dissect.target 3.14.dev20__py3-none-any.whl → 3.14.dev23__py3-none-any.whl
Sign up to get free protection for your applications and to get access to all the features.
- dissect/target/filesystem.py +1 -1
- dissect/target/filesystems/btrfs.py +2 -2
- dissect/target/helpers/cache.py +2 -2
- dissect/target/helpers/fsutil.py +9 -6
- dissect/target/helpers/hashutil.py +1 -5
- dissect/target/loaders/log.py +2 -2
- dissect/target/loaders/smb.py +23 -13
- dissect/target/plugins/apps/av/sophos.py +1 -2
- dissect/target/plugins/apps/av/trendmicro.py +2 -3
- dissect/target/plugins/apps/browser/chromium.py +4 -11
- dissect/target/plugins/apps/browser/firefox.py +2 -6
- dissect/target/plugins/child/hyperv.py +1 -2
- dissect/target/plugins/child/vmware_workstation.py +1 -3
- dissect/target/plugins/filesystem/acquire_handles.py +2 -0
- dissect/target/plugins/filesystem/acquire_hash.py +1 -7
- dissect/target/plugins/filesystem/ntfs/usnjrnl.py +1 -2
- dissect/target/plugins/filesystem/resolver.py +1 -1
- dissect/target/plugins/filesystem/unix/capability.py +77 -66
- dissect/target/plugins/filesystem/walkfs.py +23 -19
- dissect/target/plugins/filesystem/yara.py +20 -19
- dissect/target/plugins/os/unix/_os.py +1 -3
- dissect/target/plugins/os/unix/bsd/osx/user.py +1 -3
- dissect/target/plugins/os/unix/esxi/_os.py +1 -2
- dissect/target/plugins/os/unix/log/journal.py +7 -6
- dissect/target/plugins/os/windows/_os.py +2 -1
- dissect/target/plugins/os/windows/amcache.py +9 -10
- dissect/target/plugins/os/windows/catroot.py +2 -2
- dissect/target/plugins/os/windows/generic.py +10 -11
- dissect/target/plugins/os/windows/lnk.py +5 -6
- dissect/target/plugins/os/windows/log/amcache.py +3 -5
- dissect/target/plugins/os/windows/log/pfro.py +1 -3
- dissect/target/plugins/os/windows/prefetch.py +5 -6
- dissect/target/plugins/os/windows/recyclebin.py +3 -4
- dissect/target/plugins/os/windows/regf/7zip.py +2 -4
- dissect/target/plugins/os/windows/regf/bam.py +1 -2
- dissect/target/plugins/os/windows/regf/cit.py +4 -5
- dissect/target/plugins/os/windows/regf/muicache.py +1 -3
- dissect/target/plugins/os/windows/regf/recentfilecache.py +1 -2
- dissect/target/plugins/os/windows/regf/shimcache.py +1 -2
- dissect/target/plugins/os/windows/regf/trusteddocs.py +1 -1
- dissect/target/plugins/os/windows/regf/userassist.py +1 -2
- dissect/target/plugins/os/windows/services.py +2 -4
- dissect/target/plugins/os/windows/sru.py +4 -4
- dissect/target/plugins/os/windows/startupinfo.py +5 -6
- dissect/target/plugins/os/windows/syscache.py +1 -2
- dissect/target/target.py +2 -1
- {dissect.target-3.14.dev20.dist-info → dissect.target-3.14.dev23.dist-info}/METADATA +1 -1
- {dissect.target-3.14.dev20.dist-info → dissect.target-3.14.dev23.dist-info}/RECORD +53 -53
- {dissect.target-3.14.dev20.dist-info → dissect.target-3.14.dev23.dist-info}/COPYRIGHT +0 -0
- {dissect.target-3.14.dev20.dist-info → dissect.target-3.14.dev23.dist-info}/LICENSE +0 -0
- {dissect.target-3.14.dev20.dist-info → dissect.target-3.14.dev23.dist-info}/WHEEL +0 -0
- {dissect.target-3.14.dev20.dist-info → dissect.target-3.14.dev23.dist-info}/entry_points.txt +0 -0
- {dissect.target-3.14.dev20.dist-info → dissect.target-3.14.dev23.dist-info}/top_level.txt +0 -0
|
@@ -5,7 +5,7 @@ try:
|
|
|
5
5
|
except ImportError:
|
|
6
6
|
raise ImportError("Please install 'yara-python' to use 'target-query -f yara'.")
