dissect.target 3.16.dev44__py3-none-any.whl → 3.17__py3-none-any.whl

dissect/target/helpers/compat/path_common.py

@@ -3,6 +3,7 @@ from __future__ import annotations
 import io
 import posixpath
 import stat
+import sys
 from typing import IO, TYPE_CHECKING, Iterator, Literal, Optional
 
 if TYPE_CHECKING:
@@ -27,11 +28,24 @@ try:
             self._fs = path._fs
             self._flavour = path._flavour
 
-        def __getitem__(self, idx: int) -> TargetPath:
-            result = super().__getitem__(idx)
-            result._fs = self._fs
-            result._flavour = self._flavour
-            return result
+        if sys.version_info >= (3, 10):
+
+            def __getitem__(self, idx: int) -> TargetPath:
+                result = super().__getitem__(idx)
+                result._fs = self._fs
+                result._flavour = self._flavour
+                return result
+
+        else:
+
+            def __getitem__(self, idx: int) -> TargetPath:
+                if idx < 0:
+                    idx = len(self) + idx
+
+                result = super().__getitem__(idx)
+                result._fs = self._fs
+                result._flavour = self._flavour
+                return result
 
 except ImportError:
     pass

dissect/target/helpers/configutil.py

@@ -3,6 +3,7 @@ from __future__ import annotations
 import io
 import json
 import re
+import sys
 from collections import deque
 from configparser import ConfigParser, MissingSectionHeaderError
 from dataclasses import dataclass
@@ -28,11 +29,22 @@ from dissect.target.filesystem import FilesystemEntry
 from dissect.target.helpers.fsutil import TargetPath
 
 try:
-    import yaml
+    from ruamel.yaml import YAML
 
-    PY_YAML = True
-except (AttributeError, ImportError):
-    PY_YAML = False
+    HAS_YAML = True
+except ImportError:
+    HAS_YAML = False
+
+try:
+    if sys.version_info < (3, 11):
+        import tomli as toml
+    else:
+        # tomllib is included since python 3.11
+        import tomllib as toml  # novermin
+
+    HAS_TOML = True
+except ImportError:
+    HAS_TOML = False
 
 
 def _update_dictionary(current: dict[str, Any], key: str, value: Any) -> None:
@@ -401,11 +413,21 @@ class Yaml(ConfigurationParser):
     """Parses a Yaml file."""
 
     def parse_file(self, fh: TextIO) -> None:
-        if PY_YAML:
-            parsed_data = yaml.load(fh, yaml.BaseLoader)
+        if HAS_YAML:
+            parsed_data = YAML(typ="safe").load(fh)
             self.parsed_data = ListUnwrapper.unwrap(parsed_data)
         else:
-            raise ConfigurationParsingError("Failed to parse file, please install PyYAML.")
+            raise ConfigurationParsingError("Failed to parse file, please install ruamel.yaml.")
+
+
+class Toml(ConfigurationParser):
+    """Parses a Toml file."""
+
+    def parse_file(self, fh: TextIO) -> None:
+        if HAS_TOML:
+            self.parsed_data = toml.loads(fh.read())
+        else:
+            raise ConfigurationParsingError("Failed to parse file, please install tomli.")
 
 
 class ScopeManager:
@@ -696,6 +718,7 @@ CONFIG_MAP: dict[tuple[str, ...], ParserConfig] = {
     "sample": ParserConfig(Txt),
     "systemd": ParserConfig(SystemD),
     "template": ParserConfig(Txt),
+    "toml": ParserConfig(Toml),
 }
 
 KNOWN_FILES: dict[str, type[ConfigurationParser]] = {

dissect/target/helpers/network_managers.py

@@ -1,9 +1,13 @@
+from __future__ import annotations
+
+import logging
 import re
 from collections import defaultdict
 from configparser import ConfigParser, MissingSectionHeaderError
 from io import StringIO
+from itertools import chain
 from re import compile, sub
-from typing import Any, Callable, Iterable, Match, Optional, Union
+from typing import Any, Callable, Iterable, Match, Optional
 
 from defusedxml import ElementTree
 
@@ -11,12 +15,14 @@ from dissect.target.exceptions import PluginError
 from dissect.target.helpers.fsutil import TargetPath
 from dissect.target.target import Target
 
