23 -13
- dissect/target/plugins/apps/av/sophos.py +1 -2
- dissect/target/plugins/apps/av/trendmicro.py +2 -3
- dissect/target/plugins/apps/browser/chromium.py +4 -11
- dissect/target/plugins/apps/browser/firefox.py +2 -6
- dissect/target/plugins/child/hyperv.py +1 -2
- dissect/target/plugins/child/vmware_workstation.py +1 -3
- dissect/target/plugins/filesystem/acquire_handles.py +2 -0
- dissect/target/plugins/filesystem/acquire_hash.py +1 -7
- dissect/target/plugins/filesystem/ntfs/usnjrnl.py +1 -2
- dissect/target/plugins/filesystem/resolver.py +1 -1
- dissect/target/plugins/filesystem/unix/capability.py +77 -66
- dissect/target/plugins/filesystem/walkfs.py +23 -19
- dissect/target/plugins/filesystem/yara.py +20 -19
- dissect/target/plugins/os/unix/_os.py +1 -3
- dissect/target/plugins/os/unix/bsd/osx/user.py +1 -3
- dissect/target/plugins/os/unix/esxi/_os.py +1 -2
- dissect/target/plugins/os/unix/log/journal.py +7 -6
- dissect/target/plugins/os/windows/_os.py +2 -1
- dissect/target/plugins/os/windows/amcache.py +9 -10
- dissect/target/plugins/os/windows/catroot.py +2 -2
- dissect/target/plugins/os/windows/generic.py +10 -11
- dissect/target/plugins/os/windows/lnk.py +5 -6
- dissect/target/plugins/os/windows/log/amcache.py +3 -5
- dissect/target/plugins/os/windows/log/pfro.py +1 -3
- dissect/target/plugins/os/windows/prefetch.py +5 -6
- dissect/target/plugins/os/windows/recyclebin.py +3 -4
- dissect/target/plugins/os/windows/regf/7zip.py +2 -4
- dissect/target/plugins/os/windows/regf/bam.py +1 -2
- dissect/target/plugins/os/windows/regf/cit.py +4 -5
- dissect/target/plugins/os/windows/regf/muicache.py +1 -3
- dissect/target/plugins/os/windows/regf/recentfilecache.py +1 -2
- dissect/target/plugins/os/windows/regf/shimcache.py +1 -2
- dissect/target/plugins/os/windows/regf/trusteddocs.py +1 -1
- dissect/target/plugins/os/windows/regf/userassist.py +1 -2
- dissect/target/plugins/os/windows/services.py +2 -4
- dissect/target/plugins/os/windows/sru.py +4 -4
- dissect/target/plugins/os/windows/startupinfo.py +5 -6
- dissect/target/plugins/os/windows/syscache.py +1 -2
- dissect/target/target.py +2 -1
- {dissect.target-3.14.dev20.dist-info → dissect.target-3.14.dev23.dist-info}/METADATA +1 -1
- {dissect.target-3.14.dev20.dist-info → dissect.target-3.14.dev23.dist-info}/RECORD +53 -53
- {dissect.target-3.14.dev20.dist-info → dissect.target-3.14.dev23.dist-info}/COPYRIGHT +0 -0
- {dissect.target-3.14.dev20.dist-info → dissect.target-3.14.dev23.dist-info}/LICENSE +0 -0
- {dissect.target-3.14.dev20.dist-info → dissect.target-3.14.dev23.dist-info}/WHEEL +0 -0
- {dissect.target-3.14.dev20.dist-info → dissect.target-3.14.dev23.dist-info}/entry_points.txt +0 -0
- {dissect.target-3.14.dev20.dist-info → dissect.target-3.14.dev23.dist-info}/top_level.txt +0 -0
|
@@ -5,7 +5,7 @@ try:
|
|
|
5
5
|
except ImportError:
|
|
6
6
|
raise ImportError("Please install 'yara-python' to use 'target-query -f yara'.")