|
|
7
7
|
|
|
8
|
-
from dissect.target.exceptions import FileNotFoundError
|
|
8
|
+
from dissect.target.exceptions import FileNotFoundError
|
|
9
9
|
from dissect.target.helpers.record import TargetRecordDescriptor
|
|
10
10
|
from dissect.target.plugin import Plugin, arg, export
|
|
11
11
|
|
|
@@ -26,8 +26,7 @@ class YaraPlugin(Plugin):
|
|
|
26
26
|
DEFAULT_MAX_SIZE = 10 * 1024 * 1024
|
|
27
27
|
|
|
28
28
|
def check_compatible(self) -> None:
|
|
29
|
-
|
|
30
|
-
raise UnsupportedPluginError("No walkfs plugin found")
|
|
29
|
+
pass
|
|
31
30
|
|
|
32
31
|
@arg("--rule-files", "-r", type=Path, nargs="+", required=True, help="path to YARA rule file")
|
|
33
32
|
@arg("--scan-path", default="/", help="path to recursively scan")
|
|
@@ -43,20 +42,22 @@ class YaraPlugin(Plugin):
|
|
|
43
42
|
rule_data = "\n".join([rule_file.read_text() for rule_file in rule_files])
|
|
44
43
|
|
|
45
44
|
rules = yara.compile(source=rule_data)
|
|
46
|
-
for
|
|
47
|
-
|
|
48
|
-
|
|
45
|
+
for _, _, files in self.target.fs.walk_ext(scan_path):
|
|
46
|
+
for file_entry in files:
|
|
47
|
+
path = self.target.fs.path(file_entry.path)
|
|
48
|
+
try:
|
|
49
|
+
if path.stat().st_size > max_size:
|
|
50
|
+
continue
|
|
51
|
+
|
|
52
|
+
for match in rules.match(data=path.read_bytes()):
|
|
53
|
+
yield YaraMatchRecord(
|
|
54
|
+
path=path,
|
|
55
|
+
digest=path.get().hash(),
|
|
56
|
+
rule=match.rule,
|
|
57
|
+
tags=match.tags,
|
|
58
|
+
_target=self.target,
|
|
59
|
+
)
|
|
60
|
+
except FileNotFoundError:
|
|
49
61
|
continue
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
yield YaraMatchRecord(
|
|
53
|
-
path=entry,
|
|
54
|
-
digest=entry.get().hash(),
|
|
55
|
-
rule=match.rule,
|
|
56
|
-
tags=match.tags,
|
|
57
|
-
_target=self.target,
|
|
58
|
-
)
|
|
59
|
-
except FileNotFoundError:
|
|
60
|
-
continue
|
|
61
|
-
except Exception:
|
|
62
|
-
self.target.log.exception("Error scanning file: %s", entry)
|
|
62
|
+
except Exception:
|
|
63
|
+
self.target.log.exception("Error scanning file: %s", path)
|
|
@@ -6,8 +6,6 @@ import uuid
|
|
|
6
6
|
from struct import unpack
|
|
7
7
|
from typing import Iterator, Optional, Union
|
|
8
8
|
|
|
9
|
-
from flow.record.fieldtypes import posix_path
|
|
10
|
-
|
|
11
9
|
from dissect.target.filesystem import Filesystem
|
|
12
10
|
from dissect.target.helpers.fsutil import TargetPath
|
|
13
11
|
from dissect.target.helpers.record import UnixUserRecord
|
|
@@ -62,7 +60,7 @@ class UnixPlugin(OSPlugin):
|
|
|
62
60
|
uid=pwent.get(2),
|
|
63
61
|
gid=pwent.get(3),
|
|
64
62
|
gecos=pwent.get(4),
|
|
65
|
-
home=
|
|
63
|
+
home=self.target.fs.path(pwent.get(5)),
|
|
66
64
|
shell=pwent.get(6),
|
|
67
65
|
source=passwd_file,
|
|
68
66
|
_target=self.target,
|
|
@@ -1,8 +1,6 @@
|
|
|
1
1
|
import plistlib
|
|
2
2
|
from typing import Iterator
|
|
3
3
|
|
|
4
|
-
from flow.record.fieldtypes import posix_path
|
|
5
|
-
|
|
6
4
|
from dissect.target.exceptions import UnsupportedPluginError
|
|
7
5
|
from dissect.target.helpers.descriptor_extensions import UserRecordDescriptorExtension
|
|
8
6
|
from dissect.target.helpers.record import create_extended_descriptor
|
|
@@ -49,7 +47,7 @@ class UserPlugin(Plugin):
|
|
|
49
47
|
password_last_time=account_policy.get("passwordLastSetTime"),
|
|
50
48
|
failed_login_count=account_policy.get("failedLoginCount"),
|
|
51
49
|
failed_login_time=account_policy.get("failedLoginTimestamp"),
|
|
52
|
-
source=
|
|
50
|
+
source=self.target.fs.path(user_details.user.source),
|
|
53
51
|
_user=user_details.user,
|
|
54
52
|
_target=self.target,
|
|
55
53
|
)
|
|
@@ -12,7 +12,6 @@ from typing import Any, BinaryIO, Iterator, Optional, TextIO
|
|
|
12
12
|
from defusedxml import ElementTree
|
|
13
13
|
from dissect.hypervisor.util import vmtar
|
|
14
14
|
from dissect.sql import sqlite3
|
|
15
|
-
from flow.record.fieldtypes import path
|
|
16
15
|
|
|
17
16
|
try:
|
|
18
17
|
from dissect.hypervisor.util.envelope import Envelope, KeyStore
|
|
