dissect.target 3.14.dev29__py3-none-any.whl → 3.15__py3-none-any.whl

dissect/target/plugins/os/windows/log/schedlgu.py

@@ -0,0 +1,155 @@
+from __future__ import annotations
+
+import logging
+import re
+import warnings
+from dataclasses import dataclass
+from datetime import datetime
+from typing import Iterator, Optional
+
+from dissect.target import Target
+from dissect.target.exceptions import UnsupportedPluginError
+from dissect.target.helpers.record import TargetRecordDescriptor
+from dissect.target.plugin import Plugin, export
+
+warnings.simplefilter(action="ignore", category=FutureWarning)
+log = logging.getLogger(__name__)
+
+SchedLgURecord = TargetRecordDescriptor(
+    "windows/tasks/log/schedlgu",
+    [
+        ("datetime", "ts"),
+        ("string", "job"),
+        ("string", "command"),
+        ("string", "status"),
+        ("uint32", "exit_code"),
+        ("string", "version"),
+    ],
+)
+
+JOB_REGEX_PATTERN = re.compile(r"\"(.*?)\" \((.*?)\)")
+SCHEDLGU_REGEX_PATTERN = re.compile(r"\".+\n.+\n\s{4}.+\n|\".+\n.+", re.MULTILINE)
+
+
+@dataclass(order=True)
+class SchedLgU:
+    ts: datetime = None
+    job: str = None
+    status: str = None
+    command: str = None
+    exit_code: int = None
+    version: str = None
+
+    @staticmethod
+    def _sanitize_ts(ts: str) -> datetime:
+        # sometimes "at" exists before the timestamp
+        ts = ts.strip("at ")
+        try:
+            ts = datetime.strptime(ts, "%m/%d/%Y %I:%M:%S %p")
+        except ValueError:
+            ts = datetime.strptime(ts, "%d-%m-%Y %H:%M:%S")
+
+        return ts
+
+    @staticmethod
+    def _parse_job(line: str) -> tuple[str, Optional[str]]:
+        matches = JOB_REGEX_PATTERN.match(line)
+        if matches:
+            return matches.groups()
+
+        log.warning("SchedLgU failed to parse job and command from line: '%s'. Returning line.", line)
+        return line, None
+
+    @classmethod
+    def from_line(cls, line: str) -> SchedLgU:
+        """Parse a group of SchedLgU.txt lines."""
+        event = cls()
+        lines = line.splitlines()
+
+        # Events can have 2 or 3 lines as a group in total. An example of a complete task job event is:
+        # "Symantec NetDetect.job" (NDETECT.EXE)
+        #     Finished 14-9-2003 13:21:01
+        #     Result: The task completed with an exit code of (65).
+        if len(lines) == 3:
+            event.job, event.command = cls._parse_job(lines[0])
+            event.status, event.ts = lines[1].split(maxsplit=1)
+            event.exit_code = int(lines[2].split("(")[1].rstrip(")."))
+
+        # Events that have 2 lines as a group can be started task job event or the Task Scheduler Service. Examples:
+        #   "Symantec NetDetect.job" (NDETECT.EXE)
+        #        Started at 14-9-2003 13:26:00
+        elif len(lines) == 2 and ".job" in lines[0]:
+            event.job, event.command = cls._parse_job(lines[0])
+            event.status, event.ts = lines[1].split(maxsplit=1)
+
+        # Events without a task job event are the Task Scheduler Service events. Which can look like this:
+        # "Task Scheduler Service"
+        #      Exited at 14-9-2003 13:40:24
+        # OR
+        # "Task Scheduler Service"
+        # 6.0.6000.16386 (vista_rtm.061101-2205)
+        elif len(lines) == 2:
+            event.job = lines[0].strip('"')
+
+            if lines[1].startswith("\t") or lines[1].startswith(" "):
+                event.status, event.ts = lines[1].split(maxsplit=1)
+            else:
+                event.version = lines[1]
+
+        if event.ts:
+            event.ts = cls._sanitize_ts(event.ts)
+
+        return event
+
+
+class SchedLgUPlugin(Plugin):
+    """Plugin for parsing the Task Scheduler Service transaction log file (SchedLgU.txt)."""
+
+    PATHS = {
+        "sysvol/SchedLgU.txt",
+        "sysvol/windows/SchedLgU.txt",
+        "sysvol/windows/tasks/SchedLgU.txt",
+        "sysvol/winnt/tasks/SchedLgU.txt",
+    }
+
+    def __init__(self, target: Target) -> None:
+        self.target = target
+        self.paths = [self.target.fs.path(path) for path in self.PATHS if self.target.fs.path(path).exists()]
+
+    def check_compatible(self) -> None:
+        if len(self.paths) == 0:
+            raise UnsupportedPluginError("No SchedLgU.txt file found.")
+
+    @export(record=SchedLgURecord)
+    def schedlgu(self) -> Iterator[SchedLgURecord]:
+        """Return all events in the Task Scheduler Service transaction log file (SchedLgU.txt).
+
+        Older Windows systems may log ``.job`` tasks that get started remotely in the SchedLgU.txt file.
+        In addition, this log file records when the Task Scheduler service starts and stops.
+
+        Adversaries may use malicious ``.job`` files to gain persistence on a system.
+
+        Yield:
+            ts (datetime): The timestamp of the event.
+            job (str): The name of the ``.job`` file.
+            command (str): The command executed.
+            status (str): The status of the event (finished, completed, exited, stopped).
+            exit_code (int): The exit code of the event.
+            version (str): The version of the Task Scheduler service.
+        """
+
+        for path in self.paths:
+            content = path.read_text(encoding="UTF-16", errors="surrogateescape")
+
+            for match in re.findall(SCHEDLGU_REGEX_PATTERN, content):
+                event = SchedLgU.from_line(match)
+
+                yield SchedLgURecord(
+                    ts=event.ts,
+                    job=event.job,
+                    command=event.command,
+                    status=event.status,
+                    exit_code=event.exit_code,
+                    version=event.version,
+                    _target=self.target,
+                )

