dissect.target 3.16.dev45__py3-none-any.whl → 3.17__py3-none-any.whl

dissect/target/plugins/os/windows/dpapi/crypto.py

@@ -4,7 +4,12 @@ import hashlib
 import hmac
 from typing import Optional, Union
 
-from Crypto.Cipher import AES, ARC4
+try:
+    from Crypto.Cipher import AES, ARC4
+
+    HAS_CRYPTO = True
+except ImportError:
+    HAS_CRYPTO = False
 
 CIPHER_ALGORITHMS: dict[Union[int, str], CipherAlgorithm] = {}
 HASH_ALGORITHMS: dict[Union[int, str], HashAlgorithm] = {}
@@ -62,6 +67,9 @@ class _AES(CipherAlgorithm):
     block_length = 128 // 8
 
     def decrypt(self, data: bytes, key: bytes, iv: Optional[bytes] = None) -> bytes:
+        if not HAS_CRYPTO:
+            raise RuntimeError("Missing pycryptodome dependency")
+
         cipher = AES.new(
             key[: self.key_length], mode=AES.MODE_CBC, IV=iv[: self.iv_length] if iv else b"\x00" * self.iv_length
         )
@@ -93,6 +101,9 @@ class _RC4(CipherAlgorithm):
     block_length = 1 // 8
 
     def decrypt(self, data: bytes, key: bytes, iv: Optional[bytes] = None) -> bytes:
+        if not HAS_CRYPTO:
+            raise RuntimeError("Missing pycryptodome dependency")
+
         cipher = ARC4.new(key[: self.key_length])
         return cipher.decrypt(data)
 

dissect/target/plugins/os/windows/dpapi/dpapi.py

@@ -1,21 +1,27 @@
 import hashlib
 import re
-from functools import cached_property
+from functools import cache, cached_property
 from pathlib import Path
 
-from Crypto.Cipher import AES
+try:
+    from Crypto.Cipher import AES
+
+    HAS_CRYPTO = True
+except ImportError:
+    HAS_CRYPTO = False
+
 
-from dissect.target import Target
 from dissect.target.exceptions import UnsupportedPluginError
+from dissect.target.helpers import keychain
 from dissect.target.plugin import InternalPlugin
 from dissect.target.plugins.os.windows.dpapi.blob import Blob as DPAPIBlob
 from dissect.target.plugins.os.windows.dpapi.master_key import CredSystem, MasterKeyFile
+from dissect.target.target import Target
 
 
 class DPAPIPlugin(InternalPlugin):
     __namespace__ = "dpapi"
 
-    # This matches master key file names
     MASTER_KEY_REGEX = re.compile("^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
 
     SECURITY_POLICY_KEY = "HKEY_LOCAL_MACHINE\\SECURITY\\Policy"
@@ -25,11 +31,26 @@ class DPAPIPlugin(InternalPlugin):
 
     def __init__(self, target: Target):
         super().__init__(target)
+        self.keychain = cache(self.keychain)
 
     def check_compatible(self) -> None:
+        if not HAS_CRYPTO:
+            raise UnsupportedPluginError("Missing pycryptodome dependency")
+
         if not list(self.target.registry.keys(self.SYSTEM_KEY)):
             raise UnsupportedPluginError(f"Registry key not found: {self.SYSTEM_KEY}")
 
+    def keychain(self) -> set:
+        passwords = set()
+
+        for key in keychain.get_keys_for_provider("user") + keychain.get_keys_without_provider():
+            if key.key_type == keychain.KeyType.PASSPHRASE:
+                passwords.add(key.value)
+
+        # It is possible to encrypt using an empty passphrase.
+        passwords.add("")
+        return passwords
+
     @cached_property
     def syskey(self) -> bytes:
         lsa = self.target.registry.key(self.SYSTEM_KEY)
@@ -84,6 +105,10 @@ class DPAPIPlugin(InternalPlugin):
 
         return result
 
+    @cached_property
+    def _users(self) -> dict[str, dict[str, str]]:
+        return {u.name: {"sid": u.sid} for u in self.target.users()}
+
     def _load_master_keys_from_path(self, username: str, path: Path) -> dict[str, MasterKeyFile]:
         if not path.exists():
             return {}
@@ -104,21 +129,51 @@ class DPAPIPlugin(InternalPlugin):
                     if not mkf.decrypted:
                         raise Exception("Failed to decrypt System master key")
 
