dissect.target 3.14.dev29__py3-none-any.whl → 3.15__py3-none-any.whl

dissect/target/helpers/hashutil.py

@@ -4,9 +4,9 @@ import hashlib
 import warnings
 from typing import TYPE_CHECKING, BinaryIO, Union
 
-from flow.record import GroupedRecord, Record, RecordDescriptor, fieldtypes
+from flow.record import Record
 
-from dissect.target.exceptions import FileNotFoundError, IsADirectoryError
+from dissect.target.exceptions import FileNotFoundError
 
 if TYPE_CHECKING:
     from hashlib._hashlib import HASH
@@ -15,10 +15,6 @@ if TYPE_CHECKING:
 
 BUFFER_SIZE = 32768
 
-RECORD_NAME = "filesystem/file/digest"
-NAME_SUFFIXES = ["_resolved", "_digest"]
-RECORD_TYPES = ["path", "digest"]
-
 
 def _hash(fh: BinaryIO, ctx: Union[HASH, list[HASH]]) -> tuple[str]:
     if not isinstance(ctx, list):
@@ -58,70 +54,34 @@ def custom(fh: BinaryIO, algos: list[Union[str, HASH]]) -> tuple[str]:
     return _hash(fh, ctx)
 
 
-def hash_uri_records(target: Target, record: Record) -> Record:
-    """Hash uri paths inside the record."""
+def hash_uri(target: Target, path: str) -> tuple[str, str]:
+    """Hash the target path."""
     warnings.warn(
         (
-            "The hash_uri_records() function is deprecated, and will be removed in dissect.target 3.15. "
-            "Use hash_path_records() instead"
+            "The hash_uri() function is deprecated, and will be removed in dissect.target 3.15. "
+            "Use target.fs.hash() instead"
         ),
         DeprecationWarning,
     )
-    return hash_path_records(target, record)
-
-
-def hash_path_records(target: Target, record: Record) -> Record:
-    """Hash files from path fields inside the record."""
-
-    hash_records = []
-
-    for field_name, field_type in record._field_types.items():
-        if not issubclass(field_type, fieldtypes.path):
-            continue
-
-        path = getattr(record, field_name, None)
-        if path is None:
-            continue
-
-        try:
-            resolved_path = target.resolve(str(path))
-            path_hash = target.fs.hash(resolved_path)
-        except (FileNotFoundError, IsADirectoryError):
-            pass
-        else:
-            resolved_path = target.fs.path(resolved_path)
-            record_kwargs = dict()
-            record_def = list()
-
-            fields = [resolved_path, path_hash]
-
-            for type, name, field in zip(RECORD_TYPES, NAME_SUFFIXES, fields):
-                hashed_field_name = f"{field_name}{name}"
-                record_kwargs.update({hashed_field_name: field})
-                record_def.append((type, hashed_field_name))
 
-            _record = RecordDescriptor(RECORD_NAME, record_def)
+    if path is None:
+        raise FileNotFoundError()
 
-            hash_records.append(_record(**record_kwargs))
+    path = str(target.resolve(path))
+    return (path, target.fs.hash(path))
 
-    if not hash_records:
-        return record
 
-    return GroupedRecord(record._desc.name, [record] + hash_records)
+def hash_uri_records(target: Target, record: Record) -> Record:
+    """Hash uri paths inside the record."""
 
+    from dissect.target.helpers.record_modifier import Modifier, get_modifier_function
 
-def hash_uri(target: Target, path: str) -> tuple[str, str]:
-    """Hash the target path."""
     warnings.warn(
         (
-            "The hash_uri() function is deprecated, and will be removed in dissect.target 3.15."
-            "Use target.fs.hash() instead"
+            "The hash_uri_records() function is deprecated, and will be removed in dissect.target 3.15. "
+            "Use hash_path_records() instead"
         ),
         DeprecationWarning,
     )
-
-    if path is None:
-        raise FileNotFoundError()
-
-    path = target.resolve(path)
-    return (path, target.fs.hash(path))
+    func = get_modifier_function(Modifier.HASH)
+    return func(target, record)

dissect/target/helpers/keychain.py

@@ -19,12 +19,15 @@ class Key(NamedTuple):
     value: Union[str, bytes]
     provider: str = None
     identifier: str = None
+    is_wildcard: bool = False
 