+log = logging.getLogger(__name__)
+
 try:
-    import yaml
+    from ruamel.yaml import YAML
 
-    PY_YAML = True
+    HAS_YAML = True
 except ImportError:
-    PY_YAML = False
+    HAS_YAML = False
 
 IGNORED_IPS = [
     "0.0.0.0",
@@ -49,7 +55,7 @@ class Template:
         """Sets the name of the the used parsing template to the name of the discovered network manager."""
         self.name = name
 
-    def create_config(self, path: TargetPath) -> Union[dict, None]:
+    def create_config(self, path: TargetPath) -> Optional[dict]:
         """Create a network config dictionary based on the configured template and supplied path.
 
         Args:
@@ -60,7 +66,7 @@ class Template:
         """
 
         if not path.exists() or path.is_dir():
-            self.target.log.debug("Failed to get config file %s", path)
+            log.debug("Failed to get config file %s", path)
             config = None
 
         if self.name == "netplan":
@@ -73,26 +79,26 @@ class Template:
             config = self._parse_configparser_config(path)
         return config
 
-    def _parse_netplan_config(self, fh: TargetPath) -> Union[dict, None]:
+    def _parse_netplan_config(self, path: TargetPath) -> Optional[dict]:
         """Internal function to parse a netplan YAML based configuration file into a dict.
 
         Args:
-            fh: A file-like object to the configuration file to be parsed.
+            fh: A path to the configuration file to be parsed.
 
         Returns:
             Dictionary containing the parsed YAML based configuration file.
         """
-        if PY_YAML:
-            return self.parser(stream=fh.open(), Loader=yaml.FullLoader)
+        if HAS_YAML:
+            return self.parser(path.open("rb"))
         else:
-            self.target.log.error("Failed to parse %s. Cannot import PyYAML", self.name)
+            log.error("Failed to parse %s. Cannot import ruamel.yaml", self.name)
             return None
 
-    def _parse_wicked_config(self, fh: TargetPath) -> dict:
+    def _parse_wicked_config(self, path: TargetPath) -> dict:
         """Internal function to parse a wicked XML based configuration file into a dict.
 
         Args:
-            fh: A file-like object to the configuration file to be parsed.
+            fh: A path to the configuration file to be parsed.
 
         Returns:
             Dictionary containing the parsed xml based Linux network manager based configuration file.
@@ -101,44 +107,43 @@ class Template:
         # we have to replace the ":" for this with "___" (three underscores) to make the xml config non-namespaced.
         pattern = compile(r"(?<=\n)\s+(<.+?>)")
         replace_match: Callable[[Match]] = lambda match: match.group(1).replace(":", "___")
-        text = sub(pattern, replace_match, fh.open("rt").read())
+        text = sub(pattern, replace_match, path.open("rt").read())
 
         xml = self.parser.parse(StringIO(text))
         return self._parse_xml_config(xml, self.sections, self.options)
 
-    def _parse_configparser_config(self, fh: TargetPath) -> dict:
+    def _parse_configparser_config(self, path: TargetPath) -> dict:
         """Internal function to parse ConfigParser compatible configuration files into a dict.
 
         Args:
-            fh: A file-like object to the configuration file to be parsed.
+            path: A path to the configuration file to be parsed.
 
         Returns:
             Dictionary containing the parsed ConfigParser compatible configuration file.
         """
         try:
-            self.parser.read_string(fh.open("rt").read(), fh.name)
+            self.parser.read_string(path.open("rt").read(), path.name)
             return self.parser._sections
         except MissingSectionHeaderError:
             # configparser does like config files without headers, so we inject a header to make it work.
-            self.parser.read_string(f"[{self.name}]\n" + fh.open("rt").read(), fh.name)
+            self.parser.read_string(f"[{self.name}]\n" + path.open("rt").read(), path.name)
             return self.parser._sections
 
-    def _parse_text_config(self, comments: str, delim: str, fh: TargetPath) -> dict:
+    def _parse_text_config(self, comments: str, delim: str, path: TargetPath) -> dict:
         """Internal function to parse a basic plain text based configuration file into a dict.
 