dissect/target/plugins/os/windows/regf/firewall.py

@@ -11,7 +11,7 @@ class FirewallPlugin(Plugin):
     """Plugin that parses firewall rules from the registry."""
 
     KEY = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules"
-    FIELD_MAP = {"app": "uri"}
+    FIELD_MAP = {"app": "path"}
     VALUE_MAP = {"active": lambda val: val == "TRUE"}
 
     def check_compatible(self) -> None:

dissect/target/plugins/os/windows/regf/shimcache.py

@@ -357,6 +357,6 @@ class ShimcachePlugin(Plugin):
                 last_modified=ts,
                 name=name,
                 index=index,
-                path=self.target.fs.path(self.target.resolve(file_path)),
+                path=self.target.resolve(file_path),
                 _target=self.target,
             )

dissect/target/plugins/os/windows/regf/trusteddocs.py

@@ -73,7 +73,7 @@ class TrustedDocumentsPlugin(Plugin):
                     ts=key.ts,
                     type=value.type,
                     application=application,
-                    document_path=self.target.fs.path(self.target.resolve(value.name)),
+                    document_path=self.target.resolve(value.name),
                     value=value.value,
                     _key=key,
                     _user=user,

dissect/target/plugins/os/windows/registry.py

@@ -329,7 +329,7 @@ class RegistryPlugin(Plugin):
     @internal
     def get_user_details(self, key: RegistryKey) -> UserDetails:
         """Return user details for the user who owns a registry hive that contains the provided key"""
-        if not key.hive or not key.hive.filepath:
+        if not key.hive or not getattr(key.hive, "filepath", None):
             return
 
         return self._hives_to_users.get(key.hive)

dissect/target/plugins/os/windows/sam.py

@@ -252,6 +252,9 @@ def rid_to_key(rid: int) -> tuple[bytes, bytes]:
 
 
 def decrypt_single_hash(rid: int, samkey: bytes, enc_hash: bytes, apwd: bytes) -> bytes:
+    if not enc_hash:
+        return b""
+
     sh = c_sam.SAM_HASH(enc_hash)
 
     if sh.revision not in [0x01, 0x02]:

dissect/target/plugins/os/windows/sru.py

@@ -1,3 +1,5 @@
+from typing import Iterator, Optional, Union
+
 from dissect.esedb.exceptions import Error
 from dissect.esedb.tools import sru
 