 
 KEYCHAIN: list[Key] = []
 
 
-def register_key(key_type: KeyType, value: str, identifier: str = None, provider: str = None) -> None:
+def register_key(
+    key_type: KeyType, value: str, identifier: str = None, provider: str = None, is_wildcard: bool = False
+) -> None:
     if key_type == KeyType.RAW:
         try:
             value = bytes.fromhex(value)
@@ -32,7 +35,10 @@ def register_key(key_type: KeyType, value: str, identifier: str = None, provider
             log.warning("Failed to decode raw key as hex, ignoring: %s", value)
             return
 
-    key = Key(key_type, value, provider, identifier)
+    if key_type in (KeyType.RECOVERY_KEY, KeyType.FILE):
+        value = value.strip("\"'")
+
+    key = Key(key_type, value, provider, identifier, is_wildcard)
     KEYCHAIN.append(key)
     log.info("Registered key %s", key)
 
@@ -58,7 +64,7 @@ def parse_key_type(key_type_name: str) -> KeyType:
 
 def register_wildcard_value(value: str) -> None:
     for key_type in KeyType:
-        register_key(key_type, value)
+        register_key(key_type, value, is_wildcard=True)
 
 
 def register_keychain_file(keychain_path: Path) -> None:

dissect/target/helpers/loaderutil.py

@@ -80,4 +80,4 @@ def extract_path_info(path: Union[str, Path]) -> tuple[Path, Optional[urllib.par
     if parsed_path.scheme == "" or re.match("^[A-Za-z]$", parsed_path.scheme):
         return Path(path), None
     else:
-        return Path(parsed_path.path), parsed_path
+        return Path(parsed_path.netloc + parsed_path.path), parsed_path

dissect/target/helpers/mount.py

@@ -1,12 +1,26 @@
 import errno
 import logging
+from ctypes import c_void_p
 from functools import lru_cache
-from typing import BinaryIO, Optional
+from typing import BinaryIO, Iterator, Optional
 
-from fuse import FuseOSError, Operations
+from dissect.util.feature import Feature, feature_enabled
 
 from dissect.target.filesystem import Filesystem, FilesystemEntry
 
+HAS_FUSE3 = False
+if feature_enabled(Feature.BETA):
+    from fuse3 import FuseOSError, Operations
+    from fuse3.c_fuse import fuse_config_p, fuse_conn_info_p
+
+    HAS_FUSE3 = True
+else:
+    from fuse import FuseOSError, Operations
+
+    fuse_config_p = c_void_p
+    fuse_conn_info_p = c_void_p
+
+
 log = logging.getLogger(__name__)
 
 CACHE_SIZE = 1024 * 1024
@@ -27,15 +41,32 @@ class DissectMount(Operations):
         except Exception:
             raise FuseOSError(errno.ENOENT)
 
+    def init(self, path: str, conn: Optional[fuse_conn_info_p] = None, cfg: Optional[fuse_config_p] = None) -> None:
+        if cfg:
+            # Enables the use of inodes in getattr
+            cfg.contents.use_ino = 1
+
     def getattr(self, path: str, fh: Optional[int] = None) -> dict:
         fe = self._get(path)
 
         try:
             st = fe.lstat()
+
             return dict(
                 (key, getattr(st, key))
-                for key in ("st_atime", "st_ctime", "st_gid", "st_mode", "st_mtime", "st_nlink", "st_size", "st_uid")
+                for key in (
+                    "st_atime",
+                    "st_ctime",
+                    "st_ino",
+                    "st_gid",
+                    "st_mode",
+                    "st_mtime",
+                    "st_nlink",
+                    "st_size",
+                    "st_uid",
+                )
             )
+
         except Exception:
             raise FuseOSError(errno.EIO)
 
@@ -75,7 +106,7 @@ class DissectMount(Operations):
             log.exception("Exception in fuse::read")
             raise FuseOSError(errno.EIO)
 