+                if user := self._users.get(username):
+                    for mk_pass in self.keychain():
+                        if mkf.decrypt_with_password(user["sid"], mk_pass):
+                            break
+
+                        try:
+                            if mkf.decrypt_with_hash(user["sid"], bytes.fromhex(mk_pass)) is True:
+                                break
+                        except ValueError:
+                            pass
+
+                    if not mkf.decrypted:
+                        self.target.log.warning("Could not decrypt DPAPI master key for username '%s'", username)
+
                 result[file.name] = mkf
 
         return result
 
     def decrypt_system_blob(self, data: bytes) -> bytes:
+        """Decrypt the given bytes using the System master key."""
+        return self.decrypt_user_blob(data, self.SYSTEM_USERNAME)
+
+    def decrypt_user_blob(self, data: bytes, username: str) -> bytes:
+        """Decrypt the given bytes using the master key of the given user."""
         blob = DPAPIBlob(data)
 
-        if not (mk := self.master_keys.get(self.SYSTEM_USERNAME, {}).get(blob.guid)):
-            raise ValueError("Blob UUID is unknown to system master keys")
+        if not (mk := self.master_keys.get(username, {}).get(blob.guid)):
+            raise ValueError(f"Blob UUID is unknown to {username} master keys")
 
         if not blob.decrypt(mk.key):
-            raise ValueError("Failed to decrypt system blob")
+            raise ValueError(f"Failed to decrypt blob for user {username}")
 
         return blob.clear_text
 
+    def decrypt_blob(self, data: bytes) -> bytes:
+        """Attempt to decrypt the given bytes using any of the available master keys."""
+        blob = DPAPIBlob(data)
+
+        for user in self.master_keys:
+            for mk in self.master_keys[user].values():
+                if blob.decrypt(mk.key):
+                    return blob.clear_text
+
+        raise ValueError("Failed to decrypt blob")
+
 
 def _decrypt_aes(data: bytes, key: bytes) -> bytes:
     ctx = hashlib.sha256()

dissect/target/plugins/os/windows/dpapi/master_key.py

@@ -1,4 +1,5 @@
 import hashlib
+import logging
 from io import BytesIO
 from typing import BinaryIO
 
@@ -11,6 +12,16 @@ from dissect.target.plugins.os.windows.dpapi.crypto import (
     dpapi_hmac,
 )
 
+try:
+    from Crypto.Hash import MD4
+
+    HAS_CRYPTO = True
+except ImportError:
+    HAS_CRYPTO = False
+
+log = logging.getLogger(__name__)
+
+
 master_key_def = """
 struct DomainKey {
     DWORD   dwVersion;
@@ -85,9 +96,18 @@ class MasterKey:
 
     def decrypt_with_password(self, user_sid: str, pwd: str) -> bool:
         """Decrypts the master key with the given user's password and SID."""
+        pwd = pwd.encode("utf-16-le")
+
         for algo in ["sha1", "md4"]:
-            pwd_hash = hashlib.new(algo, pwd.encode("utf-16-le")).digest()
-            self.decrypt_with_key(derive_password_hash(pwd_hash, user_sid))
+            if algo in hashlib.algorithms_available:
+                pwd_hash = hashlib.new(algo, pwd)
+            elif HAS_CRYPTO and algo == "md4":
+                pwd_hash = MD4.new(pwd)
+            else:
+                log.warning("No cryptography capabilities for algorithm %s", algo)
+                continue
+
+            self.decrypt_with_key(derive_password_hash(pwd_hash.digest(), user_sid))
             if self.decrypted:
                 break
 

dissect/target/plugins/os/windows/regf/runkeys.py

@@ -1,3 +1,5 @@
+from typing import Iterator
+
 from dissect.target.exceptions import UnsupportedPluginError
 from dissect.target.helpers.descriptor_extensions import (
     RegistryRecordDescriptorExtension,
@@ -11,7 +13,7 @@ RunKeyRecord = create_extended_descriptor([RegistryRecordDescriptorExtension, Us
     [
         ("datetime", "ts"),
         ("wstring", "name"),
-        ("string", "path"),
+        ("command", "command"),
         ("string", "key"),
     ],
 )
@@ -48,7 +50,7 @@ class RunKeysPlugin(Plugin):
             raise UnsupportedPluginError("No registry run key found")
 
     @export(record=RunKeyRecord)
-    def runkeys(self):
+    def runkeys(self) -> Iterator[RunKeyRecord]:
         """Iterate various run key locations. See source for all locations.
 