         Args:
             comments: A string value defining the comment style of the configuration file.
             delim: A string value defining the delimiters used in the configuration file.
-            fh: A file-like object to the configuration file to be parsed.
+            path: A path to the configuration file to be parsed.
 
         Returns:
             Dictionary with a parsed plain text based Linux network manager configuration file.
         """
         config = defaultdict(dict)
         option_dict = {}
-        fh = fh.open("rt")
 
-        for line in fh.readlines():
+        for line in path.open("rt"):
             line = line.strip()
 
             if not line or line.startswith(comments):
@@ -279,7 +284,7 @@ class Parser:
             if option in translation_values and value:
                 return translation_key
 
-    def _get_option(self, config: dict, option: str, section: Optional[str] = None) -> Union[str, Callable]:
+    def _get_option(self, config: dict, option: str, section: Optional[str] = None) -> Optional[str | Callable]:
         """Internal function to get arbitrary options values from a parsed (non-translated) dictionary.
 
         Args:
@@ -290,8 +295,14 @@ class Parser:
         Returns:
             Value(s) corrensponding to that network configuration option.
         """
+        if not config:
+            log.error("Cannot get option %s: No config to parse", option)
+            return
+
         if section:
-            config = config[section]
+            # account for values of sections which are None
+            config = config.get(section, {}) or {}
+
         for key, value in config.items():
             if key == option:
                 return value
@@ -365,7 +376,7 @@ class NetworkManager:
         if self.registered:
             self.config = self.parser.parse()
         else:
-            self.target.log.error("Network manager %s is not registered. Cannot parse config.", self.name)
+            log.error("Network manager %s is not registered. Cannot parse config.", self.name)
 
     @property
     def interface(self) -> set:
@@ -499,7 +510,7 @@ class LinuxNetworkManager:
 
 
 def parse_unix_dhcp_log_messages(target) -> list[str]:
-    """Parse local syslog and cloud init log files for DHCP lease IPs.
+    """Parse local syslog, journal and cloud init-log files for DHCP lease IPs.
 
     Args:
         target: Target to discover and obtain network information from.
@@ -507,53 +518,68 @@ def parse_unix_dhcp_log_messages(target) -> list[str]:
     Returns:
         List of DHCP ip addresses.
     """
-    ips = []
-
-    # Search through parsed syslogs for DHCP leases.
-    try:
-        messages = target.messages()
-        for record in messages:
-            line = record.message
-
-            # Ubuntu DHCP
-            if ("DHCPv4" in line or "DHCPv6" in line) and " address " in line and " via " in line:
-                ip = line.split(" address ")[1].split(" via ")[0].strip().split("/")[0]
-                if ip not in ips:
-                    ips.append(ip)
-
-            # Ubuntu DHCP NetworkManager
-            elif "option ip_address" in line and ("dhcp4" in line or "dhcp6" in line) and "=> '" in line:
-                ip = line.split("=> '")[1].replace("'", "").strip()
-                if ip not in ips:
-                    ips.append(ip)
-
-            # Debian and CentOS dhclient
-            elif record.daemon == "dhclient" and "bound to" in line:
-                ip = line.split("bound to")[1].split(" ")[1].strip()
-                if ip not in ips:
-                    ips.append(ip)
-
-            # CentOS DHCP and general NetworkManager
-            elif " address " in line and ("dhcp4" in line or "dhcp6" in line):
-                ip = line.split(" address ")[1].strip()
-                if ip not in ips:
-                    ips.append(ip)
-
-    except PluginError:
-        target.log.debug("Can not search for DHCP leases in syslog files as they does not exist.")
-
-    # A unix system might be provisioned using Ubuntu's cloud-init (https://cloud-init.io/).
-    if (path := target.fs.path("/var/log/cloud-init.log")).exists():
-        for line in path.open("rt"):
-            # We are interested in the following log line:
-            # YYYY-MM-DD HH:MM:SS,000 - dhcp.py[DEBUG]: Received dhcp lease on IFACE for IP/MASK
-            if "Received dhcp lease on" in line:
-                interface, ip, netmask = re.search(r"Received dhcp lease on (\w{0,}) for (\S+)\/(\S+)", line).groups()
-                if ip not in ips:
-                    ips.append(ip)
+    ips = set()
+    messages = set()
 