-    def readdir(self, path: str, fh: int):
+    def readdir(self, path: str, fh: int, flags: int = 0) -> Iterator[str]:
         if fh not in self.dir_handles:
             raise FuseOSError(errno.EBADFD)
 
@@ -100,7 +131,19 @@ class DissectMount(Operations):
             raise FuseOSError(errno.EIO)
 
     def release(self, path: str, fh: int) -> int:
+        if file := self.file_handles.get(fh):
+            file.close()
+
         del self.file_handles[fh]
+        return 0
 
     def releasedir(self, path: str, fh: int) -> int:
         del self.dir_handles[fh]
+        return 0
+
+    if HAS_FUSE3:
+        # Define the fuse3 bindings here
+
+        def lseek(self, path: str, off: int, whence: int, fh: int) -> int:
+            if file := self.file_handles.get(fh):
+                return file.seek(off, whence)

dissect/target/helpers/polypath.py

@@ -0,0 +1,73 @@
+"""Filesystem path manipulation functions.
+
+Similar to posixpath and ntpath, but with support for alternative separators.
+"""
+
+from __future__ import annotations
+
+import posixpath
+import re
+
+re_normalize_path = re.compile(r"[/]+")
+re_normalize_sbs_path = re.compile(r"[\\/]+")
+
+
+def normalize(path: str, alt_separator: str = "") -> str:
+    if alt_separator == "\\":
+        return re_normalize_sbs_path.sub("/", path)
+    else:
+        return re_normalize_path.sub("/", path)
+
+
+def isabs(path: str, alt_separator: str = "") -> bool:
+    return posixpath.isabs(normalize(path, alt_separator=alt_separator))
+
+
+def join(*args, alt_separator: str = "") -> str:
+    return posixpath.join(*[normalize(part, alt_separator=alt_separator) for part in args])
+
+
+def split(path: str, alt_separator: str = "") -> str:
+    return posixpath.split(normalize(path, alt_separator=alt_separator))
+
+
+splitext = posixpath.splitext
+
+
+splitdrive = posixpath.splitdrive
+
+
+def splitroot(path: str, alt_separator: str = "") -> tuple[str, str]:
+    return posixpath.splitroot(normalize(path, alt_separator=alt_separator))
+
+
+def basename(path: str, alt_separator: str = "") -> str:
+    return posixpath.basename(normalize(path, alt_separator=alt_separator))
+
+
+def dirname(path: str, alt_separator: str = "") -> str:
+    return posixpath.dirname(normalize(path, alt_separator=alt_separator))
+
+
+def normpath(path: str, alt_separator: str = "") -> str:
+    return posixpath.normpath(normalize(path, alt_separator=alt_separator))
+
+
+def abspath(path: str, cwd: str = "", alt_separator: str = "") -> str:
+    cwd = cwd or "/"
+    cwd = normalize(cwd, alt_separator=alt_separator)
+    path = normalize(path, alt_separator=alt_separator)
+    if not isabs(path):
+        path = join(cwd, path)
+    return posixpath.normpath(path)
+
+
+def relpath(path: str, start: str, alt_separator: str = "") -> str:
+    return posixpath.relpath(
+        normalize(path, alt_separator=alt_separator),
+        normalize(start, alt_separator=alt_separator),
+    )
+
+
+def commonpath(paths: list[str], alt_separator: str = "") -> str:
+    return posixpath.commonpath([normalize(path, alt_separator=alt_separator) for path in paths])