|
|
7
7
|
|
|
8
|
-
from dissect.target.exceptions import FileNotFoundError
|
|
8
|
+
from dissect.target.exceptions import FileNotFoundError
|
|
9
9
|
from dissect.target.helpers.record import TargetRecordDescriptor
|
|
10
10
|
from dissect.target.plugin import Plugin, arg, export
|
|
11
11
|
|
|
@@ -26,8 +26,7 @@ class YaraPlugin(Plugin):
|
|
|
26
26
|
DEFAULT_MAX_SIZE = 10 * 1024 * 1024
|
|
27
27
|
|
|
28
28
|
def check_compatible(self) -> None:
|
|
29
|
-
|
|
30
|
-
raise UnsupportedPluginError("No walkfs plugin found")
|
|
29
|
+
pass
|
|
31
30
|
|
|
32
31
|
@arg("--rule-files", "-r", type=Path, nargs="+", required=True, help="path to YARA rule file")
|
|
33
32
|
@arg("--scan-path", default="/", help="path to recursively scan")
|
|
@@ -43,20 +42,22 @@ class YaraPlugin(Plugin):
|
|
|
43
42
|
rule_data = "\n".join([rule_file.read_text() for rule_file in rule_files])
|
|
44
43
|
|
|
45
44
|
rules = yara.compile(source=rule_data)
|
|
46
|
-
for
|
|
47
|
-
|
|
48
|
-
|
|
45
|
+
for _, _, files in self.target.fs.walk_ext(scan_path):
|
|
46
|
+
for file_entry in files:
|
|
47
|
+
path = self.target.fs.path(file_entry.path)
|
|
48
|
+
try:
|
|
49
|
+
if path.stat().st_size > max_size:
|
|
50
|
+
continue
|
|
51
|
+
|
|
52
|
+
for match in rules.match(data=path.read_bytes()):
|
|
53
|
+
yield YaraMatchRecord(
|
|
54
|
+
path=path,
|
|
55
|
+
digest=path.get().hash(),
|
|
56
|
+
rule=match.rule,
|
|
57
|
+
tags=match.tags,
|
|
58
|
+
_target=self.target,
|
|
59
|
+
)
|
|
60
|
+
except FileNotFoundError:
|
|
49
61
|
continue
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
yield YaraMatchRecord(
|
|
53
|
-
path=entry,
|
|
54
|
-
digest=entry.get().hash(),
|
|
55
|
-
rule=match.rule,
|
|
56
|
-
tags=match.tags,
|
|
57
|
-
_target=self.target,
|
|
58
|
-
)
|
|
59
|
-
except FileNotFoundError:
|
|
60
|
-
continue
|
|
61
|
-
except Exception:
|
|
62
|
-
self.target.log.exception("Error scanning file: %s", entry)
|
|
62
|
+
except Exception:
|
|
63
|
+
self.target.log.exception("Error scanning file: %s", path)
|
|
@@ -6,8 +6,6 @@ import uuid
|
|
|
6
6
|
from struct import unpack
|
|
7
7
|
from typing import Iterator, Optional, Union
|
|
8
8
|
|
|
9
|
-
from flow.record.fieldtypes import posix_path
|
|
10
|
-
|
|
11
9
|
from dissect.target.filesystem import Filesystem
|
|
12
10
|
from dissect.target.helpers.fsutil import TargetPath
|
|
13
11
|
from dissect.target.helpers.record import UnixUserRecord
|
|
@@ -62,7 +60,7 @@ class UnixPlugin(OSPlugin):
|
|
|
62
60
|
uid=pwent.get(2),
|
|
63
61
|
gid=pwent.get(3),
|
|
64
62
|
gecos=pwent.get(4),
|
|
65
|
-
home=
|
|
63
|
+
home=self.target.fs.path(pwent.get(5)),
|
|
66
64
|
shell=pwent.get(6),
|
|
67
65
|
source=passwd_file,
|
|
68
66
|
_target=self.target,
|
|
@@ -1,8 +1,6 @@
|
|
|
1
1
|
import plistlib
|
|
2
2
|
from typing import Iterator
|
|
3
3
|
|
|
4
|
-
from flow.record.fieldtypes import posix_path
|
|
5
|
-
|
|
6
4
|
from dissect.target.exceptions import UnsupportedPluginError
|
|
7
5
|
from dissect.target.helpers.descriptor_extensions import UserRecordDescriptorExtension
|
|
8
6
|
from dissect.target.helpers.record import create_extended_descriptor
|
|
@@ -49,7 +47,7 @@ class UserPlugin(Plugin):
|
|
|
49
47
|
password_last_time=account_policy.get("passwordLastSetTime"),
|
|
50
48
|
failed_login_count=account_policy.get("failedLoginCount"),
|
|
51
49
|
failed_login_time=account_policy.get("failedLoginTimestamp"),
|
|
52
|
-
source=
|
|
50
|
+
source=self.target.fs.path(user_details.user.source),
|
|
53
51
|
_user=user_details.user,
|
|
54
52
|
_target=self.target,
|
|
55
53
|
)
|
|
@@ -12,7 +12,6 @@ from typing import Any, BinaryIO, Iterator, Optional, TextIO
|
|
|
12
12
|
from defusedxml import ElementTree
|
|
13
13
|
from dissect.hypervisor.util import vmtar
|
|
14
14
|
from dissect.sql import sqlite3
|
|
15
|
-
from flow.record.fieldtypes import path
|
|
16
15
|
|
|
17
16
|
try:
|
|
18
17
|
from dissect.hypervisor.util.envelope import Envelope, KeyStore
|
|
