dissect.target 3.17.dev15__py3-none-any.whl → 3.17.dev18__py3-none-any.whl

dissect/target/container.py

@@ -258,3 +258,4 @@ register("vdi", "VdiContainer")
 register("hdd", "HddContainer")
 register("hds", "HdsContainer")
 register("split", "SplitContainer")
+register("fortifw", "FortiFirmwareContainer")

dissect/target/containers/fortifw.py

@@ -0,0 +1,190 @@
+from __future__ import annotations
+
+import gzip
+import io
+import logging
+import zlib
+from itertools import cycle, islice
+from pathlib import Path
+from typing import BinaryIO
+
+from dissect.util.stream import AlignedStream, RangeStream, RelativeStream
+
+from dissect.target.container import Container
+from dissect.target.tools.utils import catch_sigpipe
+
+log = logging.getLogger(__name__)
+
+
+def find_xor_key(fh: BinaryIO) -> bytes:
+    """Find the XOR key for the firmware file by using known plaintext of zeros.
+
+    File-like object ``fh`` must be seeked to the correct offset where it should decode to all zeroes (0x00).
+
+    Arguments:
+        fh: File-like object to read from.
+
+    Returns:
+        bytes: XOR key, note that the XOR key is not validated and may be incorrect.
+    """
+    key = bytearray()
+
+    pos = fh.tell()
+    buf = fh.read(32)
+    fh.seek(pos)
+
+    if pos % 512 == 0:
+        xor_char = 0xFF
+    else:
+        fh.seek(pos - 1)
+        xor_char = ord(fh.read(1))
+
+    for i, k_char in enumerate(buf):
+        idx = (i + pos) & 0x1F
+        key.append((xor_char ^ k_char ^ idx) & 0xFF)
+        xor_char = k_char
+
+    # align xor key
+    koffset = 32 - (pos & 0x1F)
+    key = islice(cycle(key), koffset, koffset + 32)
+    return bytes(key)
+
+
+class FortiFirmwareFile(AlignedStream):
+    """Fortinet firmware file, handles transparant decompression and deobfuscation of the firmware file."""
+
+    def __init__(self, fh: BinaryIO):
+        self.fh = fh
+        self.trailer_offset = None
+        self.trailer_data = None
+        self.xor_key = None
+        self.is_gzipped = False
+
+        size = None
+
+        # Check if the file is gzipped
+        self.fh.seek(0)
+        header = self.fh.read(4)
+        if header.startswith(b"\x1f\x8b"):
+            self.is_gzipped = True
+
+            # Find the extra metadata behind the gzip compressed data
+            # as a bonus we can also calculate the size of the firmware here
+            dec = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)
+            self.fh.seek(0)
+            size = 0
+            while True:
+                data = self.fh.read(io.DEFAULT_BUFFER_SIZE)
+                if not data:
+                    break
+                d = dec.decompress(dec.unconsumed_tail + data)
+                size += len(d)
+
+            # Ignore the trailer data of the gzip file if we have any
+            if dec.unused_data:
+                self.trailer_offset = self.fh.seek(-len(dec.unused_data), io.SEEK_END)
+                self.trailer_data = self.fh.read()
+                log.info("Found trailer offset: %d, data: %r", self.trailer_offset, self.trailer_data)
+                self.fh = RangeStream(self.fh, 0, self.trailer_offset)
+
+            self.fh.seek(0)
+            self.fh = gzip.GzipFile(fileobj=self.fh)
+
+        # Find the xor key based on known offsets where the firmware should decode to zero bytes
+        for zero_offset in (0x30, 0x40, 0x400):
+            self.fh.seek(zero_offset)
+            xor_key = find_xor_key(self.fh)
+            if xor_key.isalnum():
+                self.xor_key = xor_key
+                log.info("Found key %r @ offset %s", self.xor_key, zero_offset)
+                break
+        else:
+            log.info("No xor key found")
+
+        # Determine the size of the firmware file if we didn't calculate it yet
+        if size is None:
+            size = self.fh.seek(0, io.SEEK_END)
+
+        log.info("firmware size: %s", size)
+        log.info("xor key: %r", self.xor_key)
+        log.info("gzipped: %s", self.is_gzipped)
+        self.fh.seek(0)
+
+        # Align the stream to 512 bytes which simplifies the XOR deobfuscation code
+        super().__init__(size=size, align=512)
+
+    def _read(self, offset: int, length: int) -> bytes:
+        self.fh.seek(offset)
+        buf = self.fh.read(length)
+
+        if not self.xor_key:
+            return buf
+
+        buf = bytearray(buf)
+        xor_char = 0xFF
+        for i, cur_char in enumerate(buf):
+            if (i + offset) % 512 == 0:
+                xor_char = 0xFF
+            idx = (i + offset) & 0x1F
+            buf[i] = ((self.xor_key[idx] ^ cur_char ^ xor_char) - idx) & 0xFF
+            xor_char = cur_char
+
+        return bytes(buf)
+
+
+class FortiFirmwareContainer(Container):
+    __type__ = "fortifw"
+
+    def __init__(self, fh: BinaryIO | Path, *args, **kwargs):
+        if not hasattr(fh, "read"):
+            fh = fh.open("rb")
+
+        # Open the firmware file
+        self.ff = FortiFirmwareFile(fh)
+
+        # seek to MBR
+        self.fw = RelativeStream(self.ff, 0x200)
+        super().__init__(self.fw, self.ff.size, *args, **kwargs)
+
+    @staticmethod
+    def detect_fh(fh: BinaryIO, original: list | BinaryIO) -> bool:
+        return False
+
+    @staticmethod
+    def detect_path(path: Path, original: list | BinaryIO) -> bool:
+        # all Fortinet firmware files end with `-FORTINET.out`
+        return str(path).lower().endswith("-fortinet.out")
+
+    def read(self, length: int) -> bytes:
+        return self.fw.read(length)
+
+    def seek(self, offset: int, whence: int = io.SEEK_SET) -> int:
+        return self.fw.seek(offset, whence)
+
+    def tell(self) -> int:
+        return self.fw.tell()
+
+    def close(self) -> None:
+        pass
+
+
+@catch_sigpipe
+def main(argv: list[str] | None = None) -> None:
+    import argparse
+    import shutil
+    import sys
+
+    parser = argparse.ArgumentParser(description="Decompress and deobfuscate Fortinet firmware file to stdout.")
+    parser.add_argument("file", type=argparse.FileType("rb"), help="Fortinet firmware file")
+    parser.add_argument("--verbose", "-v", action="store_true", help="verbose output")
+    args = parser.parse_args(argv)
+
+    if args.verbose:
+        logging.basicConfig(level=logging.INFO)
+
+    ff = FortiFirmwareFile(args.file)
+    shutil.copyfileobj(ff, sys.stdout.buffer)
+
+
+if __name__ == "__main__":
+    main()