dissect/target/helpers/record_modifier.py

@@ -0,0 +1,100 @@
+from functools import partial
+from typing import Callable, Iterable, Iterator
+
+from flow.record import GroupedRecord, Record, RecordDescriptor, fieldtypes
+
+from dissect.target import Target
+from dissect.target.exceptions import FilesystemError
+from dissect.target.helpers.fsutil import TargetPath
+from dissect.target.helpers.hashutil import common
+from dissect.target.helpers.utils import StrEnum
+
+__all__ = ("get_modifier_function", "Modifier", "ModifierFunc")
+
+RECORD_NAME = "filesystem/file/digest"
+NAME_SUFFIXES = ["_resolved", "_digest"]
+RECORD_TYPES = ["path", "digest"]
+
+ModifierFunc = Callable[[Target, Record], GroupedRecord]
+
+
+class Modifier(StrEnum):
+    RESOLVE = "resolve"
+    HASH = "hash"
+
+
+def _create_modified_record(
+    record_name: str, field_name: str, field_info: Iterable[tuple[str, str, TargetPath]]
+) -> Record:
+    record_kwargs = dict()
+    record_def = list()
+    for type, name_suffix, data in field_info:
+        extended_field_name = f"{field_name}{name_suffix}"
+        record_kwargs.update({extended_field_name: data})
+        record_def.append((type, extended_field_name))
+
+    _record = RecordDescriptor(record_name, record_def)
+    return _record(**record_kwargs)
+
+
+def _resolve_path_records(field_name: str, resolved_path: TargetPath) -> Record:
+    """Resolve files from path fields inside the record."""
+    type_info = [("path", "_resolved", resolved_path)]
+    return _create_modified_record("filesystem/file/resolved", field_name, type_info)
+
+
+def _hash_path_records(field_name: str, resolved_path: TargetPath) -> Record:
+    """Hash files from path fields inside the record."""
+
+    with resolved_path.open() as fh:
+        path_hash = common(fh)
+
+    type_info = zip(RECORD_TYPES, NAME_SUFFIXES, [resolved_path, path_hash])
+
+    return _create_modified_record("filesystem/file/digest", field_name, type_info)
+
+
+MODIFIER_MAPPING = {
+    Modifier.RESOLVE: _resolve_path_records,
+    Modifier.HASH: _hash_path_records,
+}
+
+
+def _resolve_path_types(target: Target, record: Record) -> Iterator[tuple[str, TargetPath]]:
+    for field_name, field_type in record._field_types.items():
+        if not issubclass(field_type, fieldtypes.path):
+            continue
+
+        path = getattr(record, field_name, None)
+        if path is None:
+            continue
+
+        yield field_name, target.resolve(str(path))
+
+
+def modify_record(target: Target, record: Record, modifier_function: ModifierFunc) -> GroupedRecord:
+    additional_records = []
+
+    for field_name, resolved_path in _resolve_path_types(target, record):
+        try:
+            _record = modifier_function(field_name, resolved_path)
+        except FilesystemError:
+            pass
+        else:
+            additional_records.append(_record)
+
+    if not additional_records:
+        return record
+
+    return GroupedRecord(record._desc.name, [record] + additional_records)
+
+
+def _noop(_target: Target, record: Record):
+    return record
+
+
+def get_modifier_function(modifier_type: Modifier) -> ModifierFunc:
+    if func := MODIFIER_MAPPING.get(modifier_type):
+        return partial(modify_record, modifier_function=func)
+
+    return _noop

dissect/target/loader.py

@@ -154,7 +154,7 @@ def find_loader(
             log.debug("", exc_info=exception)
 
 
-def open(item: Union[str, Path], *args, **kwargs):
+def open(item: Union[str, Path], *args, **kwargs) -> Loader:
     """Opens a :class:`Loader` for a specific ``item``.
 
     This instantiates a :class:`Loader` for a specific ``item``.
@@ -202,4 +202,5 @@ register("phobos", "PhobosLoader")
 register("velociraptor", "VelociraptorLoader")
 register("smb", "SmbLoader")
 register("cb", "CbLoader")
+register("cyber", "CyberLoader")
 register("multiraw", "MultiRawLoader")  # Should be last

dissect/target/loaders/asdf.py

@@ -15,6 +15,8 @@ if TYPE_CHECKING:
 
 
 class AsdfLoader(Loader):
+    """Load an ASDF target."""
+
     METADATA_PREFIX = "$asdf$"
 
     def __init__(self, path: Path, **kwargs):