         Run keys (Run and RunOnce) are registry keys that make a program run when a user logs on. a Run key runs every
@@ -63,7 +65,7 @@ class RunKeysPlugin(Plugin):
             domain (string): The target domain.
             ts (datetime): The registry key last modified timestamp.
             name (string): The run key name.
-            path (string): The run key path.
+            command (command): The run key command.
             key (string): The source key for this run key.
         """
         for key in self.KEYS:
@@ -73,7 +75,7 @@ class RunKeysPlugin(Plugin):
                     yield RunKeyRecord(
                         ts=r.ts,
                         name=entry.name,
-                        path=entry.value,
+                        command=entry.value,
                         key=key,
                         _target=self.target,
                         _key=r,

dissect/target/plugins/os/windows/sam.py

@@ -2,7 +2,13 @@ from hashlib import md5, sha256
 from struct import pack
 from typing import Iterator
 
-from Crypto.Cipher import AES, ARC4, DES
+try:
+    from Crypto.Cipher import AES, ARC4, DES
+
+    HAS_CRYPTO = True
+except ImportError:
+    HAS_CRYPTO = False
+
 from dissect import cstruct
 from dissect.util import ts
 
@@ -295,6 +301,9 @@ class SamPlugin(Plugin):
     SAM_KEY = "HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account"
 
     def check_compatible(self) -> None:
+        if not HAS_CRYPTO:
+            raise UnsupportedPluginError("Missing pycryptodome dependency")
+
         if not len(list(self.target.registry.keys(self.SAM_KEY))) > 0:
             raise UnsupportedPluginError(f"Registry key not found: {self.SAM_KEY}")
 

dissect/target/target.py

@@ -280,7 +280,7 @@ class Target:
                     continue
 
                 getlogger(entry).debug("Attempting to use loader: %s", loader_cls)
-                for sub_entry in loader_cls.find_all(entry):
+                for sub_entry in loader_cls.find_all(entry, parsed_path=parsed_path):
                     try:
                         ldr = loader_cls(sub_entry, parsed_path=parsed_path)
                     except Exception as e:

dissect/target/tools/dump/run.py

@@ -7,7 +7,7 @@ import sys
 from collections import deque
 from dataclasses import dataclass
 from pathlib import Path
-from typing import Any, Generator, Iterable, List, Optional, Tuple
+from typing import Any, Iterable, Iterator, Optional
 
 import structlog
 from flow.record import Record
@@ -25,10 +25,12 @@ from dissect.target.tools.dump.utils import (
     Compression,
     Serialization,
     cached_sink_writers,
-    get_nested_attr,
 )
 from dissect.target.tools.utils import (
+    PluginFunction,
     configure_generic_arguments,
+    execute_function_on_target,
+    find_and_filter_plugins,
     process_generic_arguments,
 )
 
@@ -44,13 +46,13 @@ class RecordStreamElement:
     sink_path: Optional[Path] = None
 
 
-def get_targets(targets: List[str]) -> Generator[Target, None, None]:
+def get_targets(targets: list[str]) -> Iterator[Target]:
     """Return a generator with `Target` objects for provided paths"""
     for target in Target.open_all(targets):
         yield target
 
 
-def execute_function(target: Target, function: str) -> Generator[TargetRecordDescriptor, None, None]:
+def execute_function(target: Target, function: PluginFunction) -> TargetRecordDescriptor:
     """
     Execute function `function` on provided target `target` and return a generator
     with the records produced.
@@ -62,7 +64,7 @@ def execute_function(target: Target, function: str) -> Generator[TargetRecordDes
     local_log.debug("Function execution")
 
     try:
-        target_attr = get_nested_attr(target, function)
+        output_type, target_attr, _ = execute_function_on_target(target, function)
     except UnsupportedPluginError:
         local_log.error("Function is not supported for target", exc_info=True)
         return
@@ -70,15 +72,8 @@ def execute_function(target: Target, function: str) -> Generator[TargetRecordDes
         local_log.error("Plugin error while executing function for target", exc_info=True)
         return
 
-    # skip non-record outputs
-    try:
-        output = getattr(target_attr, "__output__", "default") if hasattr(target_attr, "__output__") else None
-    except PluginError as e:
-        local_log.error("Plugin error while fetching an attribute", exc_info=e)
-        return
-
-    if output != "record":
-        local_log.warn("Output format is not supported", output=output)
+    if output_type != "record":
+        local_log.warn("Output format is not supported", output=output_type)
         return
 
     # no support for function-specific arguments
@@ -94,9 +89,9 @@ def execute_function(target: Target, function: str) -> Generator[TargetRecordDes
 
 def produce_target_func_pairs(
     targets: Iterable[Target],
-    functions: List[str],
+    functions: str,
     state: DumpState,
-) -> Generator[Tuple[Target, str], None, None]:
+) -> Iterator[tuple[Target, PluginFunction]]:
     """
     Return a generator with target and function pairs for execution.
 