@@ -159,7 +158,7 @@ class ESXiPlugin(UnixPlugin):
|
|
|
159
158
|
root = ElementTree.fromstring(inv_file.read_text("utf-8"))
|
|
160
159
|
for entry in root.iter("ConfigEntry"):
|
|
161
160
|
yield VirtualMachineRecord(
|
|
162
|
-
path=path
|
|
161
|
+
path=self.target.fs.path(entry.findtext("vmxCfgPath")),
|
|
163
162
|
_target=self.target,
|
|
164
163
|
)
|
|
165
164
|
|
|
@@ -5,7 +5,6 @@ import zstandard
|
|
|
5
5
|
from dissect.cstruct import Instance, cstruct
|
|
6
6
|
from dissect.util import ts
|
|
7
7
|
from dissect.util.compression import lz4
|
|
8
|
-
from flow.record.fieldtypes import path
|
|
9
8
|
|
|
10
9
|
from dissect.target import Target
|
|
11
10
|
from dissect.target.exceptions import UnsupportedPluginError
|
|
@@ -394,6 +393,8 @@ class JournalPlugin(Plugin):
|
|
|
394
393
|
- https://github.com/systemd/systemd/blob/9203abf79f1d05fdef9b039e7addf9fc5a27752d/man/systemd.journal-fields.xml
|
|
395
394
|
""" # noqa: E501
|
|
396
395
|
|
|
396
|
+
path_function = self.target.fs.path
|
|
397
|
+
|
|
397
398
|
for _path in self.journal_paths:
|
|
398
399
|
fh = _path.open()
|
|
399
400
|
|
|
@@ -409,7 +410,7 @@ class JournalPlugin(Plugin):
|
|
|
409
410
|
message=entry.get("message"),
|
|
410
411
|
message_id=entry.get("message_id"),
|
|
411
412
|
priority=get_optional(entry.get("priority"), int),
|
|
412
|
-
code_file=get_optional(entry.get("code_file"),
|
|
413
|
+
code_file=get_optional(entry.get("code_file"), path_function),
|
|
413
414
|
code_line=get_optional(entry.get("code_line"), int),
|
|
414
415
|
code_func=entry.get("code_func"),
|
|
415
416
|
errno=get_optional(entry.get("errno"), int),
|
|
@@ -427,12 +428,12 @@ class JournalPlugin(Plugin):
|
|
|
427
428
|
uid=get_optional(entry.get("uid"), int),
|
|
428
429
|
gid=get_optional(entry.get("gid"), int),
|
|
429
430
|
comm=entry.get("comm"),
|
|
430
|
-
exe=get_optional(entry.get("exe"),
|
|
431
|
+
exe=get_optional(entry.get("exe"), path_function),
|
|
431
432
|
cmdline=entry.get("cmdline"),
|
|
432
433
|
cap_effective=entry.get("cap_effective"),
|
|
433
434
|
audit_session=get_optional(entry.get("audit_session"), int),
|
|
434
435
|
audit_loginuid=get_optional(entry.get("audit_loginuid"), int),
|
|
435
|
-
systemd_cgroup=get_optional(entry.get("systemd_cgroup"),
|
|
436
|
+
systemd_cgroup=get_optional(entry.get("systemd_cgroup"), path_function),
|
|
436
437
|
systemd_slice=entry.get("systemd_slice"),
|
|
437
438
|
systemd_unit=entry.get("systemd_unit"),
|
|
438
439
|
systemd_user_unit=entry.get("systemd_user_unit"),
|
|
@@ -451,8 +452,8 @@ class JournalPlugin(Plugin):
|
|
|
451
452
|
kernel_device=entry.get("kernel_device"),
|
|
452
453
|
kernel_subsystem=entry.get("kernel_subsystem"),
|
|
453
454
|
udev_sysname=entry.get("udev_sysname"),
|
|
454
|
-
udev_devnode=get_optional(entry.get("udev_devnode"),
|
|
455
|
-
udev_devlink=get_optional(entry.get("udev_devlink"),
|
|
455
|
+
udev_devnode=get_optional(entry.get("udev_devnode"), path_function),
|
|
456
|
+
udev_devlink=get_optional(entry.get("udev_devlink"), path_function),
|
|
456
457
|
journal_hostname=entry.get("hostname"),
|
|
457
458
|
filepath=_path,
|
|
458
459
|
_target=self.target,
|
|
@@ -77,7 +77,8 @@ class WindowsPlugin(OSPlugin):
|
|
|
77
77
|
self.target.fs.mount(drive, volume.fs)
|
|
78
78
|
break
|
|
79
79
|
except Exception as e:
|
|
80
|
-
self.target.log.warning("Failed to map drive letters"
|
|
80
|
+
self.target.log.warning("Failed to map drive letters")
|
|
81
|
+
self.target.log.debug("", exc_info=e)
|
|
81
82
|
|
|
82
83
|
@export(property=True)
|
|
83
84
|
def hostname(self) -> Optional[str]:
|
|
@@ -1,7 +1,6 @@
|
|
|
1
1
|
from datetime import datetime, timezone
|
|
2
2
|
|
|
3
3
|
from dissect.util.ts import wintimestamp
|
|
4
|
-
from flow.record.fieldtypes import path
|
|
5
4
|
|
|
6
5
|
from dissect.target.exceptions import RegistryKeyNotFoundError, UnsupportedPluginError
|
|
7
6
|
from dissect.target.helpers import regutil
|
|
@@ -220,7 +219,7 @@ class AmcachePluginOldMixin:
|
|
|
220
219
|
created_timestamp=parse_win_timestamp(subkey_data.get("created_timestamp")),
|
|
221
220
|
mtime_regf=subkey.timestamp,
|
|
222
221
|
reference=int(subkey.name, 16),
|
|
223
|
-
path=path
|
|
222
|
+
path=self.target.fs.path(subkey_data["full_path"]) if subkey_data.get("full_path") else None,
|
|
224
223
|
language_code=subkey_data.get("language_code"),
|
|
225
224
|
digests=[None, subkey_data["sha1"][-40:] if subkey_data.get("sha1") else None, None],
|
|
226
225
|
program_id=subkey_data.get("program_id"),
|
|
@@ -265,7 +264,7 @@ class AmcachePluginOldMixin:
|
|
|
265
264
|
language_code=entry_data.get("LanguageCode"),
|
|
266
265
|
entry_type=entry_data.get("EntryType"),
|
|
267
266
|
uninstall_key=entry_data.get("UninstallKey"),
|
|
268
|
-
path=path
|
|
267
|
+
path=self.target.fs.path(file_path_entry),
|
|
269
268
|
product_code=entry_data.get("ProductCode"),
|
|
270
269
|
package_code=entry_data.get("PackageCode"),
|
|
271
270
|
msi_package_code=entry_data.get("MsiPackageCode"),
|
|
@@ -284,7 +283,7 @@ class AmcachePluginOldMixin:
|
|
|
284
283
|
language_code=entry_data.get("LanguageCode"),
|
|
285
284
|
entry_type=entry_data.get("EntryType"),
|
|
286
285
|
uninstall_key=entry_data.get("UninstallKey"),
|
|
287
|
-
path=path
|
|
286
|
+
path=self.target.fs.path(file_entry),
|
|
288
287
|
product_code=entry_data.get("ProductCode"),
|
|
289
288
|
package_code=entry_data.get("PackageCode"),
|
|
290
289
|
msi_package_code=entry_data.get("MsiPackageCode"),
|
|
@@ -416,7 +415,7 @@ class AmcachePlugin(AmcachePluginOldMixin, Plugin):
|
|
|
416
415
|
program_instance_id=entry_data.get("ProgramInstanceId"),
|
|
417
416
|
publisher=entry_data.get("Publisher"),
|
|
418
417
|
registry_key_path=entry_data.get("RegistryKeyPath"),
|
|
419
|
-
root_dir_path=path
|
|
418
|
+
root_dir_path=self.target.fs.path(entry_data.get("RootDirPath")),
|
|
420
419
|
source=entry_data.get("Source"),
|
|
421
420
|
uninstall_string=entry_data.get("UninstallString"),
|
|
422
421
|
type=entry_data.get("Type"),
|
|
@@ -467,7 +466,7 @@ class AmcachePlugin(AmcachePluginOldMixin, Plugin):
|
|
|
467
466
|
mtime_regf=entry.timestamp,
|
|
468
467
|
program_id=entry_data.get("ProgramId"),
|
|
469
468
|
digests=[None, sha1_digest, None],
|
|
470
|
-
path=path
|
|
469
|
+
path=self.target.fs.path(entry_data.get("LowerCaseLongPath")),
|
|
471
470
|
link_date=parse_win_datetime(entry_data.get("LinkDate")),
|
|
472
471
|
hash_path=entry_data.get("LongPathHash"),
|
|
473
472
|
name=entry_data.get("Name"),
|
|
@@ -492,8 +491,8 @@ class AmcachePlugin(AmcachePluginOldMixin, Plugin):
|
|
|
492
491
|
|
|
493
492
|
yield BinaryAppcompatRecord(
|
|
494
493
|
mtime_regf=entry.timestamp,
|
|
495
|
-
driver_name=path
|
|
496
|
-
inf=path
|
|
494
|
+
driver_name=self.target.fs.path(entry_data.get("DriverName")),
|
|
495
|
+
inf=self.target.fs.path(entry_data.get("Inf")),
|
|
497
496
|
driver_version=entry_data.get("DriverVersion"),
|
|
498
497
|
product=entry_data.get("Product"),
|
|
499
498
|
product_version=entry_data.get("ProductVersion"),
|
|
@@ -515,7 +514,7 @@ class AmcachePlugin(AmcachePluginOldMixin, Plugin):
|
|
|
515
514
|
for entry in self.read_key_subkeys(key):
|
|
516
515
|
yield ShortcutAppcompatRecord(
|
|
517
516
|
mtime_regf=entry.timestamp,
|
|
518
|
-
path=path
|
|
517
|
+
path=self.target.fs.path(entry.value("ShortCutPath").value),
|
|
519
518
|
_target=self.target,
|
|
520
519
|
)
|
|
521
520
|
|
|
@@ -637,7 +636,7 @@ class AmcachePlugin(AmcachePluginOldMixin, Plugin):
|
|
|
637
636
|
parts = line.rstrip().split("|")
|
|
638
637
|
yield AppLaunchAppcompatRecord(
|
|
639
638
|
ts=datetime.strptime(parts[-1], "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc),
|
|
640
|
-
path=path
|
|
639
|
+
path=self.target.fs.path(parts[0]),
|
|
641
640
|
_target=self.target,
|
|
642
641
|
)
|
|
643
642
|
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
from asn1crypto import algos, core
|
|
2
|
-