dissect/target/loaders/cyber.py

@@ -0,0 +1,37 @@
+from pathlib import Path
+
+from dissect.target import Target
+from dissect.target.helpers.cyber import cyber
+from dissect.target.loader import Loader
+from dissect.target.loader import open as loader_open
+from dissect.target.loaders.raw import RawLoader
+
+HEADER = r"""
+┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
+┃      _______     ______  ______ _____      ┃
+┃     / ____\ \   / /  _ \|  ____|  __ \     ┃
+┃    | |     \ \_/ /| |_) | |__  | |__) |    ┃
+┃    | |      \   / |  _ <|  __| |  _  /     ┃
+┃    | |____   | |  | |_) | |____| | \ \     ┃
+┃     \_____|  |_|  |____/|______|_|  \_\    ┃
+┃                                            ┃
+┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
+
+"""
+
+
+class CyberLoader(Loader):
+    def __init__(self, path: Path, **kwargs):
+        super().__init__(path, **kwargs)
+        self._real = loader_open(path) or RawLoader(path)
+
+    @staticmethod
+    def detect(path: Path) -> bool:
+        return False
+
+    def map(self, target: Target) -> None:
+        with cyber(mask_space=True):
+            print(HEADER)
+
+        target.props["cyber"] = True
+        return self._real.map(target)

dissect/target/loaders/log.py

@@ -1,3 +1,5 @@
+from __future__ import annotations
+
 import urllib
 from pathlib import Path
 from typing import Union
@@ -5,9 +7,19 @@ from typing import Union
 from dissect.target import Target
 from dissect.target.filesystem import VirtualFilesystem
 from dissect.target.loader import Loader
+from dissect.target.plugin import arg
 
 
+@arg("--log-hint", dest="hint", help="hint for file type")
 class LogLoader(Loader):
+    """Load separate log files without a target.
+
+    Usage:
+
+    ``target-query /evtx/* -L log -f evtx``
+
+    """
+
     LOGS_DIRS = {
         "evtx": "sysvol/windows/system32/winevt/logs",
         "evt": "sysvol/windows/system32/config",
@@ -25,13 +37,12 @@ class LogLoader(Loader):
         return False
 
     def map(self, target: Target) -> None:
-        self.target = target
         vfs = VirtualFilesystem(case_sensitive=False, alt_separator=target.fs.alt_separator)
+        target.filesystems.add(vfs)
+        target.fs.mount("/", vfs)
         for entry in self.path.parent.glob(self.path.name):
             ext = self.options.get("hint", entry.suffix.lower()).strip(".")
             if (mapping := self.LOGS_DIRS.get(ext, None)) is None:
                 continue
             mapping = str(vfs.path(mapping).joinpath(entry.name))
             vfs.map_file(mapping, str(entry))
-        target.filesystems.add(vfs)
-        target.fs = vfs

dissect/target/loaders/raw.py

@@ -6,6 +6,8 @@ from dissect.target.target import Target
 
 
 class RawLoader(Loader):
+    """Load raw container files such as disk images."""
+
     @staticmethod
     def detect(path: Path) -> bool:
         return not path.is_dir()

dissect/target/loaders/remote.py

@@ -15,6 +15,7 @@ from dissect.util.stream import AlignedStream
 from dissect.target.containers.raw import RawContainer
 from dissect.target.exceptions import LoaderError
 from dissect.target.loader import Loader
+from dissect.target.plugin import arg
 from dissect.target.target import Target
 
 log = logging.getLogger(__name__)
@@ -86,6 +87,7 @@ class RemoteStreamConnection:
             client_crt = options.get("crt")
             server_ca = options.get("ca")
             noverify = options.get("noverify")
+
             if client_key and client_crt:
                 self._context.load_cert_chain(certfile=client_crt, keyfile=client_key)
                 flag_cert_chain_loaded = True
@@ -203,7 +205,17 @@ class RemoteStreamConnection:
         return disks
 