@@ -107,20 +102,20 @@ def produce_target_func_pairs(
         pairs_to_skip.update((str(sink.target_path), sink.func) for sink in state.finished_sinks)
 
     for target in targets:
-        for func in functions:
-            if state and (target.path, func) in pairs_to_skip:
+        for func_def in find_and_filter_plugins(target, functions):
+            if state and (target.path, func_def.name) in pairs_to_skip:
                 log.info(
                     "Skipping target/func pair since its marked as done in provided state",
                     target=target.path,
-                    func=func,
+                    func=func_def.name,
                     state=state.path,
                 )
                 continue
-            yield (target, func)
-            state.mark_as_finished(target, func)
+            yield (target, func_def)
+            state.mark_as_finished(target, func_def.name)
 
 
-def execute_functions(target_func_stream: Iterable[Tuple[Target, str]]) -> Generator[RecordStreamElement, None, None]:
+def execute_functions(target_func_stream: Iterable[tuple[Target, str]]) -> Iterable[RecordStreamElement]:
     """
     Execute a function on a target for target / function pairs in the stream.
 
@@ -131,7 +126,7 @@ def execute_functions(target_func_stream: Iterable[Tuple[Target, str]]) -> Gener
             yield RecordStreamElement(target=target, func=func, record=record)
 
 
-def log_progress(stream: Iterable[Any], step_size: int = 1000) -> Generator[Any, None, None]:
+def log_progress(stream: Iterable[Any], step_size: int = 1000) -> Iterable[Any]:
     """
     Log a number of items that went though the generator stream
     after every N element (N is configured in `step_size`).
@@ -155,7 +150,7 @@ def log_progress(stream: Iterable[Any], step_size: int = 1000) -> Generator[Any,
 def sink_records(
     record_stream: Iterable[RecordStreamElement],
     state: DumpState,
-) -> Generator[RecordStreamElement, None, None]:
+) -> Iterator[RecordStreamElement]:
     """
     Persist records from the stream into appropriate sinks, per serialization, compression and record type.
     """
@@ -168,7 +163,7 @@ def sink_records(
 def persist_processing_state(
     record_stream: Iterable[RecordStreamElement],
     state: DumpState,
-) -> Generator[RecordStreamElement, None, None]:
+) -> Iterator[RecordStreamElement]:
     """
     Keep track of the pipeline state in a persistent state object.
     """
@@ -179,8 +174,8 @@ def persist_processing_state(
 
 
 def execute_pipeline(
-    targets: List[str],
-    functions: List[str],
+    targets: list[str],
+    functions: str,
     output_dir: Path,
     serialization: Serialization,
     compression: Optional[Compression] = None,
@@ -297,7 +292,7 @@ def main():
     try:
         execute_pipeline(
             targets=args.targets,
-            functions=args.function.split(","),
+            functions=args.function,
             output_dir=args.output,
             serialization=Serialization(args.serialization),
             compression=Compression(args.compression),

dissect/target/tools/dump/state.py

@@ -6,7 +6,7 @@ import json
 from contextlib import contextmanager
 from dataclasses import dataclass
 from pathlib import Path
-from typing import Any, Callable, Iterator, List, Optional, TextIO
+from typing import Any, Callable, Iterator, Optional, TextIO
 
 import structlog
 
@@ -35,17 +35,20 @@ class Sink:
     record_count: int = 0
     size_bytes: int = 0
 
+    def __post_init__(self):
+        self.func = getattr(self.func, "name", self.func)
+
 
 @dataclass
 class DumpState:
-    target_paths: List[str]
-    functions: List[str]
+    target_paths: list[str]
+    functions: list[str]
     serialization: str
     compression: str
     start_time: datetime.datetime
     last_update_time: datetime.datetime
 
-    sinks: List[Sink] = dataclasses.field(default_factory=list)
+    sinks: list[Sink] = dataclasses.field(default_factory=list)
 
     # Volatile properties
     output_dir: Optional[Path] = None
@@ -56,7 +59,7 @@ class DumpState:
         return sum(s.record_count for s in self.sinks)
 