@@ -159,7 +158,7 @@ class ESXiPlugin(UnixPlugin):
|
|
|
159
158
|
root = ElementTree.fromstring(inv_file.read_text("utf-8"))
|
|
160
159
|
for entry in root.iter("ConfigEntry"):
|
|
161
160
|
yield VirtualMachineRecord(
|
|
162
|
-
path=path
|
|
161
|
+
path=self.target.fs.path(entry.findtext("vmxCfgPath")),
|
|
163
162
|
_target=self.target,
|
|
164
163
|
)
|
|
165
164
|
|
|
@@ -5,7 +5,6 @@ import zstandard
|
|
|
5
5
|
from dissect.cstruct import Instance, cstruct
|
|
6
6
|
from dissect.util import ts
|
|
7
7
|
from dissect.util.compression import lz4
|
|
8
|
-
from flow.record.fieldtypes import path
|
|
9
8
|
|
|
10
9
|
from dissect.target import Target
|
|
11
10
|
from dissect.target.exceptions import UnsupportedPluginError
|
|
@@ -394,6 +393,8 @@ class JournalPlugin(Plugin):
|
|
|
394
393
|
- https://github.com/systemd/systemd/blob/9203abf79f1d05fdef9b039e7addf9fc5a27752d/man/systemd.journal-fields.xml
|
|
395
394
|
""" # noqa: E501
|
|
396
395
|
|
|
396
|
+
path_function = self.target.fs.path
|
|
397
|
+
|
|
397
398
|
for _path in self.journal_paths:
|
|
398
399
|
fh = _path.open()
|
|
399
400
|
|
|
@@ -409,7 +410,7 @@ class JournalPlugin(Plugin):
|
|
|
409
410
|
message=entry.get("message"),
|
|
410
411
|
message_id=entry.get("message_id"),
|
|
411
412
|
priority=get_optional(entry.get("priority"), int),
|
|
412
|
-
code_file=get_optional(entry.get("code_file"),
|
|
413
|
+
code_file=get_optional(entry.get("code_file"), path_function),
|
|
413
414
|
code_line=get_optional(entry.get("code_line"), int),
|
|
414
415
|
code_func=entry.get("code_func"),
|
|
415
416
|
errno=get_optional(entry.get("errno"), int),
|
|
@@ -427,12 +428,12 @@ class JournalPlugin(Plugin):
|
|
|
427
428
|
uid=get_optional(entry.get("uid"), int),
|
|
428
429
|
gid=get_optional(entry.get("gid"), int),
|
|
429
430
|
comm=entry.get("comm"),
|
|
430
|
-
exe=get_optional(entry.get("exe"),
|
|
431
|
+
exe=get_optional(entry.get("exe"), path_function),
|
|
431
432
|
cmdline=entry.get("cmdline"),
|
|
432
433
|
cap_effective=entry.get("cap_effective"),
|
|
433
434
|
audit_session=get_optional(entry.get("audit_session"), int),
|
|
434
435
|
audit_loginuid=get_optional(entry.get("audit_loginuid"), int),
|
|
435
|
-
systemd_cgroup=get_optional(entry.get("systemd_cgroup"),
|
|
436
|
+
systemd_cgroup=get_optional(entry.get("systemd_cgroup"), path_function),
|
|
436
437
|
systemd_slice=entry.get("systemd_slice"),
|
|
437
438
|
systemd_unit=entry.get("systemd_unit"),
|
|
438
439
|
systemd_user_unit=entry.get("systemd_user_unit"),
|
|
@@ -451,8 +452,8 @@ class JournalPlugin(Plugin):
|
|
|
451
452
|
kernel_device=entry.get("kernel_device"),
|
|
452
453
|
kernel_subsystem=entry.get("kernel_subsystem"),
|
|
453
454
|
udev_sysname=entry.get("udev_sysname"),
|
|
454
|
-
udev_devnode=get_optional(entry.get("udev_devnode"),
|
|
455
|
-
udev_devlink=get_optional(entry.get("udev_devlink"),
|
|
455
|
+
udev_devnode=get_optional(entry.get("udev_devnode"), path_function),
|
|
456
|
+
udev_devlink=get_optional(entry.get("udev_devlink"), path_function),
|
|
456
457
|
journal_hostname=entry.get("hostname"),
|
|
457
458
|
filepath=_path,
|
|
458
459
|
_target=self.target,
|
|
@@ -77,7 +77,8 @@ class WindowsPlugin(OSPlugin):
|
|
|
77
77
|
self.target.fs.mount(drive, volume.fs)
|
|
78
78
|
break
|
|
79
79
|
except Exception as e:
|
|
80
|
-
self.target.log.warning("Failed to map drive letters"
|
|
80
|
+
self.target.log.warning("Failed to map drive letters")
|
|
81
|
+
self.target.log.debug("", exc_info=e)
|
|
81
82
|
|
|
82
83
|
@export(property=True)
|
|
83
84
|
def hostname(self) -> Optional[str]:
|
|
@@ -1,7 +1,6 @@
|
|
|
1
1
|
from datetime import datetime, timezone
|
|
2
2
|
|
|
3
3
|
from dissect.util.ts import wintimestamp
|
|
4
|
-
from flow.record.fieldtypes import path
|
|
5
4
|
|
|
6
5
|
from dissect.target.exceptions import RegistryKeyNotFoundError, UnsupportedPluginError
|
|
7
6
|
from dissect.target.helpers import regutil
|
|
@@ -220,7 +219,7 @@ class AmcachePluginOldMixin:
|
|
|
220
219
|
created_timestamp=parse_win_timestamp(subkey_data.get("created_timestamp")),
|
|
221
220
|
mtime_regf=subkey.timestamp,
|
|
222
221
|
reference=int(subkey.name, 16),
|
|
223
|
-
path=path
|
|
222
|
+
path=self.target.fs.path(subkey_data["full_path"]) if subkey_data.get("full_path") else None,
|
|
224
223
|
language_code=subkey_data.get("language_code"),
|
|
225
224
|
digests=[None, subkey_data["sha1"][-40:] if subkey_data.get("sha1") else None, None],
|
|
226
225
|
program_id=subkey_data.get("program_id"),
|
|
@@ -265,7 +264,7 @@ class AmcachePluginOldMixin:
|
|
|
265
264
|
language_code=entry_data.get("LanguageCode"),
|
|
266
265
|
entry_type=entry_data.get("EntryType"),
|
|
267
266
|
uninstall_key=entry_data.get("UninstallKey"),
|
|
268
|
-
path=path
|
|
267
|
+
path=self.target.fs.path(file_path_entry),
|
|
269
268
|
product_code=entry_data.get("ProductCode"),
|
|
270
269
|
package_code=entry_data.get("PackageCode"),
|
|
271
270
|
msi_package_code=entry_data.get("MsiPackageCode"),
|
|
@@ -284,7 +283,7 @@ class AmcachePluginOldMixin:
|
|
|
284
283
|
language_code=entry_data.get("LanguageCode"),
|
|
285
284
|
entry_type=entry_data.get("EntryType"),
|
|
286
285
|
uninstall_key=entry_data.get("UninstallKey"),
|
|
287
|
-
path=path
|
|
286
|
+
path=self.target.fs.path(file_entry),
|
|
288
287
|
product_code=entry_data.get("ProductCode"),
|
|
289
288
|
package_code=entry_data.get("PackageCode"),
|
|
290
289
|
msi_package_code=entry_data.get("MsiPackageCode"),
|
|
@@ -416,7 +415,7 @@ class AmcachePlugin(AmcachePluginOldMixin, Plugin):
|
|
|
416
415
|
program_instance_id=entry_data.get("ProgramInstanceId"),
|
|
417
416
|
publisher=entry_data.get("Publisher"),
|
|
418
417
|
registry_key_path=entry_data.get("RegistryKeyPath"),
|
|
419
|
-
root_dir_path=path
|
|
418
|
+
root_dir_path=self.target.fs.path(entry_data.get("RootDirPath")),
|
|
420
419
|
source=entry_data.get("Source"),
|
|
421
420
|
uninstall_string=entry_data.get("UninstallString"),
|
|
422
421
|
type=entry_data.get("Type"),
|
|
@@ -467,7 +466,7 @@ class AmcachePlugin(AmcachePluginOldMixin, Plugin):
|
|
|
467
466
|
mtime_regf=entry.timestamp,
|
|
468
467
|
program_id=entry_data.get("ProgramId"),
|
|
469
468
|
digests=[None, sha1_digest, None],
|
|
470
|
-
path=path
|
|
469
|
+
path=self.target.fs.path(entry_data.get("LowerCaseLongPath")),
|
|
471
470
|
link_date=parse_win_datetime(entry_data.get("LinkDate")),
|
|
472
471
|
hash_path=entry_data.get("LongPathHash"),
|
|
473
472
|
name=entry_data.get("Name"),
|
|
@@ -492,8 +491,8 @@ class AmcachePlugin(AmcachePluginOldMixin, Plugin):
|
|
|
492
491
|
|
|
493
492
|
yield BinaryAppcompatRecord(
|
|
494
493
|
mtime_regf=entry.timestamp,
|
|
495
|
-
driver_name=path
|
|
496
|
-
inf=path
|
|
494
|
+
driver_name=self.target.fs.path(entry_data.get("DriverName")),
|
|
495
|
+
inf=self.target.fs.path(entry_data.get("Inf")),
|
|
497
496
|
driver_version=entry_data.get("DriverVersion"),
|
|
498
497
|
product=entry_data.get("Product"),
|
|
499
498
|
product_version=entry_data.get("ProductVersion"),
|
|
@@ -515,7 +514,7 @@ class AmcachePlugin(AmcachePluginOldMixin, Plugin):
|
|
|
515
514
|
for entry in self.read_key_subkeys(key):
|
|
516
515
|
yield ShortcutAppcompatRecord(
|
|
517
516
|
mtime_regf=entry.timestamp,
|
|
518
|
-
path=path
|
|
517
|
+
path=self.target.fs.path(entry.value("ShortCutPath").value),
|
|
519
518
|
_target=self.target,
|
|
520
519
|
)
|
|
521
520
|
|
|
@@ -637,7 +636,7 @@ class AmcachePlugin(AmcachePluginOldMixin, Plugin):
|
|
|
637
636
|
parts = line.rstrip().split("|")
|
|
638
637
|
yield AppLaunchAppcompatRecord(
|
|
639
638
|
ts=datetime.strptime(parts[-1], "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc),
|
|
640
|
-
path=path
|
|
639
|
+
path=self.target.fs.path(parts[0]),
|
|
641
640
|
_target=self.target,
|
|
642
641
|
)
|
|
643
642
|
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
from asn1crypto import algos, core
|
|
2
|
-