from flow.record.fieldtypes import digest
|
|
2
|
+
from flow.record.fieldtypes import digest
|
|
3
3
|
|
|
4
4
|
from dissect.target.exceptions import UnsupportedPluginError
|
|
5
5
|
from dissect.target.helpers.record import TargetRecordDescriptor
|
|
@@ -118,7 +118,7 @@ class CatrootPlugin(Plugin):
|
|
|
118
118
|
|
|
119
119
|
yield CatrootRecord(
|
|
120
120
|
digest=fdigest,
|
|
121
|
-
hint=path
|
|
121
|
+
hint=self.target.fs.path(filehint) if filehint else None,
|
|
122
122
|
source=f,
|
|
123
123
|
_target=self.target,
|
|
124
124
|
)
|
|
@@ -2,7 +2,6 @@ from datetime import datetime
|
|
|
2
2
|
from typing import Optional
|
|
3
3
|
|
|
4
4
|
from dissect.util.ts import from_unix
|
|
5
|
-
from flow.record.fieldtypes import path
|
|
6
5
|
|
|
7
6
|
from dissect.target.exceptions import RegistryError, UnsupportedPluginError
|
|
8
7
|
from dissect.target.helpers.descriptor_extensions import (
|
|
@@ -250,7 +249,7 @@ class GenericPlugin(Plugin):
|
|
|
250
249
|
value = r.value(name)
|
|
251
250
|
yield AppInitRecord(
|
|
252
251
|
ts=r.ts,
|
|
253
|
-
path=path
|
|
252
|
+
path=self.target.fs.path(value.value),
|
|
254
253
|
_target=self.target,
|
|
255
254
|
_user=user,
|
|
256
255
|
_key=r,
|
|
@@ -279,7 +278,7 @@ class GenericPlugin(Plugin):
|
|
|
279
278
|
for value in r.values():
|
|
280
279
|
yield KnownDllRecord(
|
|
281
280
|
ts=r.ts,
|
|
282
|
-
path=path
|
|
281
|
+
path=self.target.fs.path(value.value),
|
|
283
282
|
_target=self.target,
|
|
284
283
|
_user=user,
|
|
285
284
|
_key=r,
|
|
@@ -325,7 +324,7 @@ class GenericPlugin(Plugin):
|
|
|
325
324
|
|
|
326
325
|
yield SessionManagerRecord(
|
|
327
326
|
ts=r.ts,
|
|
328
|
-
path=path
|
|
327
|
+
path=self.target.fs.path(d),
|
|
329
328
|
_target=self.target,
|
|
330
329
|
_user=user,
|
|
331
330
|
_key=r,
|
|
@@ -333,7 +332,7 @@ class GenericPlugin(Plugin):
|
|
|
333
332
|
else:
|
|
334
333
|
yield SessionManagerRecord(
|
|
335
334
|
ts=r.ts,
|
|
336
|
-
path=path
|
|
335
|
+
path=self.target.fs.path(data.split(" ")[0]),
|
|
337
336
|
_target=self.target,
|
|
338
337
|
_user=user,
|
|
339
338
|
_key=r,
|
|
@@ -427,7 +426,7 @@ class GenericPlugin(Plugin):
|
|
|
427
426
|
value = r.value(name)
|
|
428
427
|
yield CommandProcAutoRunRecord(
|
|
429
428
|
ts=r.ts,
|
|
430
|
-
path=path
|
|
429
|
+
path=self.target.fs.path(value.value),
|
|
431
430
|
_target=self.target,
|
|
432
431
|
_user=user,
|
|
433
432
|
_key=r,
|
|
@@ -453,7 +452,7 @@ class GenericPlugin(Plugin):
|
|
|
453
452
|
value = r.value("AlternateShell")
|
|
454
453
|
yield AlternateShellRecord(
|
|
455
454
|
ts=r.ts,
|
|
456
|
-
path=path
|
|
455
|
+
path=self.target.fs.path(value.value),
|
|
457
456
|
_target=self.target,
|
|
458
457
|
_user=user,
|
|
459
458
|
_key=r,
|
|
@@ -477,7 +476,7 @@ class GenericPlugin(Plugin):
|
|
|
477
476
|
|
|
478
477
|
yield BootShellRecord(
|
|
479
478
|
ts=r.ts,
|
|
480
|
-
path=path
|
|
479
|
+
path=self.target.fs.path(value.value),
|
|
481
480
|
_target=self.target,
|
|
482
481
|
_user=user,
|
|
483
482
|
_key=r,
|
|
@@ -500,7 +499,7 @@ class GenericPlugin(Plugin):
|
|
|
500
499
|
user = self.target.registry.get_user(r)
|
|
501
500
|
try:
|
|
502
501
|
value = r.value("PendingFileRenameOperations")
|
|
503
|
-
paths = map(path
|
|
502
|
+
paths = map(self.target.fs.path, value.value)
|
|
504
503
|
except RegistryError:
|
|
505
504
|
continue
|
|
506
505
|
|
|
@@ -528,7 +527,7 @@ class GenericPlugin(Plugin):
|
|
|
528
527
|
for v in r.values():
|
|
529
528
|
yield WinRarRecord(
|
|
530
529
|
ts=r.ts,
|
|
531
|
-
path=path
|
|
530
|
+
path=self.target.fs.path(v.value),
|
|
532
531
|
_target=self.target,
|
|
533
532
|
_user=user,
|
|
534
533
|
_key=r,
|
|
@@ -552,7 +551,7 @@ class GenericPlugin(Plugin):
|
|
|
552
551
|
for s in r.subkeys():
|
|
553
552
|
yield WinSockNamespaceProviderRecord(
|
|
554
553
|
ts=r.ts,
|
|
555
|
-
librarypath=path
|
|
554
|
+
librarypath=self.target.fs.path(s.value("LibraryPath").value),
|
|
556
555
|