@@ -223,6 +225,22 @@ SdpNetworkProviderRecord = TargetRecordDescriptor(
     ],
 )
 
+SRURecord = Union[
+    NetworkDataRecord,
+    NetworkConnectivityRecord,
+    EnergyEstimatorRecord,
+    EnergyUsageRecord,
+    EnergyUsageLTRecord,
+    ApplicationRecord,
+    PushNotificationRecord,
+    ApplicationTimelineRecord,
+    VfuRecord,
+    SdpVolumeProviderRecord,
+    SdpPhysicalDiskProviderRecord,
+    SdpCpuProviderRecord,
+    SdpNetworkProviderRecord,
+]
+
 FIELD_MAPPINGS = {
     "ActiveAcTime": "active_ac_time",
     "ActiveDcTime": "active_dc_time",
@@ -322,7 +340,7 @@ FIELD_MAPPINGS = {
 }
 
 
-def transform_app_id(value):
+def transform_app_id(value: Optional[Union[bytes, str]]) -> Optional[str]:
     if value is not None:
         if isinstance(value, bytes):
             value = value.decode()
@@ -364,10 +382,11 @@ class SRUPlugin(Plugin):
         if not self._sru:
             raise UnsupportedPluginError("No SRUDB found")
 
-    def read_records(self, table_name, record_type):
+    def read_records(self, table_name: str, record_type: SRURecord) -> Iterator[SRURecord]:
         table = self._sru.get_table(table_name=table_name)
         if not table:
-            raise ValueError(f"Table not found: {table_name}")
+            self.target.log.warning("Table not found: %s", table_name)
+            return iter(())
 
         columns = [c.name for c in table.columns]
         if columns[:4] != ["AutoIncId", "TimeStamp", "AppId", "UserId"]:
@@ -392,90 +411,84 @@ class SRUPlugin(Plugin):
             )
 
     @export(record=NetworkDataRecord)
-    def network_data(self):
-        """
-        Return the contents of Windows Network Data Usage Monitor table from the SRUDB.dat file.
+    def network_data(self) -> Iterator[NetworkDataRecord]:
+        """Return the contents of Windows Network Data Usage Monitor table from the SRUDB.dat file.
 
         Gives insight into the network usage of the system.
         """
         yield from self.read_records("network_data", NetworkDataRecord)
 
     @export(record=NetworkConnectivityRecord)
-    def network_connectivity(self):
-        """
-        Return the contents of Windows Network Connectivity Usage Monitor table from the SRUDB.dat file.
+    def network_connectivity(self) -> Iterator[NetworkConnectivityRecord]:
+        """Return the contents of Windows Network Connectivity Usage Monitor table from the SRUDB.dat file.
 
         Gives insight into the network connectivity usage of the system.
         """
         yield from self.read_records("network_connectivity", NetworkConnectivityRecord)
 
     @export(record=EnergyEstimatorRecord)
-    def energy_estimator(self):
+    def energy_estimator(self) -> Iterator[EnergyEstimatorRecord]:
         """Return the contents of Energy Estimator table from the SRUDB.dat file."""
         yield from self.read_records("energy_estimator", EnergyEstimatorRecord)
 
     @export(record=EnergyUsageRecord)
-    def energy_usage(self):
-        """
-        Return the contents of Energy Usage Provider table from the SRUDB.dat file.
+    def energy_usage(self) -> Iterator[EnergyUsageRecord]:
+        """Return the contents of Energy Usage Provider table from the SRUDB.dat file.
 