from flow.record.fieldtypes import digest
|
|
2
|
+
from flow.record.fieldtypes import digest
|
|
3
3
|
|
|
4
4
|
from dissect.target.exceptions import UnsupportedPluginError
|
|
5
5
|
from dissect.target.helpers.record import TargetRecordDescriptor
|
|
@@ -118,7 +118,7 @@ class CatrootPlugin(Plugin):
|
|
|
118
118
|
|
|
119
119
|
yield CatrootRecord(
|
|
120
120
|
digest=fdigest,
|
|
121
|
-
hint=path
|
|
121
|
+
hint=self.target.fs.path(filehint) if filehint else None,
|
|
122
122
|
source=f,
|
|
123
123
|
_target=self.target,
|
|
124
124
|
)
|
|
@@ -2,7 +2,6 @@ from datetime import datetime
|
|
|
2
2
|
from typing import Optional
|
|
3
3
|
|
|
4
4
|
from dissect.util.ts import from_unix
|
|
5
|
-
from flow.record.fieldtypes import path
|
|
6
5
|
|
|
7
6
|
from dissect.target.exceptions import RegistryError, UnsupportedPluginError
|
|
8
7
|
from dissect.target.helpers.descriptor_extensions import (
|
|
@@ -250,7 +249,7 @@ class GenericPlugin(Plugin):
|
|
|
250
249
|
value = r.value(name)
|
|
251
250
|
yield AppInitRecord(
|
|
252
251
|
ts=r.ts,
|
|
253
|
-
path=path
|
|
252
|
+
path=self.target.fs.path(value.value),
|
|
254
253
|
_target=self.target,
|
|
255
254
|
_user=user,
|
|
256
255
|
_key=r,
|
|
@@ -279,7 +278,7 @@ class GenericPlugin(Plugin):
|
|
|
279
278
|
for value in r.values():
|
|
280
279
|
yield KnownDllRecord(
|
|
281
280
|
ts=r.ts,
|
|
282
|
-
path=path
|
|
281
|
+
path=self.target.fs.path(value.value),
|
|
283
282
|
_target=self.target,
|
|
284
283
|
_user=user,
|
|
285
284
|
_key=r,
|
|
@@ -325,7 +324,7 @@ class GenericPlugin(Plugin):
|
|
|
325
324
|
|
|
326
325
|
yield SessionManagerRecord(
|
|
327
326
|
ts=r.ts,
|
|
328
|
-
path=path
|
|
327
|
+
path=self.target.fs.path(d),
|
|
329
328
|
_target=self.target,
|
|
330
329
|
_user=user,
|
|
331
330
|
_key=r,
|
|
@@ -333,7 +332,7 @@ class GenericPlugin(Plugin):
|
|
|
333
332
|
else:
|
|
334
333
|
yield SessionManagerRecord(
|
|
335
334
|
ts=r.ts,
|
|
336
|
-
path=path
|
|
335
|
+
path=self.target.fs.path(data.split(" ")[0]),
|
|
337
336
|
_target=self.target,
|
|
338
337
|
_user=user,
|
|
339
338
|
_key=r,
|
|
@@ -427,7 +426,7 @@ class GenericPlugin(Plugin):
|
|
|
427
426
|
value = r.value(name)
|
|
428
427
|
yield CommandProcAutoRunRecord(
|
|
429
428
|
ts=r.ts,
|
|
430
|
-
path=path
|
|
429
|
+
path=self.target.fs.path(value.value),
|
|
431
430
|
_target=self.target,
|
|
432
431
|
_user=user,
|
|
433
432
|
_key=r,
|
|
@@ -453,7 +452,7 @@ class GenericPlugin(Plugin):
|
|
|
453
452
|
value = r.value("AlternateShell")
|
|
454
453
|
yield AlternateShellRecord(
|
|
455
454
|
ts=r.ts,
|
|
456
|
-
path=path
|
|
455
|
+
path=self.target.fs.path(value.value),
|
|
457
456
|
_target=self.target,
|
|
458
457
|
_user=user,
|
|
459
458
|
_key=r,
|
|
@@ -477,7 +476,7 @@ class GenericPlugin(Plugin):
|
|
|
477
476
|
|
|
478
477
|
yield BootShellRecord(
|
|
479
478
|
ts=r.ts,
|
|
480
|
-
path=path
|
|
479
|
+
path=self.target.fs.path(value.value),
|
|
481
480
|
_target=self.target,
|
|
482
481
|
_user=user,
|
|
483
482
|
_key=r,
|
|
@@ -500,7 +499,7 @@ class GenericPlugin(Plugin):
|
|
|
500
499
|
user = self.target.registry.get_user(r)
|
|
501
500
|
try:
|
|
502
501
|
value = r.value("PendingFileRenameOperations")
|
|
503
|
-
paths = map(path
|
|
502
|
+
paths = map(self.target.fs.path, value.value)
|
|
504
503
|
except RegistryError:
|
|
505
504
|
continue
|
|
506
505
|
|
|
@@ -528,7 +527,7 @@ class GenericPlugin(Plugin):
|
|
|
528
527
|
for v in r.values():
|
|
529
528
|
yield WinRarRecord(
|
|
530
529
|
ts=r.ts,
|
|
531
|
-
path=path
|
|
530
|
+
path=self.target.fs.path(v.value),
|
|
532
531
|
_target=self.target,
|
|
533
532
|
_user=user,
|
|
534
533
|
_key=r,
|
|
@@ -552,7 +551,7 @@ class GenericPlugin(Plugin):
|
|
|
552
551
|
for s in r.subkeys():
|
|
553
552
|
yield WinSockNamespaceProviderRecord(
|
|
554
553
|
ts=r.ts,
|
|
555
|
-
librarypath=path
|
|
554
|
+
librarypath=self.target.fs.path(s.value("LibraryPath").value),
|
|
556
555
|