displaystring=s.value("DisplayString").value,
|
|
557
556
|
providerid=s.value("ProviderID").value,
|
|
558
557
|
enabled=s.value("Enabled").value,
|
|
@@ -2,7 +2,6 @@ from typing import Iterator, Optional
|
|
|
2
2
|
|
|
3
3
|
from dissect.shellitem.lnk import Lnk
|
|
4
4
|
from dissect.util import ts
|
|
5
|
-
from flow.record.fieldtypes import path
|
|
6
5
|
|
|
7
6
|
from dissect.target.exceptions import UnsupportedPluginError
|
|
8
7
|
from dissect.target.helpers.fsutil import TargetPath
|
|
@@ -88,17 +87,17 @@ class LnkPlugin(Plugin):
|
|
|
88
87
|
lnk_ctime = ts.from_unix(entry.stat().st_ctime)
|
|
89
88
|
|
|
90
89
|
lnk_relativepath = (
|
|
91
|
-
path
|
|
90
|
+
self.target.fs.path(lnk_file.stringdata.relative_path.string)
|
|
92
91
|
if lnk_file.flag("has_relative_path")
|
|
93
92
|
else None
|
|
94
93
|
)
|
|
95
94
|
lnk_workdir = (
|
|
96
|
-
path
|
|
95
|
+
self.target.fs.path(lnk_file.stringdata.working_dir.string)
|
|
97
96
|
if lnk_file.flag("has_working_dir")
|
|
98
97
|
else None
|
|
99
98
|
)
|
|
100
99
|
lnk_iconlocation = (
|
|
101
|
-
path
|
|
100
|
+
self.target.fs.path(lnk_file.stringdata.icon_location.string)
|
|
102
101
|
if lnk_file.flag("has_icon_location")
|
|
103
102
|
else None
|
|
104
103
|
)
|
|
@@ -115,9 +114,9 @@ class LnkPlugin(Plugin):
|
|
|
115
114
|
)
|
|
116
115
|
|
|
117
116
|
if local_base_path and common_path_suffix:
|
|
118
|
-
lnk_full_path = path
|
|
117
|
+
lnk_full_path = self.target.fs.path(local_base_path + common_path_suffix)
|
|
119
118
|
elif local_base_path and not common_path_suffix:
|
|
120
|
-
lnk_full_path = path
|
|
119
|
+
lnk_full_path = self.target.fs.path(local_base_path)
|
|
121
120
|
else:
|
|
122
121
|
lnk_full_path = None
|
|
123
122
|
|
|
@@ -4,8 +4,6 @@ import re
|
|
|
4
4
|
from datetime import datetime
|
|
5
5
|
from typing import TYPE_CHECKING, Iterator, Union
|
|
6
6
|
|
|
7
|
-
from flow.record.fieldtypes import path
|
|
8
|
-
|
|
9
7
|
from dissect.target.exceptions import UnsupportedPluginError
|
|
10
8
|
from dissect.target.helpers.record import TargetRecordDescriptor
|
|
11
9
|
from dissect.target.plugin import Plugin, export
|
|
@@ -78,9 +76,9 @@ def create_record(
|
|
|
78
76
|
modified=_to_log_timestamp(install_properties.get("modified")),
|
|
79
77
|
access=_to_log_timestamp(install_properties.get("lastaccessed")),
|
|
80
78
|
link_date=_to_log_timestamp(install_properties.get("linkdate")),
|
|
81
|
-
path=path
|
|
82
|
-
filename=path
|
|
83
|
-
create=path
|
|
79
|
+
path=target.fs.path(install_properties.get("path")),
|
|
80
|
+
filename=target.fs.path(filename),
|
|
81
|
+
create=target.fs.path(create),
|
|
84
82
|
size_of_image=install_properties.get("sizeofimage"),
|
|
85
83
|
file_description=install_properties.get("filedescription"),
|
|
86
84
|
size=install_properties.get("size"),
|
|
@@ -1,8 +1,6 @@
|
|
|
1
1
|
import datetime
|
|
2
2
|
import re
|
|
3
3
|
|
|
4
|
-
from flow.record.fieldtypes import path
|
|
5
|
-
|
|
6
4
|
from dissect.target.exceptions import UnsupportedPluginError
|
|
7
5
|
from dissect.target.helpers.record import TargetRecordDescriptor
|
|
8
6
|
from dissect.target.plugin import Plugin, export
|
|
@@ -70,7 +68,7 @@ class PfroPlugin(Plugin):
|
|
|
70
68
|
|
|
71
69
|
yield PfroRecord(
|
|
72
70
|
ts=datetime.datetime.strptime(date, "%m/%d/%Y %H:%M:%S"),
|
|
73
|
-
path=path
|
|
71
|
+
path=self.target.fs.path(file_path),
|
|
74
72
|
operation=operation,
|
|
75
73
|
_target=self.target,
|
|
76
74
|
)
|
|
@@ -3,7 +3,6 @@ from io import BytesIO
|
|
|
3
3
|
from dissect import cstruct
|
|
4
4
|
from dissect.util import lzxpress_huffman
|
|
5
5
|
from dissect.util.ts import wintimestamp
|
|
6
|
-
from flow.record.fieldtypes import path
|
|
7
6
|
|
|
8
7
|
from dissect.target.exceptions import UnsupportedPluginError
|
|
9
8
|
from dissect.target.helpers.record import TargetRecordDescriptor
|
|
@@ -212,7 +211,7 @@ class Prefetch:
|
|
|
212
211
|
self.fn.filename_strings_offset + entry.filename_string_offset,
|
|
213
212