 
+@arg("--remote-key", dest="key", help="private key")
+@arg("--remote-crt", dest="crt", help="client certificate")
+@arg("--remote-ca", dest="ca", help="certificate Authority")
+@arg("--remote-noverify", dest="noverify", help="no certificate verification")
+@arg("--remote-reconnects", dest="reconnects", help="max number of reconnects")
+@arg("--remote-shortreads", dest="shortreads", help="max limit shortreads")
+@arg("--remote-reconnectwait", dest="reconnectwait", help="max time before reconnection attempt")
+@arg("--remote-sockettimeout", dest="sockettimeout", help="socket timeout")
 class RemoteLoader(Loader):
+    """Load a remote target that runs a compatible Dissect agent."""
+
     def __init__(self, path: Union[Path, str], **kwargs):
         super().__init__(path)
         uri = kwargs.get("parsed_path")

dissect/target/loaders/tar.py

@@ -1,4 +1,5 @@
 import logging
+import re
 import tarfile
 from pathlib import Path
 from typing import Union
@@ -14,6 +15,9 @@ from dissect.target.loader import Loader
 log = logging.getLogger(__name__)
 
 
+ANON_FS_RE = re.compile(r"^fs[0-9]+$")
+
+
 class TarLoader(Loader):
     """Load tar files."""
 
@@ -63,6 +67,15 @@ class TarLoader(Loader):
                 if volume_name.lower() == "c:":
                     volume_name = "sysvol"
 
+                if volume_name == "$fs$":
+                    if len(parts) == 1:
+                        # The fs/$fs$ entry is ignored, only the directories below it are processed.
+                        continue
+                    fs_name = parts[1]
+                    if ANON_FS_RE.match(fs_name):
+                        parts.pop(0)
+                        volume_name = f"{volume_name}/{fs_name}"
+
                 if volume_name not in volumes:
                     vol = filesystem.VirtualFilesystem(case_sensitive=False)
                     vol.tar = self.tar

dissect/target/loaders/targetd.py

@@ -33,6 +33,8 @@ except Exception:
 
 
 class TargetdLoader(ProxyLoader):
+    """Load remote targets through a broker."""
+
     instance = None
 
     def __init__(self, path: Union[Path, str], **kwargs):

dissect/target/loaders/velociraptor.py

@@ -22,7 +22,8 @@ def find_fs_directories(path: Path) -> tuple[Optional[OperatingSystem], Optional
     # As of Velociraptor version 0.7.0 the structure of the Velociraptor Offline Collector varies by operating system.
     # Generic.Collectors.File (Unix) uses the accessors file and auto.
     # Generic.Collectors.File (Windows) and Windows.KapeFiles.Targets (Windows) uses the accessors
-    # mft, ntfs, lazy_ntfs, ntfs_vss and auto.
+    # mft, ntfs, lazy_ntfs, ntfs_vss and auto. The loader only supports a collection where a single accessor is used.
+    # For Windows usage of the ntfs_vss accessor can be forced by configuring VSSAnalysisAge to be greater than 0.
 
     fs_root = path.joinpath(FILESYSTEMS_ROOT)
 
@@ -36,14 +37,22 @@ def find_fs_directories(path: Path) -> tuple[Optional[OperatingSystem], Optional
 
     # Windows
     volumes = set()
+    vss_volumes = set()
     for accessor in WINDOWS_ACCESSORS:
         accessor_root = fs_root.joinpath(accessor)
         if accessor_root.exists():
             # If the accessor directory exists, assume all the subdirectories are volumes
-            volumes.update(accessor_root.iterdir())
+            for volume in accessor_root.iterdir():
+                # https://github.com/Velocidex/velociraptor/blob/87368e7cc678144592a1614bb3bbd0a0f900ded9/accessors/ntfs/vss.go#L82
+                if "HarddiskVolumeShadowCopy" in volume.name:
+                    vss_volumes.add(volume)
+                else:
+                    volumes.add(volume)
 
     if volumes:
-        return OperatingSystem.WINDOWS, list(volumes)
+        # The volumes that represent drives (C, D) are mounted first,
+        # otherwise one of the volume shadow copies could be detected as the root filesystem which results in errors.
+        return OperatingSystem.WINDOWS, list(volumes) + list(vss_volumes)
 
     return None, None
 

dissect/target/loaders/vmwarevm.py

@@ -4,6 +4,8 @@ from dissect.target.loaders.vmx import VmxLoader
 
 
 class VmwarevmLoader(VmxLoader):
+    """Load ``*.vmwarevm`` folders from VMware Fusion."""
+
     def __init__(self, path: Path, **kwargs):
         super().__init__(next(path.glob("*.vmx")))