displaystring=s.value("DisplayString").value,
|
|
557
556
|
providerid=s.value("ProviderID").value,
|
|
558
557
|
enabled=s.value("Enabled").value,
|
|
@@ -2,7 +2,6 @@ from typing import Iterator, Optional
|
|
|
2
2
|
|
|
3
3
|
from dissect.shellitem.lnk import Lnk
|
|
4
4
|
from dissect.util import ts
|
|
5
|
-
from flow.record.fieldtypes import path
|
|
6
5
|
|
|
7
6
|
from dissect.target.exceptions import UnsupportedPluginError
|
|
8
7
|
from dissect.target.helpers.fsutil import TargetPath
|
|
@@ -88,17 +87,17 @@ class LnkPlugin(Plugin):
|
|
|
88
87
|
lnk_ctime = ts.from_unix(entry.stat().st_ctime)
|
|
89
88
|
|
|
90
89
|
lnk_relativepath = (
|
|
91
|
-
path
|
|
90
|
+
self.target.fs.path(lnk_file.stringdata.relative_path.string)
|
|
92
91
|
if lnk_file.flag("has_relative_path")
|
|
93
92
|
else None
|
|
94
93
|
)
|
|
95
94
|
lnk_workdir = (
|
|
96
|
-
path
|
|
95
|
+
self.target.fs.path(lnk_file.stringdata.working_dir.string)
|
|
97
96
|
if lnk_file.flag("has_working_dir")
|
|
98
97
|
else None
|
|
99
98
|
)
|
|
100
99
|
lnk_iconlocation = (
|
|
101
|
-
path
|
|
100
|
+
self.target.fs.path(lnk_file.stringdata.icon_location.string)
|
|
102
101
|
if lnk_file.flag("has_icon_location")
|
|
103
102
|
else None
|
|
104
103
|
)
|
|
@@ -115,9 +114,9 @@ class LnkPlugin(Plugin):
|
|
|
115
114
|
)
|
|
116
115
|
|
|
117
116
|
if local_base_path and common_path_suffix:
|
|
118
|
-
lnk_full_path = path
|
|
117
|
+
lnk_full_path = self.target.fs.path(local_base_path + common_path_suffix)
|
|
119
118
|
elif local_base_path and not common_path_suffix:
|
|
120
|
-
lnk_full_path = path
|
|
119
|
+
lnk_full_path = self.target.fs.path(local_base_path)
|
|
121
120
|
else:
|
|
122
121
|
lnk_full_path = None
|
|
123
122
|
|
|
@@ -4,8 +4,6 @@ import re
|
|
|
4
4
|
from datetime import datetime
|
|
5
5
|
from typing import TYPE_CHECKING, Iterator, Union
|
|
6
6
|
|
|
7
|
-
from flow.record.fieldtypes import path
|
|
8
|
-
|
|
9
7
|
from dissect.target.exceptions import UnsupportedPluginError
|
|
10
8
|
from dissect.target.helpers.record import TargetRecordDescriptor
|
|
11
9
|
from dissect.target.plugin import Plugin, export
|
|
@@ -78,9 +76,9 @@ def create_record(
|
|
|
78
76
|
modified=_to_log_timestamp(install_properties.get("modified")),
|
|
79
77
|
access=_to_log_timestamp(install_properties.get("lastaccessed")),
|
|
80
78
|
link_date=_to_log_timestamp(install_properties.get("linkdate")),
|
|
81
|
-
path=path
|
|
82
|
-
filename=path
|
|
83
|
-
create=path
|
|
79
|
+
path=target.fs.path(install_properties.get("path")),
|
|
80
|
+
filename=target.fs.path(filename),
|
|
81
|
+
create=target.fs.path(create),
|
|
84
82
|
size_of_image=install_properties.get("sizeofimage"),
|
|
85
83
|
file_description=install_properties.get("filedescription"),
|
|
86
84
|
size=install_properties.get("size"),
|
|
@@ -1,8 +1,6 @@
|
|
|
1
1
|
import datetime
|
|
2
2
|
import re
|
|
3
3
|
|
|
4
|
-
from flow.record.fieldtypes import path
|
|
5
|
-
|
|
6
4
|
from dissect.target.exceptions import UnsupportedPluginError
|
|
7
5
|
from dissect.target.helpers.record import TargetRecordDescriptor
|
|
8
6
|
from dissect.target.plugin import Plugin, export
|
|
@@ -70,7 +68,7 @@ class PfroPlugin(Plugin):
|
|
|
70
68
|
|
|
71
69
|
yield PfroRecord(
|
|
72
70
|
ts=datetime.datetime.strptime(date, "%m/%d/%Y %H:%M:%S"),
|
|
73
|
-
path=path
|
|
71
|
+
path=self.target.fs.path(file_path),
|
|
74
72
|
operation=operation,
|
|
75
73
|
_target=self.target,
|
|
76
74
|
)
|
|
@@ -3,7 +3,6 @@ from io import BytesIO
|
|
|
3
3
|
from dissect import cstruct
|
|
4
4
|
from dissect.util import lzxpress_huffman
|
|
5
5
|
from dissect.util.ts import wintimestamp
|
|
6
|
-
from flow.record.fieldtypes import path
|
|
7
6
|
|
|
8
7
|
from dissect.target.exceptions import UnsupportedPluginError
|
|
9
8
|
from dissect.target.helpers.record import TargetRecordDescriptor
|
|
@@ -212,7 +211,7 @@ class Prefetch:
|
|
|
212
211
|
self.fn.filename_strings_offset + entry.filename_string_offset,
|
|
213
212