|
entry.filename_string_number_of_characters,
|
|
214
213
|
)
|
|
215
|
-
metrics.append(
|
|
214
|
+
metrics.append(filename.decode("utf-16-le"))
|
|
216
215
|
return metrics
|
|
217
216
|
|
|
218
217
|
def read_filename(self, off, size):
|
|
@@ -290,15 +289,15 @@ class PrefetchPlugin(Plugin):
|
|
|
290
289
|
self.target.log.warning("Failed to parse prefetch file: %s", entry, exc_info=e)
|
|
291
290
|
continue
|
|
292
291
|
|
|
293
|
-
filename = path
|
|
294
|
-
entry_name = path
|
|
292
|
+
filename = self.target.fs.path(scca.header.name.decode("utf-16-le", errors="ignore").split("\x00")[0])
|
|
293
|
+
entry_name = self.target.fs.path(entry.name)
|
|
295
294
|
|
|
296
295
|
if grouped:
|
|
297
296
|
yield GroupedPrefetchRecord(
|
|
298
297
|
ts=scca.latest_timestamp,
|
|
299
298
|
filename=filename,
|
|
300
299
|
prefetch=entry_name,
|
|
301
|
-
linkedfiles=list(map(path
|
|
300
|
+
linkedfiles=list(map(self.target.fs.path, scca.metrics)),
|
|
302
301
|
runcount=scca.fn.run_count,
|
|
303
302
|
previousruns=scca.previous_timestamps,
|
|
304
303
|
_target=self.target,
|
|
@@ -311,7 +310,7 @@ class PrefetchPlugin(Plugin):
|
|
|
311
310
|
ts=date,
|
|
312
311
|
filename=filename,
|
|
313
312
|
prefetch=entry_name,
|
|
314
|
-
linkedfile=path
|
|
313
|
+
linkedfile=self.target.fs.path(linked_file),
|
|
315
314
|
runcount=scca.fn.run_count,
|
|
316
315
|
_target=self.target,
|
|
317
316
|
)
|
|
@@ -2,7 +2,6 @@ from typing import Generator
|
|
|
2
2
|
|
|
3
3
|
from dissect import cstruct
|
|
4
4
|
from dissect.util.ts import wintimestamp
|
|
5
|
-
from flow.record.fieldtypes import path
|
|
6
5
|
|
|
7
6
|
from dissect.target import Target
|
|
8
7
|
from dissect.target.exceptions import UnsupportedPluginError
|
|
@@ -115,10 +114,10 @@ class RecyclebinPlugin(Plugin):
|
|
|
115
114
|
|
|
116
115
|
return RecycleBinRecord(
|
|
117
116
|
ts=wintimestamp(entry.timestamp),
|
|
118
|
-
path=path
|
|
119
|
-
source=path
|
|
117
|
+
path=self.target.fs.path(entry.filename.rstrip("\x00")),
|
|
118
|
+
source=self.target.fs.path(source_path),
|
|
120
119
|
filesize=entry.file_size,
|
|
121
|
-
deleted_path=path
|
|
120
|
+
deleted_path=self.target.fs.path(deleted_path),
|
|
122
121
|
_target=self.target,
|
|
123
122
|
_user=user,
|
|
124
123
|
)
|
|
@@ -1,5 +1,3 @@
|
|
|
1
|
-
from flow.record.fieldtypes import path
|
|
2
|
-
|
|
3
1
|
from dissect.target.exceptions import RegistryError, UnsupportedPluginError
|
|
4
2
|
from dissect.target.helpers.record import TargetRecordDescriptor
|
|
5
3
|
from dissect.target.plugin import Plugin, export
|
|
@@ -66,7 +64,7 @@ class SevenZipPlugin(Plugin):
|
|
|
66
64
|
|
|
67
65
|
yield record(
|
|
68
66
|
ts=subkey.ts,
|
|
69
|
-
path=path
|
|
67
|
+
path=self.target.fs.path(file_path),
|
|
70
68
|
_target=self.target,
|
|
71
69
|
)
|
|
72
70
|
except RegistryError:
|
|
@@ -90,7 +88,7 @@ class SevenZipPlugin(Plugin):
|
|
|
90
88
|
value = subkey.value("PanelPath0").value
|
|
91
89
|
yield PanelPathRecord(
|
|
92
90
|
ts=subkey.ts,
|
|
93
|
-
path=path
|
|
91
|
+
path=self.target.fs.path(value),
|
|
94
92
|
_target=self.target,
|
|
95
93
|
)
|
|
96
94
|
except RegistryError:
|
|
@@ -1,6 +1,5 @@
|
|
|
1
1
|
from dissect.cstruct import cstruct
|
|
2
2
|
from dissect.util.ts import wintimestamp
|
|
3
|
-
from flow.record.fieldtypes import path
|
|
4
3
|
|
|
5
4
|
from dissect.target.exceptions import UnsupportedPluginError
|
|
6
5
|
from dissect.target.helpers.record import TargetRecordDescriptor
|
|
@@ -57,6 +56,6 @@ class BamDamPlugin(Plugin):
|
|
|
57
56
|
data = c_bam.entry(entry.value)
|
|
58
57
|
yield BamDamRecord(
|
|
59
58
|
ts=wintimestamp(data.ts),
|
|
60
|
-
path=path
|
|
59
|
+
path=self.target.fs.path(entry.name),
|
|
61
60
|
_target=self.target,
|
|
62
61
|
)
|
|
@@ -11,7 +11,6 @@ from io import BytesIO
|
|
|
11
11
|
from dissect.cstruct import cstruct
|
|
12
12
|
from dissect.util.compression import lznt1
|
|
13
13
|
from dissect.util.ts import wintimestamp
|
|
14
|
-