{dissect.target-3.17.dev15.dist-info → dissect.target-3.17.dev18.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: dissect.target
-Version: 3.17.dev15
+Version: 3.17.dev18
 Summary: This module ties all other Dissect modules together, it provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets)
 Author-email: Dissect Team <dissect@fox-it.com>
 License: Affero General Public License v3

{dissect.target-3.17.dev15.dist-info → dissect.target-3.17.dev18.dist-info}/RECORD

@@ -1,5 +1,5 @@
 dissect/target/__init__.py,sha256=Oc7ounTgq2hE4nR6YcNabetc7SQA40ldSa35VEdZcQU,63
-dissect/target/container.py,sha256=9ixufT1_0WhraqttBWwQjG80caToJqvCX8VjFk8d5F0,9307
+dissect/target/container.py,sha256=0YcwcGmfJjhPXUB6DEcjWEoSuAtTDxMDpoTviMrLsxM,9353
 dissect/target/exceptions.py,sha256=VVW_Rq_vQinapz-2mbJ3UkxBEZpb2pE_7JlhMukdtrY,2877
 dissect/target/filesystem.py,sha256=VD1BA6hLqH_FPWFZ-wliEuCxnFrUK61S9VbGK7CtA5w,55597
 dissect/target/loader.py,sha256=_mrMOzKdpb7nlZJpLENOLuU4Ty92PzJem9GFDuo0PK4,7298
@@ -10,6 +10,7 @@ dissect/target/volume.py,sha256=aQZAJiny8jjwkc9UtwIRwy7nINXjCxwpO-_UDfh6-BA,1580
 dissect/target/containers/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/containers/asdf.py,sha256=DJp0QEFwUjy2MFwKYcYqIR_BS1fQT1Yi9Kcmqt0aChM,1366
 dissect/target/containers/ewf.py,sha256=FTEPZpogDzymrbAeSnLuHNNStifLzNVhUvtbEMOyo0E,1342
+dissect/target/containers/fortifw.py,sha256=2Ga89c0qPguHAPigcte8wptgF2aM9qfPTZHddkfQ8J4,5874
 dissect/target/containers/hdd.py,sha256=Y1qYpk3GePCpq2HZIyqyoGch7nzN8aeI3zWG3UGhf5o,1069
 dissect/target/containers/hds.py,sha256=xijSUSRM392Ckc9QsOsvjx7PMyeoR4qOlWGG0w4nqUU,1145
 dissect/target/containers/qcow2.py,sha256=FtXLZA-Xkegbv--dStusQntUiDqM1idSFWMtJRiL7eM,1128
@@ -335,10 +336,10 @@ dissect/target/volumes/luks.py,sha256=OmCMsw6rCUXG1_plnLVLTpsvE1n_6WtoRUGQbpmu1z
 dissect/target/volumes/lvm.py,sha256=wwQVR9I3G9YzmY6UxFsH2Y4MXGBcKL9aayWGCDTiWMU,2269
 dissect/target/volumes/md.py,sha256=j1K1iKmspl0C_OJFc7-Q1BMWN2OCC5EVANIgVlJ_fIE,1673
 dissect/target/volumes/vmfs.py,sha256=-LoUbn9WNwTtLi_4K34uV_-wDw2W5hgaqxZNj4UmqAQ,1730
-dissect.target-3.17.dev15.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
-dissect.target-3.17.dev15.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
-dissect.target-3.17.dev15.dist-info/METADATA,sha256=Mz0QnC-O5ciS0rb8W_3OHKS9X9i4WjnzDJWZrLeePoI,11300
-dissect.target-3.17.dev15.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
-dissect.target-3.17.dev15.dist-info/entry_points.txt,sha256=tvFPa-Ap-gakjaPwRc6Fl6mxHzxEZ_arAVU-IUYeo_s,447
-dissect.target-3.17.dev15.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
-dissect.target-3.17.dev15.dist-info/RECORD,,
+dissect.target-3.17.dev18.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
+dissect.target-3.17.dev18.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
+dissect.target-3.17.dev18.dist-info/METADATA,sha256=hkVxbE5ESL9e5xGrI4YY5UYYKF66WwuUIgRb8XRsaaQ,11300
+dissect.target-3.17.dev18.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
+dissect.target-3.17.dev18.dist-info/entry_points.txt,sha256=tvFPa-Ap-gakjaPwRc6Fl6mxHzxEZ_arAVU-IUYeo_s,447
+dissect.target-3.17.dev18.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
+dissect.target-3.17.dev18.dist-info/RECORD,,