dissect.target 3.16.dev29__py3-none-any.whl → 3.16.dev31__py3-none-any.whl

dissect/target/plugins/apps/webserver/iis.py

@@ -60,6 +60,8 @@ class IISLogsPlugin(WebserverPlugin):
         super().__init__(target)
         self.config = self.target.fs.path(self.APPLICATION_HOST_CONFIG)
 
+        self._create_extended_descriptor = lru_cache(4096)(self._create_extended_descriptor)
+
     def check_compatible(self) -> None:
         if not self.config.exists() and not self.target.fs.path("sysvol/files").exists():
             raise UnsupportedPluginError("No ApplicationHost config file found")
@@ -157,7 +159,6 @@ class IISLogsPlugin(WebserverPlugin):
             row = replace_dash_with_none(row)
             yield BasicRecordDescriptor(**row)
 
-    @lru_cache(maxsize=4096)
     def _create_extended_descriptor(self, extra_fields: tuple[tuple[str, str]]) -> TargetRecordDescriptor:
         return TargetRecordDescriptor(LOG_RECORD_NAME, BASIC_RECORD_FIELDS + list(extra_fields))
 

dissect/target/plugins/os/unix/esxi/_os.py

@@ -4,6 +4,7 @@ import gzip
 import json
 import lzma
 import struct
+import subprocess
 from configparser import ConfigParser
 from configparser import Error as ConfigParserError
 from io import BytesIO
@@ -13,6 +14,8 @@ from defusedxml import ElementTree
 from dissect.hypervisor.util import vmtar
 from dissect.sql import sqlite3
 
+from dissect.target.helpers.fsutil import TargetPath
+
 try:
     from dissect.hypervisor.util.envelope import Envelope, KeyStore
 
@@ -217,23 +220,72 @@ def _mount_local(target: Target, local_layer: VirtualFilesystem):
         local_fs = tar.TarFilesystem(local_tgz.open())
     else:
         local_tgz_ve = target.fs.path("local.tgz.ve")
-        encryption_info = target.fs.path("encryption.info")
+        # In the case "encryption.info" does not exist, but ".#encryption.info" does
+        encryption_info = next(target.fs.path("/").glob("*encryption.info"), None)
         if not local_tgz_ve.exists() or not encryption_info.exists():
             raise ValueError("Unable to find valid configuration archive")
 
-        if HAS_ENVELOPE:
-            target.log.info("local.tgz is encrypted, attempting to decrypt")
-            envelope = Envelope(local_tgz_ve.open())
-            keystore = KeyStore.from_text(encryption_info.read_text("utf-8"))
-            local_tgz = BytesIO(envelope.decrypt(keystore.key, aad=b"ESXConfiguration"))
-            local_fs = tar.TarFilesystem(local_tgz)
-        else:
-            target.log.warning("local.tgz is encrypted but no crypto module available!")
+        local_fs = _create_local_fs(target, local_tgz_ve, encryption_info)
 
     if local_fs:
         local_layer.mount("/", local_fs)
 