|
entry.filename_string_number_of_characters,
|
|
214
213
|
)
|
|
215
|
-
metrics.append(
|
|
214
|
+
metrics.append(filename.decode("utf-16-le"))
|
|
216
215
|
return metrics
|
|
217
216
|
|
|
218
217
|
def read_filename(self, off, size):
|
|
@@ -290,15 +289,15 @@ class PrefetchPlugin(Plugin):
|
|
|
290
289
|
self.target.log.warning("Failed to parse prefetch file: %s", entry, exc_info=e)
|
|
291
290
|
continue
|
|
292
291
|
|
|
293
|
-
filename = path
|
|
294
|
-
entry_name = path
|
|
292
|
+
filename = self.target.fs.path(scca.header.name.decode("utf-16-le", errors="ignore").split("\x00")[0])
|
|
293
|
+
entry_name = self.target.fs.path(entry.name)
|
|
295
294
|
|
|
296
295
|
if grouped:
|
|
297
296
|
yield GroupedPrefetchRecord(
|
|
298
297
|
ts=scca.latest_timestamp,
|
|
299
298
|
filename=filename,
|
|
300
299
|
prefetch=entry_name,
|
|
301
|
-
linkedfiles=list(map(path
|
|
300
|
+
linkedfiles=list(map(self.target.fs.path, scca.metrics)),
|
|
302
301
|
runcount=scca.fn.run_count,
|
|
303
302
|
previousruns=scca.previous_timestamps,
|
|
304
303
|
_target=self.target,
|
|
@@ -311,7 +310,7 @@ class PrefetchPlugin(Plugin):
|
|
|
311
310
|
ts=date,
|
|
312
311
|
filename=filename,
|
|
313
312
|
prefetch=entry_name,
|
|
314
|
-
linkedfile=path
|
|
313
|
+
linkedfile=self.target.fs.path(linked_file),
|
|
315
314
|
runcount=scca.fn.run_count,
|
|
316
315
|
_target=self.target,
|
|
317
316
|
)
|
|
@@ -2,7 +2,6 @@ from typing import Generator
|
|
|
2
2
|
|
|
3
3
|
from dissect import cstruct
|
|
4
4
|
from dissect.util.ts import wintimestamp
|
|
5
|
-
from flow.record.fieldtypes import path
|
|
6
5
|
|
|
7
6
|
from dissect.target import Target
|
|
8
7
|
from dissect.target.exceptions import UnsupportedPluginError
|
|
@@ -115,10 +114,10 @@ class RecyclebinPlugin(Plugin):
|
|
|
115
114
|
|
|
116
115
|
return RecycleBinRecord(
|
|
117
116
|
ts=wintimestamp(entry.timestamp),
|
|
118
|
-
path=path
|
|
119
|
-
source=path
|
|
117
|
+
path=self.target.fs.path(entry.filename.rstrip("\x00")),
|
|
118
|
+
source=self.target.fs.path(source_path),
|
|
120
119
|
filesize=entry.file_size,
|
|
121
|
-
deleted_path=path
|
|
120
|
+
deleted_path=self.target.fs.path(deleted_path),
|
|
122
121
|
_target=self.target,
|
|
123
122
|
_user=user,
|
|
124
123
|
)
|
|
@@ -1,5 +1,3 @@
|
|
|
1
|
-
from flow.record.fieldtypes import path
|
|
2
|
-
|
|
3
1
|
from dissect.target.exceptions import RegistryError, UnsupportedPluginError
|
|
4
2
|
from dissect.target.helpers.record import TargetRecordDescriptor
|
|
5
3
|
from dissect.target.plugin import Plugin, export
|
|
@@ -66,7 +64,7 @@ class SevenZipPlugin(Plugin):
|
|
|
66
64
|
|
|
67
65
|
yield record(
|
|
68
66
|
ts=subkey.ts,
|
|
69
|
-
path=path
|
|
67
|
+
path=self.target.fs.path(file_path),
|
|
70
68
|
_target=self.target,
|
|
71
69
|
)
|
|
72
70
|
except RegistryError:
|
|
@@ -90,7 +88,7 @@ class SevenZipPlugin(Plugin):
|
|
|
90
88
|
value = subkey.value("PanelPath0").value
|
|
91
89
|
yield PanelPathRecord(
|
|
92
90
|
ts=subkey.ts,
|
|
93
|
-
path=path
|
|
91
|
+
path=self.target.fs.path(value),
|
|
94
92
|
_target=self.target,
|
|
95
93
|
)
|
|
96
94
|
except RegistryError:
|
|
@@ -1,6 +1,5 @@
|
|
|
1
1
|
from dissect.cstruct import cstruct
|
|
2
2
|
from dissect.util.ts import wintimestamp
|
|
3
|
-
from flow.record.fieldtypes import path
|
|
4
3
|
|
|
5
4
|
from dissect.target.exceptions import UnsupportedPluginError
|
|
6
5
|
from dissect.target.helpers.record import TargetRecordDescriptor
|
|
@@ -57,6 +56,6 @@ class BamDamPlugin(Plugin):
|
|
|
57
56
|
data = c_bam.entry(entry.value)
|
|
58
57
|
yield BamDamRecord(
|
|
59
58
|
ts=wintimestamp(data.ts),
|
|
60
|
-
path=path
|
|
59
|
+
path=self.target.fs.path(entry.name),
|
|
61
60
|
_target=self.target,
|
|
62
61
|
)
|
|
@@ -11,7 +11,6 @@ from io import BytesIO
|
|
|
11
11
|
from dissect.cstruct import cstruct
|
|
12
12
|
from dissect.util.compression import lznt1
|
|
13
13
|
from dissect.util.ts import wintimestamp
|
|
14
|
-