         Gives insight into the energy usage of the system.
         """
         yield from self.read_records("energy_usage", EnergyUsageRecord)
 
     @export(record=EnergyUsageLTRecord)
-    def energy_usage_lt(self):
-        """
-        Return the contents of Energy Usage Provider Long Term table from the SRUDB.dat file.
+    def energy_usage_lt(self) -> Iterator[EnergyUsageLTRecord]:
+        """Return the contents of Energy Usage Provider Long Term table from the SRUDB.dat file.
 
         Gives insight into the energy usage of the system looking over the long term.
         """
         yield from self.read_records("energy_usage_lt", EnergyUsageLTRecord)
 
     @export(record=ApplicationRecord)
-    def application(self):
-        """
-        Return the contents of Application Resource Usage table from the SRUDB.dat file.
+    def application(self) -> Iterator[ApplicationRecord]:
+        """Return the contents of Application Resource Usage table from the SRUDB.dat file.
 
         Gives insights into the resource usage of applications on the system.
         """
         yield from self.read_records("application", ApplicationRecord)
 
     @export(record=PushNotificationRecord)
-    def push_notification(self):
-        """
-        Return the contents of Windows Push Notification Data table from the SRUDB.dat file.
+    def push_notification(self) -> Iterator[PushNotificationRecord]:
+        """Return the contents of Windows Push Notification Data table from the SRUDB.dat file.
 
         Gives insight into the notification usage of the system.
         """
         yield from self.read_records("push_notifications", PushNotificationRecord)
 
     @export(record=ApplicationTimelineRecord)
-    def application_timeline(self):
+    def application_timeline(self) -> Iterator[ApplicationTimelineRecord]:
         """Return the contents of App Timeline Provider table from the SRUDB.dat file."""
         yield from self.read_records("application_timeline", ApplicationTimelineRecord)
 
     @export(record=VfuRecord)
-    def vfu(self):
+    def vfu(self) -> Iterator[VfuRecord]:
         """Return the contents of vfuprov table from the SRUDB.dat file."""
         yield from self.read_records("vfu", VfuRecord)
 
     @export(record=SdpVolumeProviderRecord)
-    def sdp_volume_provider(self):
+    def sdp_volume_provider(self) -> Iterator[SdpVolumeProviderRecord]:
         """Return the contents of SDP Volume Provider table from the SRUDB.dat file."""
         yield from self.read_records("sdp_volume_provider", SdpVolumeProviderRecord)
 
     @export(record=SdpPhysicalDiskProviderRecord)
-    def sdp_physical_disk_provider(self):
+    def sdp_physical_disk_provider(self) -> Iterator[SdpPhysicalDiskProviderRecord]:
         """Return the contents of SDP Physical Disk Provider table from the SRUDB.dat file."""
         yield from self.read_records("sdp_physical_disk_provider", SdpPhysicalDiskProviderRecord)
 
     @export(record=SdpCpuProviderRecord)
-    def sdp_cpu_provider(self):
+    def sdp_cpu_provider(self) -> Iterator[SdpCpuProviderRecord]:
         """Return the contents of SDP CPU Provider table from the SRUDB.dat file."""
         yield from self.read_records("sdp_cpu_provider", SdpCpuProviderRecord)
 
     @export(record=SdpNetworkProviderRecord)
-    def sdp_network_provider(self):
+    def sdp_network_provider(self) -> Iterator[SdpNetworkProviderRecord]:
         """Return the contents of SDP Network Provider table from the SRUDB.dat file."""
         yield from self.read_records("sdp_network_provider", SdpNetworkProviderRecord)

dissect/target/plugins/os/windows/tasks.py

@@ -1,16 +1,20 @@
+from __future__ import annotations
+
+import logging
 import warnings
 from typing import Iterator, Union
 
 from flow.record import GroupedRecord
 
+from dissect.target import Target
 from dissect.target.exceptions import UnsupportedPluginError
 from dissect.target.helpers.record import DynamicDescriptor, TargetRecordDescriptor
 from dissect.target.plugin import Plugin, export
 from dissect.target.plugins.os.windows.task_helpers.tasks_job import AtTask
 from dissect.target.plugins.os.windows.task_helpers.tasks_xml import ScheduledTasks
-from dissect.target.target import Target
 
 warnings.simplefilter(action="ignore", category=FutureWarning)
+log = logging.getLogger(__name__)
 