-    if not path and not messages:
-        target.log.warning("Can not search for DHCP leases in syslog or cloud-init.log files as they does not exist.")
+    for log_func in ["messages", "journal"]:
+        try:
+            messages = chain(messages, getattr(target, log_func)())
+        except PluginError:
+            target.log.debug(f"Could not search for DHCP leases in {log_func} files.")
+
+    if not messages:
+        target.log.warning(f"Could not search for DHCP leases using {log_func}: No log entries found.")
+
+    for record in messages:
+        line = record.message
+
+        # Ubuntu cloud-init
+        if "Received dhcp lease on" in line:
+            interface, ip, netmask = re.search(r"Received dhcp lease on (\w{0,}) for (\S+)\/(\S+)", line).groups()
+            ips.add(ip)
+            continue
+
+        # Ubuntu DHCP
+        if ("DHCPv4" in line or "DHCPv6" in line) and " address " in line and " via " in line:
+            ip = line.split(" address ")[1].split(" via ")[0].strip().split("/")[0]
+            ips.add(ip)
+            continue
+
+        # Ubuntu DHCP NetworkManager
+        if "option ip_address" in line and ("dhcp4" in line or "dhcp6" in line) and "=> '" in line:
+            ip = line.split("=> '")[1].replace("'", "").strip()
+            ips.add(ip)
+            continue
+
+        # Debian and CentOS dhclient
+        if hasattr(record, "daemon") and record.daemon == "dhclient" and "bound to" in line:
+            ip = line.split("bound to")[1].split(" ")[1].strip()
+            ips.add(ip)
+            continue
+
+        # CentOS DHCP and general NetworkManager
+        if " address " in line and ("dhcp4" in line or "dhcp6" in line):
+            ip = line.split(" address ")[1].strip()
+            ips.add(ip)
+            continue
+
+        # Ubuntu/Debian DHCP networkd (Journal)
+        if (
+            hasattr(record, "code_func")
+            and record.code_func == "dhcp_lease_acquired"
+            and " address " in line
+            and " via " in line
+        ):
+            interface, ip, netmask, gateway = re.search(
+                r"^(\S+): DHCPv[4|6] address (\S+)\/(\S+) via (\S+)", line
+            ).groups()
+            ips.add(ip)
+            continue
+
+        # Journals and syslogs can be large and slow to iterate,
+        # so we stop if we have some results and have reached the journal plugin.
+        if len(ips) >= 2 and record._desc.name == "linux/log/journal":
+            break
 
     return ips
 
@@ -631,7 +657,9 @@ TEMPLATES = {
         ["netctl"],
         ["address", "gateway", "dns", "ip"],
     ),
-    "netplan": Template("netplan", yaml.load if PY_YAML else None, ["network"], ["addresses", "dhcp4", "gateway4"]),
+    "netplan": Template(
+        "netplan", YAML(typ="safe").load if HAS_YAML else None, ["network"], ["addresses", "dhcp4", "gateway4"]
+    ),
     "NetworkManager": Template(
         "NetworkManager",
         ConfigParser(delimiters=("="), comment_prefixes="#", dict_type=dict),

dissect/target/helpers/record_modifier.py

@@ -62,13 +62,16 @@ MODIFIER_MAPPING = {
 
 def _resolve_path_types(target: Target, record: Record) -> Iterator[tuple[str, TargetPath]]:
     for field_name, field_type in record._field_types.items():
-        if not issubclass(field_type, fieldtypes.path):
+        if not issubclass(field_type, (fieldtypes.path, fieldtypes.command)):
             continue
 
         path = getattr(record, field_name, None)
         if path is None:
             continue
 
+        if isinstance(path, fieldtypes.command):
+            path = path.executable
+
         yield field_name, target.resolve(str(path))
 
 

dissect/target/loader.py

@@ -77,7 +77,7 @@ class Loader:
         raise NotImplementedError()
 
     @staticmethod
-    def find_all(path: Path) -> Iterator[Path]:
+    def find_all(path: Path, **kwargs) -> Iterator[Path]:
         """Finds all targets to load from ``path``.
 