from flow.record.fieldtypes import path
|
|
15
14
|
|
|
16
15
|
from dissect.target.exceptions import RegistryValueNotFoundError, UnsupportedPluginError
|
|
17
16
|
from dissect.target.helpers.descriptor_extensions import UserRecordDescriptorExtension
|
|
@@ -735,7 +734,7 @@ class CITPlugin(Plugin):
|
|
|
735
734
|
start_time=local_wintimestamp(self.target, cit.header.StartTimeLocal),
|
|
736
735
|
current_time=local_wintimestamp(self.target, cit.header.CurrentTimeLocal),
|
|
737
736
|
aggregation_period_in_s=cit.header.AggregationPeriodInS,
|
|
738
|
-
path=path
|
|
737
|
+
path=self.target.fs.path(entry.file_path),
|
|
739
738
|
command_line=entry.command_line,
|
|
740
739
|
pe_timedatestamp=program_data.PeTimeDateStamp,
|
|
741
740
|
pe_checksum=program_data.PeCheckSum,
|
|
@@ -895,7 +894,7 @@ class CITPlugin(Plugin):
|
|
|
895
894
|
yield CITTelemetryRecord(
|
|
896
895
|
regf_mtime=version_key.ts,
|
|
897
896
|
version=version_key.name,
|
|
898
|
-
path=path
|
|
897
|
+
path=self.target.fs.path(value.name),
|
|
899
898
|
value=str(c_cit.TELEMETRY_ANSWERS(value.value)).split(".")[1],
|
|
900
899
|
_target=self.target,
|
|
901
900
|
)
|
|
@@ -941,8 +940,8 @@ class CITPlugin(Plugin):
|
|
|
941
940
|
yield CITModuleRecord(
|
|
942
941
|
last_loaded=wintimestamp(value.value),
|
|
943
942
|
regf_mtime=monitored_dll.ts,
|
|
944
|
-
tracked_module=path
|
|
945
|
-
executable=path
|
|
943
|
+
tracked_module=self.target.fs.path(monitored_dll.name),
|
|
944
|
+
executable=self.target.fs.path(value.name),
|
|
946
945
|
# These are actually specific for the tracked module, but just include them in every record
|
|
947
946
|
overflow_quota=overflow_quota,
|
|
948
947
|
overflow_value=overflow_value,
|
|
@@ -1,7 +1,5 @@
|
|
|
1
1
|
from typing import Generator
|
|
2
2
|
|
|
3
|
-
from flow.record.fieldtypes import path
|
|
4
|
-
|
|
5
3
|
from dissect.target.exceptions import UnsupportedPluginError
|
|
6
4
|
from dissect.target.helpers.descriptor_extensions import (
|
|
7
5
|
RegistryRecordDescriptorExtension,
|
|
@@ -84,7 +82,7 @@ class MuiCachePlugin(Plugin):
|
|
|
84
82
|
index=index,
|
|
85
83
|
name=name,
|
|
86
84
|
value=entry.value,
|
|
87
|
-
path=path
|
|
85
|
+
path=self.target.fs.path(entry_path),
|
|
88
86
|
_target=self.target,
|
|
89
87
|
_key=key,
|
|
90
88
|
_user=user,
|
|
@@ -1,5 +1,4 @@
|
|
|
1
1
|
from dissect import cstruct
|
|
2
|
-
from flow.record.fieldtypes import path
|
|
3
2
|
|
|
4
3
|
from dissect.target.exceptions import UnsupportedPluginError
|
|
5
4
|
from dissect.target.helpers.record import TargetRecordDescriptor
|
|
@@ -59,7 +58,7 @@ class RecentFileCachePlugin(Plugin):
|
|
|
59
58
|
entry.path = entry.path.rstrip("\x00")
|
|
60
59
|
|
|
61
60
|
yield RecentFileCacheRecord(
|
|
62
|
-
path=path
|
|
61
|
+
path=self.target.fs.path(entry.path),
|
|
63
62
|
_target=self.target,
|
|
64
63
|
)
|
|
65
64
|
except EOFError:
|
|
@@ -6,7 +6,6 @@ from typing import Callable, Generator, Optional, Tuple, Union
|
|
|
6
6
|
|
|
7
7
|
from dissect.cstruct import Structure, cstruct
|
|
8
8
|
from dissect.util.ts import wintimestamp
|
|
9
|
-
from flow.record.fieldtypes import path
|
|
10
9
|
|
|
11
10
|
from dissect.target.exceptions import Error, RegistryError, UnsupportedPluginError
|
|
12
11
|
from dissect.target.helpers.record import TargetRecordDescriptor
|
|
@@ -358,6 +357,6 @@ class ShimcachePlugin(Plugin):
|
|
|
358
357
|
last_modified=ts,
|
|
359
358
|
name=name,
|
|
360
359
|
index=index,
|
|
361
|
-
path=path
|
|
360
|
+
path=self.target.fs.path(self.target.resolve(file_path)),
|
|
362
361
|
_target=self.target,
|
|
363
362
|
)
|
|
@@ -73,7 +73,7 @@ class TrustedDocumentsPlugin(Plugin):
|
|
|
73
73
|
ts=key.ts,
|
|
74
74
|
type=value.type,
|
|
75
75
|
application=application,
|
|
76
|
-
document_path=self.target.resolve(value.name),
|
|
76
|
+
document_path=self.target.fs.path(self.target.resolve(value.name)),
|
|
77
77
|
value=value.value,
|
|
78
78
|
_key=key,
|
|
79
79
|
_user=user,
|