     @property
-    def finished_sinks(self) -> List[Sink]:
+    def finished_sinks(self) -> list[Sink]:
         return [sink for sink in self.sinks if not sink.is_dirty]
 
     @property
@@ -178,7 +181,7 @@ class DumpState:
         state.output_dir = output_dir
         return state
 
-    def get_invalid_sinks(self) -> List[Sink]:
+    def get_invalid_sinks(self) -> list[Sink]:
         """Return sinks that have a mismatch between recorded size and a real file size"""
         invalid_sinks = []
         for sink in self.sinks:
@@ -214,8 +217,8 @@ class DumpState:
 def create_state(
     *,
     output_dir: Path,
-    target_paths: List[str],
-    functions: List[str],
+    target_paths: list[str],
+    functions: list[str],
     serialization: Serialization,
     compression: Compression = None,
 ) -> DumpState:

dissect/target/tools/dump/utils.py

@@ -32,6 +32,7 @@ from flow.record.adapter.jsonfile import JsonfileWriter
 from flow.record.jsonpacker import JsonRecordPacker
 
 from dissect.target import Target
+from dissect.target.plugin import PluginFunction
 
 log = structlog.get_logger(__name__)
 
@@ -69,14 +70,14 @@ def get_nested_attr(obj: Any, nested_attr: str) -> Any:
 
 
 @lru_cache(maxsize=DEST_DIR_CACHE_SIZE)
-def get_sink_dir_by_target(target: Target, function: str) -> Path:
-    func_first_name, _, _ = function.partition(".")
+def get_sink_dir_by_target(target: Target, function: PluginFunction) -> Path:
+    func_first_name, _, _ = function.name.partition(".")
     return Path(target.name) / func_first_name
 
 
 @functools.lru_cache(maxsize=DEST_DIR_CACHE_SIZE)
-def get_sink_dir_by_func(target: Target, function: str) -> Path:
-    func_first_name, _, _ = function.partition(".")
+def get_sink_dir_by_func(target: Target, function: PluginFunction) -> Path:
+    func_first_name, _, _ = function.name.partition(".")
     return Path(func_first_name) / target.name
 
 

dissect/target/tools/query.py

@@ -26,6 +26,7 @@ from dissect.target.tools.utils import (
     catch_sigpipe,
     configure_generic_arguments,
     execute_function_on_target,
+    find_and_filter_plugins,
     generate_argparse_for_bound_method,
     generate_argparse_for_plugin_class,
     generate_argparse_for_unbound_method,
@@ -172,8 +173,7 @@ def main():
         collected_plugins = {}
 
         if targets:
-            for target in targets:
-                plugin_target = Target.open(target)
+            for plugin_target in Target.open_all(targets, args.children):
                 if isinstance(plugin_target._loader, ProxyLoader):
                     parser.error("can't list compatible plugins for remote targets.")
                 funcs, _ = find_plugin_functions(plugin_target, args.list, compatibility=True, show_hidden=True)
@@ -270,25 +270,13 @@ def main():
             basic_entries = []
             yield_entries = []
 
-            # Keep a set of plugins that were already executed on the target.
-            executed_plugins = set()
-
             first_seen_output_type = default_output_type
             cli_params_unparsed = rest
 
-            func_defs, _ = find_plugin_functions(target, args.function, compatibility=False)
             excluded_funcs, _ = find_plugin_functions(target, args.excluded_functions, compatibility=False)
             excluded_func_paths = {excluded_func.path for excluded_func in excluded_funcs}
 
-            for func_def in func_defs:
-                if func_def.path in excluded_func_paths:
-                    continue
-
-                # Avoid executing same plugin for multiple OSes (like hostname)
-                if func_def.name in executed_plugins:
-                    continue
-                executed_plugins.add(func_def.name)
-
+            for func_def in find_and_filter_plugins(target, args.function, excluded_func_paths):
                 # If the default type is record (meaning we skip everything else)
                 # and actual output type is not record, continue.
                 # We perform this check here because plugins that require output files/dirs