 
+def _decrypt_envelope(local_tgz_ve: TargetPath, encryption_info: TargetPath) -> BinaryIO:
+    """Decrypt ``local.tgz.ve`` ourselves with hard-coded keys."""
+    envelope = Envelope(local_tgz_ve.open())
+    keystore = KeyStore.from_text(encryption_info.read_text("utf-8"))
+    local_tgz = BytesIO(envelope.decrypt(keystore.key, aad=b"ESXConfiguration"))
+    return local_tgz
+
+
+def _decrypt_crypto_util(local_tgz_ve: TargetPath) -> Optional[BytesIO]:
+    """Decrypt ``local.tgz.ve`` using ESXi ``crypto-util``.
+
+    We write to stdout, but this results in ``crypto-util`` exiting with a non-zero return code
+    and stderr containing an I/O error message. The file does get properly decrypted, so we return
+    ``None`` if there are no bytes in stdout which would indicate it actually failed.
+    """
+
+    result = subprocess.run(
+        ["crypto-util", "envelope", "extract", "--aad", "ESXConfiguration", f"/{local_tgz_ve.as_posix()}", "-"],
+        capture_output=True,
+    )
+
+    if len(result.stdout) == 0:
+        return None
+
+    return BytesIO(result.stdout)
+
+
+def _create_local_fs(
+    target: Target, local_tgz_ve: TargetPath, encryption_info: TargetPath
+) -> Optional[tar.TarFilesystem]:
+    local_tgz = None
+
+    if HAS_ENVELOPE:
+        try:
+            local_tgz = _decrypt_envelope(local_tgz_ve, encryption_info)
+        except NotImplementedError:
+            target.log.debug("Failed to decrypt %s, likely TPM encrypted", local_tgz_ve)
+    else:
+        target.log.debug("Skipping static decryption because of missing crypto module")
+
+    if not local_tgz and target.name == "local":
+        target.log.info(
+            "local.tgz is encrypted but static decryption failed, attempting dynamic decryption using crypto-util"
+        )
+        local_tgz = _decrypt_crypto_util(local_tgz_ve)
+
+        if local_tgz is None:
+            target.log.warning("Dynamic decryption of %s failed.", local_tgz_ve)
+    else:
+        target.log.warning("local.tgz is encrypted but static decryption failed and no dynamic decryption available!")
+
+    if local_tgz:
+        return tar.TarFilesystem(local_tgz)
+
+
 def _mount_filesystems(target: Target, sysvol: Filesystem, cfg: dict[str, str]):
     version = cfg["build"]
 

dissect/target/plugins/os/windows/log/etl.py

@@ -13,6 +13,9 @@ from dissect.target.plugins.os.windows.datetime import parse_tzi
 class EtlRecordBuilder:
     RECORD_NAME = "filesystem/windows/etl"
 
+    def __init__(self):
+        self._create_event_descriptor = lru_cache(4096)(self._create_event_descriptor)
+
     def _build_record(self, etl_event: Event, etl_path: Path, target: Target):
         """Builds an ETL event record"""
 
@@ -51,7 +54,6 @@ class EtlRecordBuilder:
         desc = self._create_event_descriptor(tuple(record_fields))
         return desc(**record_values)
 
-    @lru_cache(maxsize=4096)
     def _create_event_descriptor(self, record_fields):
         return TargetRecordDescriptor(self.RECORD_NAME, record_fields)
 

dissect/target/plugins/os/windows/log/evtx.py

@@ -29,6 +29,7 @@ class EvtxPlugin(WindowsEventlogsMixin, plugin.Plugin):
 
     def __init__(self, target):
         super().__init__(target)
+        self._create_event_descriptor = lru_cache(4096)(self._create_event_descriptor)
 
     @plugin.arg("--logs-dir", help="logs directory to scan")
     @plugin.arg("--log-file-glob", default=EVTX_GLOB, help="glob pattern to match a log file name")
@@ -145,7 +146,6 @@ class EvtxPlugin(WindowsEventlogsMixin, plugin.Plugin):
         desc = self._create_event_descriptor(tuple(record_fields))
         return desc(**record_values)
 
-    @lru_cache(maxsize=4096)
     def _create_event_descriptor(self, record_fields) -> TargetRecordDescriptor:
         return TargetRecordDescriptor(self.RECORD_NAME, record_fields)
 

dissect/target/plugins/os/windows/registry.py

@@ -72,6 +72,7 @@ class RegistryPlugin(Plugin):
 
     def __init__(self, target: Target) -> None:
         super().__init__(target)
+
         self._root = VirtualHive()
         self._hive_collections = defaultdict(HiveCollection)
         self._hive_paths = []
@@ -83,6 +84,8 @@ class RegistryPlugin(Plugin):
         self._users_loaded = False
         self._init_registry()
 
+        self.key = lru_cache(4096)(self.key)
+
     def _init_registry(self) -> None:
         dirs = [
             ("sysvol/windows/system32/config", False),
@@ -217,7 +220,6 @@ class RegistryPlugin(Plugin):
         return self.key()
 
     @internal
-    @lru_cache(4096)
     def key(self, key: Optional[str] = None) -> KeyCollection:
         """Query the virtual registry on the given key.
 