         This can be used to open multiple targets from a target path that doesn't necessarily map to files on a disk.
@@ -176,6 +176,7 @@ def open(item: Union[str, Path], *args, **kwargs) -> Loader:
 
 register("local", "LocalLoader")
 register("remote", "RemoteLoader")
+register("mqtt", "MQTTLoader")
 register("targetd", "TargetdLoader")
 register("asdf", "AsdfLoader")
 register("tar", "TarLoader")
@@ -198,6 +199,7 @@ register("target", "TargetLoader")
 register("log", "LogLoader")
 # Disabling ResLoader because of DIS-536
 # register("res", "ResLoader")
+register("overlay", "Overlay2Loader")
 register("phobos", "PhobosLoader")
 register("velociraptor", "VelociraptorLoader")
 register("smb", "SmbLoader")

dissect/target/loaders/dir.py

@@ -1,9 +1,11 @@
 from __future__ import annotations
 
 import zipfile
+from collections import defaultdict
 from pathlib import Path
 from typing import TYPE_CHECKING
 
+from dissect.target.filesystem import LayerFilesystem
 from dissect.target.filesystems.dir import DirectoryFilesystem
 from dissect.target.filesystems.zip import ZipFilesystem
 from dissect.target.helpers import loaderutil
@@ -48,6 +50,7 @@ def map_dirs(target: Target, dirs: list[Path | tuple[str, Path]], os_type: str,
         alt_separator = "\\"
         case_sensitive = False
 
+    drive_letter_map = defaultdict(list)
     for path in dirs:
         drive_letter = None
         if isinstance(path, tuple):
@@ -59,13 +62,28 @@ def map_dirs(target: Target, dirs: list[Path | tuple[str, Path]], os_type: str,
             dfs = ZipFilesystem(path.root.fp, path.at, alt_separator=alt_separator, case_sensitive=case_sensitive)
         else:
             dfs = DirectoryFilesystem(path, alt_separator=alt_separator, case_sensitive=case_sensitive)
-        target.filesystems.add(dfs)
 
-        if os_type == OperatingSystem.WINDOWS:
-            loaderutil.add_virtual_ntfs_filesystem(target, dfs, **kwargs)
+        drive_letter_map[drive_letter].append(dfs)
+
+    fs_to_add = []
+    for drive_letter, dfs in drive_letter_map.items():
+        if drive_letter is not None:
+            if len(dfs) > 1:
+                vfs = LayerFilesystem()
+                for fs in dfs:
+                    vfs.append_fs_layer(fs)
+            else:
+                vfs = dfs[0]
 
-            if drive_letter is not None:
-                target.fs.mount(drive_letter.lower() + ":", dfs)
+            fs_to_add.append(vfs)
+            target.fs.mount(drive_letter.lower() + ":", vfs)
+        else:
+            fs_to_add.extend(dfs)
+
+    for fs in fs_to_add:
+        target.filesystems.add(fs)
+        if os_type == OperatingSystem.WINDOWS:
+            loaderutil.add_virtual_ntfs_filesystem(target, fs, **kwargs)
 
 
 def find_and_map_dirs(target: Target, path: Path, **kwargs) -> None:

dissect/target/loaders/itunes.py

@@ -28,9 +28,9 @@ except ImportError:
 try:
     from Crypto.Cipher import AES
 
-    HAS_PYCRYPTODOME = True
+    HAS_CRYPTO = True
 except ImportError:
-    HAS_PYCRYPTODOME = False
+    HAS_CRYPTO = False
 
 
 DOMAIN_TRANSLATION = {
@@ -383,7 +383,7 @@ def _create_cipher(key: bytes, iv: bytes = b"\x00" * 16, mode: str = "cbc") -> A
             raise ValueError(f"Invalid key size: {key_size}")
 
         return _pystandalone.cipher(f"aes-{key_size * 8}-{mode}", key, iv)
-    elif HAS_PYCRYPTODOME:
+    elif HAS_CRYPTO:
         mode_map = {
             "cbc": (AES.MODE_CBC, True),
             "ecb": (AES.MODE_ECB, False),