dissect/target/tools/shell.py

@@ -31,12 +31,13 @@ from dissect.target.exceptions import (
     RegistryValueNotFoundError,
     TargetError,
 )
-from dissect.target.filesystem import FilesystemEntry, RootFilesystemEntry
+from dissect.target.filesystem import FilesystemEntry, LayerFilesystemEntry
 from dissect.target.helpers import cyber, fsutil, regutil
 from dissect.target.plugin import arg
 from dissect.target.target import Target
 from dissect.target.tools.info import print_target_info
 from dissect.target.tools.utils import (
+    args_to_uri,
     catch_sigpipe,
     configure_generic_arguments,
     generate_argparse_for_bound_method,
@@ -468,7 +469,7 @@ class TargetCli(TargetCmd):
                 # If we happen to scan an NTFS filesystem see if any of the
                 # entries has an alternative data stream and also list them.
                 entry = file_.get()
-                if isinstance(entry, RootFilesystemEntry):
+                if isinstance(entry, LayerFilesystemEntry):
                     if entry.entries.fs.__type__ == "ntfs":
                         attrs = entry.lattr()
                         for data_stream in attrs.DATA:
@@ -511,34 +512,66 @@ class TargetCli(TargetCmd):
     @arg("-l", action="store_true")
     @arg("-a", "--all", action="store_true")  # ignored but included for proper argument parsing
     @arg("-h", "--human-readable", action="store_true")
+    @arg("-R", "--recursive", action="store_true", help="recursively list subdirectories encountered")
+    @arg("-c", action="store_true", dest="use_ctime", help="show time when file status was last changed")
+    @arg("-u", action="store_true", dest="use_atime", help="show time of last access")
     def cmd_ls(self, args: argparse.Namespace, stdout: TextIO) -> Optional[bool]:
         """list directory contents"""
 
         path = self.resolve_path(args.path)
 
+        if args.use_ctime and args.use_atime:
+            print("can't specify -c and -u at the same time")
+            return
+
         if not path or not path.exists():
             return
 
+        self._print_ls(args, path, 0, stdout)
+
+    def _print_ls(self, args: argparse.Namespace, path: fsutil.TargetPath, depth: int, stdout: TextIO) -> None:
+        path = self.resolve_path(path)
+        subdirs = []
+
         if path.is_dir():
             contents = self.scandir(path, color=True)
         elif path.is_file():
             contents = [(path, path.name)]
 
+        if depth > 0:
+            print(f"\n{str(path)}:", file=stdout)
+
         if not args.l:
-            print("\n".join([name for _, name in contents]), file=stdout)
+            for target_path, name in contents:
+                print(name, file=stdout)
+                if target_path.is_dir():
+                    subdirs.append(target_path)
         else:
             if len(contents) > 1:
                 print(f"total {len(contents)}", file=stdout)
             for target_path, name in contents:
-                self.print_extensive_file_stat(stdout=stdout, target_path=target_path, name=name)
+                self.print_extensive_file_stat(args=args, stdout=stdout, target_path=target_path, name=name)
+                if target_path.is_dir():
+                    subdirs.append(target_path)
+
+        if args.recursive and subdirs:
+            for subdir in subdirs:
+                self._print_ls(args, subdir, depth + 1, stdout)
 
-    def print_extensive_file_stat(self, stdout: TextIO, target_path: fsutil.TargetPath, name: str) -> None:
+    def print_extensive_file_stat(
+        self, args: argparse.Namespace, stdout: TextIO, target_path: fsutil.TargetPath, name: str
+    ) -> None:
         """Print the file status."""
         try:
             entry = target_path.get()
             stat = entry.lstat()
             symlink = f" -> {entry.readlink()}" if entry.is_symlink() else ""
-            utc_time = datetime.datetime.utcfromtimestamp(stat.st_mtime).isoformat()
+            show_time = stat.st_mtime
+            if args.use_ctime:
+                show_time = stat.st_ctime
+            elif args.use_atime:
+                show_time = stat.st_atime
+            utc_time = datetime.datetime.utcfromtimestamp(show_time).isoformat()
 
             print(
                 f"{stat_modestr(stat)} {stat.st_uid:4d} {stat.st_gid:4d} {stat.st_size:6d} {utc_time} {name}{symlink}",
@@ -1223,10 +1256,17 @@ def main() -> None:
     parser.add_argument("targets", metavar="TARGETS", nargs="*", help="targets to load")
     parser.add_argument("-p", "--python", action="store_true", help="(I)Python shell")
     parser.add_argument("-r", "--registry", action="store_true", help="registry shell")
+    parser.add_argument(
+        "-L",
+        "--loader",
+        action="store",
+        default=None,
+        help="select a specific loader (i.e. vmx, raw)",
+    )
 
     configure_generic_arguments(parser)
-    args = parser.parse_args()
-
+    args, rest = parser.parse_known_args()
+    args.targets = args_to_uri(args.targets, args.loader, rest) if args.loader else args.targets
     process_generic_arguments(args)
 
     # For the shell tool we want -q to log slightly more then just CRITICAL