from flow.record.fieldtypes import path
|
|
15
14
|
|
|
16
15
|
from dissect.target.exceptions import RegistryValueNotFoundError, UnsupportedPluginError
|
|
17
16
|
from dissect.target.helpers.descriptor_extensions import UserRecordDescriptorExtension
|
|
@@ -735,7 +734,7 @@ class CITPlugin(Plugin):
|
|
|
735
734
|
start_time=local_wintimestamp(self.target, cit.header.StartTimeLocal),
|
|
736
735
|
current_time=local_wintimestamp(self.target, cit.header.CurrentTimeLocal),
|
|
737
736
|
aggregation_period_in_s=cit.header.AggregationPeriodInS,
|
|
738
|
-
path=path
|
|
737
|
+
path=self.target.fs.path(entry.file_path),
|
|
739
738
|
command_line=entry.command_line,
|
|
740
739
|
pe_timedatestamp=program_data.PeTimeDateStamp,
|
|
741
740
|
pe_checksum=program_data.PeCheckSum,
|
|
@@ -895,7 +894,7 @@ class CITPlugin(Plugin):
|
|
|
895
894
|
yield CITTelemetryRecord(
|
|
896
895
|
regf_mtime=version_key.ts,
|
|
897
896
|
version=version_key.name,
|
|
898
|
-
path=path
|
|
897
|
+
path=self.target.fs.path(value.name),
|
|
899
898
|
value=str(c_cit.TELEMETRY_ANSWERS(value.value)).split(".")[1],
|
|
900
899
|
_target=self.target,
|
|
901
900
|
)
|
|
@@ -941,8 +940,8 @@ class CITPlugin(Plugin):
|
|
|
941
940
|
yield CITModuleRecord(
|
|
942
941
|
last_loaded=wintimestamp(value.value),
|
|
943
942
|
regf_mtime=monitored_dll.ts,
|
|
944
|
-
tracked_module=path
|
|
945
|
-
executable=path
|
|
943
|
+
tracked_module=self.target.fs.path(monitored_dll.name),
|
|
944
|
+
executable=self.target.fs.path(value.name),
|
|
946
945
|
# These are actually specific for the tracked module, but just include them in every record
|
|
947
946
|
overflow_quota=overflow_quota,
|
|
948
947
|
overflow_value=overflow_value,
|
|
@@ -1,7 +1,5 @@
|
|
|
1
1
|
from typing import Generator
|
|
2
2
|
|
|
3
|
-
from flow.record.fieldtypes import path
|
|
4
|
-
|
|
5
3
|
from dissect.target.exceptions import UnsupportedPluginError
|
|
6
4
|
from dissect.target.helpers.descriptor_extensions import (
|
|
7
5
|
RegistryRecordDescriptorExtension,
|
|
@@ -84,7 +82,7 @@ class MuiCachePlugin(Plugin):
|
|
|
84
82
|
index=index,
|
|
85
83
|
name=name,
|
|
86
84
|
value=entry.value,
|
|
87
|
-
path=path
|
|
85
|
+
path=self.target.fs.path(entry_path),
|
|
88
86
|
_target=self.target,
|
|
89
87
|
_key=key,
|
|
90
88
|
_user=user,
|
|
@@ -1,5 +1,4 @@
|
|
|
1
1
|
from dissect import cstruct
|
|
2
|
-
from flow.record.fieldtypes import path
|
|
3
2
|
|
|
4
3
|
from dissect.target.exceptions import UnsupportedPluginError
|
|
5
4
|
from dissect.target.helpers.record import TargetRecordDescriptor
|
|
@@ -59,7 +58,7 @@ class RecentFileCachePlugin(Plugin):
|
|
|
59
58
|
entry.path = entry.path.rstrip("\x00")
|
|
60
59
|
|
|
61
60
|
yield RecentFileCacheRecord(
|
|
62
|
-
path=path
|
|
61
|
+
path=self.target.fs.path(entry.path),
|
|
63
62
|
_target=self.target,
|
|
64
63
|
)
|
|
65
64
|
except EOFError:
|
|
@@ -6,7 +6,6 @@ from typing import Callable, Generator, Optional, Tuple, Union
|
|
|
6
6
|
|
|
7
7
|
from dissect.cstruct import Structure, cstruct
|
|
8
8
|
from dissect.util.ts import wintimestamp
|
|
9
|
-
from flow.record.fieldtypes import path
|
|
10
9
|
|
|
11
10
|
from dissect.target.exceptions import Error, RegistryError, UnsupportedPluginError
|
|
12
11
|
from dissect.target.helpers.record import TargetRecordDescriptor
|
|
@@ -358,6 +357,6 @@ class ShimcachePlugin(Plugin):
|
|
|
358
357
|
last_modified=ts,
|
|
359
358
|
name=name,
|
|
360
359
|
index=index,
|
|
361
|
-
path=path
|
|
360
|
+
path=self.target.fs.path(self.target.resolve(file_path)),
|
|
362
361
|
_target=self.target,
|
|
363
362
|
)
|
|
@@ -73,7 +73,7 @@ class TrustedDocumentsPlugin(Plugin):
|
|
|
73
73
|
ts=key.ts,
|
|
74
74
|
type=value.type,
|
|
75
75
|
application=application,
|
|
76
|
-
document_path=self.target.resolve(value.name),
|
|
76
|
+
document_path=self.target.fs.path(self.target.resolve(value.name)),
|
|
77
77
|
value=value.value,
|
|
78
78
|
_key=key,
|
|
79
79
|
_user=user,
|