{dissect.target-3.16.dev29.dist-info → dissect.target-3.16.dev31.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: dissect.target
-Version: 3.16.dev29
+Version: 3.16.dev31
 Summary: This module ties all other Dissect modules together, it provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets)
 Author-email: Dissect Team <dissect@fox-it.com>
 License: Affero General Public License v3

{dissect.target-3.16.dev29.dist-info → dissect.target-3.16.dev31.dist-info}/RECORD

@@ -143,7 +143,7 @@ dissect/target/plugins/apps/webserver/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCe
 dissect/target/plugins/apps/webserver/apache.py,sha256=bD6_XObfO7W-cFlLRWyhdwEfw-Y57JBi47rWnXCx-vg,15026
 dissect/target/plugins/apps/webserver/caddy.py,sha256=qZsAK_tILGvroV4SWkDKc-Otwd41bUEtv9H9TuHmt-0,6422
 dissect/target/plugins/apps/webserver/citrix.py,sha256=FEPdBteEJeeGg3B95W_27O9wLJVhenEc5A5fSLDmK18,3044
-dissect/target/plugins/apps/webserver/iis.py,sha256=UwRVzLqnKScijdLoZFfpkSUzKTQosicZpn16q__4QBU,14669
+dissect/target/plugins/apps/webserver/iis.py,sha256=t92JGTuMbBlUma5BVurdOuzUYvrjpgT8NEHpu9Xz5F0,14734
 dissect/target/plugins/apps/webserver/nginx.py,sha256=WA5soi1FU1c44oHRcyOoHK3gH8Jzc_Qi5uXcimDYukw,4129
 dissect/target/plugins/apps/webserver/webserver.py,sha256=a7a2lLrhsa9c1AXnwiLP-tqVv-IUbmaVaSZI5S0fKa8,1500
 dissect/target/plugins/child/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -201,7 +201,7 @@ dissect/target/plugins/os/unix/bsd/osx/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JC
 dissect/target/plugins/os/unix/bsd/osx/_os.py,sha256=KvP7YJ7apVwoIop7MR-8q5QbVGoB6MdR42l6ssEe6es,4081
 dissect/target/plugins/os/unix/bsd/osx/user.py,sha256=qopB0s3n7e6Q7NjWzn8Z-dKtDtU7e6In4Vm7hIvvedo,2322
 dissect/target/plugins/os/unix/esxi/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-dissect/target/plugins/os/unix/esxi/_os.py,sha256=V3HtCdlZ5gl-aUhrHhzmUwH29iMrIxZCg3l48MjdCYI,15610
+dissect/target/plugins/os/unix/esxi/_os.py,sha256=jqw71St-L_BiREai8bw27oFOrLK4_GuEDLUTK5FMGLU,17498
 dissect/target/plugins/os/unix/linux/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/plugins/os/unix/linux/_os.py,sha256=YJYwuq_iAinOrPqTE49Q4DLYMWBeRCly1uTbDvPhp6Q,2796
 dissect/target/plugins/os/unix/linux/cmdline.py,sha256=XIvaTL42DzeQGhqHN_RTMI5g8hbI2_wjzb7KZ0kPOM0,1591
@@ -261,7 +261,7 @@ dissect/target/plugins/os/windows/locale.py,sha256=yXVdclpUqss9h8Nq7N4kg3OHwWGDf
 dissect/target/plugins/os/windows/notifications.py,sha256=64xHHueHwtJCc8RTAF70oa0RxvqfCu_DBPWRSZBnYZc,17386
 dissect/target/plugins/os/windows/prefetch.py,sha256=5hRxdIP9sIV5Q9TAScMjLbl_mImZ37abvdE_pAd6rh4,10398
 dissect/target/plugins/os/windows/recyclebin.py,sha256=4GSj0Q3YvONufnqANbnG0ffiMQyToCiL5s35Wmu4JOQ,4898
-dissect/target/plugins/os/windows/registry.py,sha256=IBRqltJ_4fZpVuwMVCAH_nS8JUaNVjsC1jh9AZSNHL4,12788
+dissect/target/plugins/os/windows/registry.py,sha256=EfqUkgbzaqTuq1kIPYNG1TfvJxhJE5X-TEjV3K_xsPU,12814
 dissect/target/plugins/os/windows/sam.py,sha256=Es_8ROQ6R6-akuTtegCdsJHXzZJNhzgoFuS8y9xNN8E,15267