 TaskRecord = TargetRecordDescriptor(
     "filesystem/windows/task",
@@ -42,7 +46,6 @@ TaskRecord = TargetRecordDescriptor(
         ("string", "run_level"),
         ("string", "process_token_sid_type"),
         ("string", "required_privileges"),
-        ("boolean", "allow_start_on_demand"),
         ("string", "restart_on_failure_interval"),
         ("string", "restart_on_failure_count"),
         ("string", "mutiple_instances_policy"),

dissect/target/target.py

@@ -79,7 +79,7 @@ class Target:
         self._functions: dict[str, FunctionTuple] = {}
         self._loader = None
         self._os = None
-        self._os_plugin: plugin.OSPlugin = None
+        self._os_plugin: type[plugin.OSPlugin] = None
         self._child_plugins: dict[str, plugin.ChildTargetPlugin] = {}
         self._cache = dict()
         self._errors = []
@@ -225,7 +225,10 @@ class Target:
 
         loader_cls = loader.find_loader(path, parsed_path=parsed_path)
         if loader_cls:
-            loader_instance = loader_cls(path, parsed_path=parsed_path)
+            try:
+                loader_instance = loader_cls(path, parsed_path=parsed_path)
+            except Exception as e:
+                raise TargetError(f"Failed to initiate {loader_cls.__name__} for target {path}: {e}", cause=e)
             return cls._load(path, loader_instance)
         return cls.open_raw(path)
 
@@ -281,7 +284,8 @@ class Target:
                     try:
                         ldr = loader_cls(sub_entry, parsed_path=parsed_path)
                     except Exception as e:
-                        getlogger(sub_entry).error("Failed to initiate loader", exc_info=e)
+                        getlogger(sub_entry).error("Failed to initiate loader: %s", e)
+                        getlogger(sub_entry).debug("", exc_info=e)
                         continue
 
                     try:

dissect/target/tools/dd.py

@@ -9,6 +9,7 @@ import sys
 from dissect.util.stream import RangeStream
 
 from dissect.target import Target
+from dissect.target.exceptions import TargetError
 from dissect.target.tools.utils import (
     catch_sigpipe,
     configure_generic_arguments,
@@ -39,7 +40,12 @@ def main():
 
     process_generic_arguments(args)
 
-    t = Target.open(args.target)
+    try:
+        t = Target.open(args.target)
+    except TargetError as e:
+        log.error(e)
+        log.debug("", exc_info=e)
+        parser.exit(1)
 
     if len(t.disks) > 1:
         parser.exit("Target has more than one disk")

dissect/target/tools/fs.py

@@ -10,6 +10,7 @@ import shutil
 import sys
 
 from dissect.target import Target
+from dissect.target.exceptions import TargetError
 from dissect.target.helpers.fsutil import TargetPath
 from dissect.target.tools.utils import (
     catch_sigpipe,
@@ -113,7 +114,13 @@ def main():
 
     process_generic_arguments(args)
 
-    target = Target.open(args.target)
+    try:
+        target = Target.open(args.target)
+    except TargetError as e:
+        log.error(e)
+        log.debug("", exc_info=e)
+        parser.exit(1)
+
     path = target.fs.path(args.path)
 
     if not path.exists():

dissect/target/tools/info.py

@@ -8,6 +8,7 @@ from pathlib import Path
 from typing import Union
 
 from dissect.target import Target
+from dissect.target.exceptions import TargetError
 from dissect.target.helpers.record import TargetRecordDescriptor
 from dissect.target.tools.query import record_output
 from dissect.target.tools.utils import (
@@ -72,22 +73,27 @@ def main():
             targets = targets[:-1]
         args.targets = targets
 