 dissect/target/plugins/os/windows/services.py,sha256=_6YkuoZD8LUxk72R3n1p1bOBab3A1wszdB1NuPavIGM,6037
 dissect/target/plugins/os/windows/sru.py,sha256=sOM7CyMkW8XIXzI75GL69WoqUrSK2X99TFIfdQR2D64,17767
@@ -280,9 +280,9 @@ dissect/target/plugins/os/windows/exchange/__init__.py,sha256=47DEQpj8HBSa-_TImW
 dissect/target/plugins/os/windows/exchange/exchange.py,sha256=ofoapuDQXefIX4sTzwNboyk5RztN2JEyw1OWl5cx-wo,1564
 dissect/target/plugins/os/windows/log/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/plugins/os/windows/log/amcache.py,sha256=TabtjNx9Ve-u-Fn0K95A0v_SLGzn2YeNPHrcQvjVKJc,5877
-dissect/target/plugins/os/windows/log/etl.py,sha256=9skhXdKvgmdKE1f3P9MhxvLprKvIGBv5RhOHq-XK91U,6966
+dissect/target/plugins/os/windows/log/etl.py,sha256=Rau1zqPJ5LL91j59nC4Jg81KF2t1uuMx-oQp9JK0a00,7049
 dissect/target/plugins/os/windows/log/evt.py,sha256=vK9XHc-hOxf6BbLKMNzGNlbCRWN2nlksQoCLdHqPgnw,7049
-dissect/target/plugins/os/windows/log/evtx.py,sha256=Ue-6uX-vMfzmmSN5bQgEXks0E42Yx-zPl3Gy1TCa6Cg,6038
+dissect/target/plugins/os/windows/log/evtx.py,sha256=C1JM64GW7z82qT9K9hIiyCv0EFxszFD9GVvtUZUHdL4,6096
 dissect/target/plugins/os/windows/log/pfro.py,sha256=BCjg3OZzkIP4-HzRa1b1dPkDv_B4sbd78fl40obUVkM,2706
 dissect/target/plugins/os/windows/log/schedlgu.py,sha256=vzMOcCSrGRTMNQUZzvyQorZzbTNgs1UJiPe0zeOOupQ,5515
 dissect/target/plugins/os/windows/regf/7zip.py,sha256=Vc336zhS6R8W98GGlLtPJ_OR0vEP014QnBtYwbx_HUo,3217
@@ -331,10 +331,10 @@ dissect/target/volumes/luks.py,sha256=OmCMsw6rCUXG1_plnLVLTpsvE1n_6WtoRUGQbpmu1z
 dissect/target/volumes/lvm.py,sha256=wwQVR9I3G9YzmY6UxFsH2Y4MXGBcKL9aayWGCDTiWMU,2269
 dissect/target/volumes/md.py,sha256=j1K1iKmspl0C_OJFc7-Q1BMWN2OCC5EVANIgVlJ_fIE,1673
 dissect/target/volumes/vmfs.py,sha256=-LoUbn9WNwTtLi_4K34uV_-wDw2W5hgaqxZNj4UmqAQ,1730
-dissect.target-3.16.dev29.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
-dissect.target-3.16.dev29.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
-dissect.target-3.16.dev29.dist-info/METADATA,sha256=qyLj7ZGXe4UjRPqGCfnwa08qYNrNfO8oM64J6KwfC8Y,11107
-dissect.target-3.16.dev29.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
-dissect.target-3.16.dev29.dist-info/entry_points.txt,sha256=tvFPa-Ap-gakjaPwRc6Fl6mxHzxEZ_arAVU-IUYeo_s,447
-dissect.target-3.16.dev29.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
-dissect.target-3.16.dev29.dist-info/RECORD,,
+dissect.target-3.16.dev31.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
+dissect.target-3.16.dev31.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
+dissect.target-3.16.dev31.dist-info/METADATA,sha256=bQJydAA40PRNfKgAuW4LJCissMW3rELgyfBIyapzadU,11107
+dissect.target-3.16.dev31.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
+dissect.target-3.16.dev31.dist-info/entry_points.txt,sha256=tvFPa-Ap-gakjaPwRc6Fl6mxHzxEZ_arAVU-IUYeo_s,447
+dissect.target-3.16.dev31.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
+dissect.target-3.16.dev31.dist-info/RECORD,,