-    for i, target in enumerate(Target.open_all(args.targets)):
-        try:
-            if args.jsonlines:
-                print(json.dumps(get_target_info(target), default=str))
-            elif args.json:
-                print(json.dumps(get_target_info(target), indent=4, default=str))
-            elif args.record:
-                rs = record_output(args.strings)
-                rs.write(InfoRecord(**get_target_info(target), _target=target))
-            else:
-                if i > 0:
-                    print("-" * 70)
-                print_target_info(target)
-        except Exception as e:
-            target.log.error("Exception in retrieving information for target: `%s`. Use `-vv` for details.", target)
-            target.log.debug("", exc_info=e)
+    try:
+        for i, target in enumerate(Target.open_all(args.targets)):
+            try:
+                if args.jsonlines:
+                    print(json.dumps(get_target_info(target), default=str))
+                elif args.json:
+                    print(json.dumps(get_target_info(target), indent=4, default=str))
+                elif args.record:
+                    rs = record_output(args.strings)
+                    rs.write(InfoRecord(**get_target_info(target), _target=target))
+                else:
+                    if i > 0:
+                        print("-" * 70)
+                    print_target_info(target)
+            except Exception as e:
+                target.log.error("Exception in retrieving information for target: `%s`. Use `-vv` for details.", target)
+                target.log.debug("", exc_info=e)
+    except TargetError as e:
+        log.error(e)
+        log.debug("", exc_info=e)
+        parser.exit(1)
 
 
 def get_target_info(target: Target) -> dict[str, Union[str, list[str]]]:

dissect/target/tools/mount.py

@@ -2,7 +2,10 @@ import argparse
 import logging
 from typing import Union
 
+from dissect.util.feature import Feature, feature_enabled
+
 from dissect.target import Target, filesystem
+from dissect.target.exceptions import TargetError
 from dissect.target.helpers.utils import parse_options_string
 from dissect.target.tools.utils import (
     catch_sigpipe,
@@ -10,8 +13,23 @@ from dissect.target.tools.utils import (
     process_generic_arguments,
 )
 
+# Setting logging level to info for startup information.
+logging.basicConfig(level=logging.INFO)
+
 try:
-    from fuse import FUSE
+    if feature_enabled(Feature.BETA):
+        from fuse3 import FUSE3 as FUSE
+        from fuse3 import util
+
+        FUSE_VERSION = "3"
+        FUSE_LIB_PATH = util.libfuse._name
+    else:
+        from fuse import FUSE, _libfuse
+
+        FUSE_VERSION = "2"
+        FUSE_LIB_PATH = _libfuse._name
+
+    logging.info("Using fuse%s library: %s", FUSE_VERSION, FUSE_LIB_PATH)
 
     from dissect.target.helpers.mount import DissectMount
 
@@ -19,6 +37,7 @@ try:
 except Exception:
     HAS_FUSE = False
 
+
 log = logging.getLogger(__name__)
 logging.lastResort = None
 logging.raiseExceptions = False
@@ -44,7 +63,13 @@ def main():
     if not HAS_FUSE:
         parser.exit("fusepy is not installed: pip install fusepy")
 
-    t = Target.open(args.target)
+    try:
+        t = Target.open(args.target)
+    except TargetError as e:
+        log.error(e)
+        log.debug("", exc_info=e)
+        parser.exit(1)
+
     vfs = filesystem.VirtualFilesystem()
     vfs.mount("fs", t.fs)
 
@@ -85,7 +110,7 @@ def main():
 
 
 def _format_options(options: dict[str, Union[str, bool]]) -> str:
-    return ",".join([key if value is True else f"{key}={value}" for key, value in options.items()])
+    return ",".join(key if value is True else f"{key}={value}" for key, value in options.items())
 
 
 if __name__ == "__main__":