dissect.target 3.17.dev37__py3-none-any.whl → 3.18__py3-none-any.whl

dissect/target/plugins/os/unix/etc/etc.py

@@ -0,0 +1,77 @@
+import fnmatch
+import logging
+import re
+from pathlib import Path
+from typing import Iterator
+
+from dissect.target import Target
+from dissect.target.helpers.record import TargetRecordDescriptor
+from dissect.target.plugin import arg, export
+from dissect.target.plugins.general.config import (
+    ConfigurationEntry,
+    ConfigurationTreePlugin,
+)
+
+UnixConfigTreeRecord = TargetRecordDescriptor(
+    "unix/config",
+    [
+        ("path", "source"),
+        ("path", "path"),
+        ("string", "key"),
+        ("string[]", "value"),
+    ],
+)
+
+log = logging.getLogger(__name__)
+
+
+class EtcTree(ConfigurationTreePlugin):
+    __namespace__ = "etc"
+
+    def __init__(self, target: Target):
+        super().__init__(target, "/etc")
+
+    def _sub(self, items: ConfigurationEntry, entry: Path, pattern: str) -> Iterator[UnixConfigTreeRecord]:
+        index = 0
+        config_entry = items
+        if not isinstance(items, dict):
+            items = items.as_dict()
+
+        for raw_key, value in items.items():
+            key = re.sub(r"[\n\r\t]", "", raw_key)
+            path = Path(entry) / Path(key)
+
+            if isinstance(value, dict):
+                yield from self._sub(value, path, pattern)
+                continue
+
+            if not isinstance(value, list):
+                value = [str(value)]
+
+            if fnmatch.fnmatch(path, pattern):
+                data = {
+                    "_target": self.target,
+                    "source": self.target.fs.path(config_entry.entry.path),
+                    "path": path,
+                    "key": key,
+                    "value": value,
+                }
+                if value == [""]:
+                    data["key"] = index
+                    data["value"] = [key]
+                    index += 1
+
+                yield UnixConfigTreeRecord(**data)
+
+    @export(record=UnixConfigTreeRecord)
+    @arg("--glob", dest="pattern", required=False, default="*", type=str, help="Glob-style pattern to search for")
+    def etc(self, pattern: str) -> Iterator[UnixConfigTreeRecord]:
+        for entry, subs, items in self.config_fs.walk("/"):
+            for item in items:
+                try:
+                    config_object = self.get(str(Path(entry) / Path(item)))
+                    if isinstance(config_object, ConfigurationEntry):
+                        yield from self._sub(config_object, Path(entry) / Path(item), pattern)
+                except Exception:
+                    log.warning("Could not open configuration item: %s", item)
+                    pass

dissect/target/plugins/os/unix/history.py

@@ -52,7 +52,7 @@ class CommandHistoryPlugin(Plugin):
         for user_details in self.target.user_details.all_with_home():
             for shell, history_relative_path in self.COMMAND_HISTORY_RELATIVE_PATHS:
                 history_path = user_details.home_path.joinpath(history_relative_path)
-                if history_path.exists():
+                if history_path.is_file():
                     history_files.append((shell, history_path, user_details.user))
         return history_files
 

dissect/target/plugins/os/unix/linux/cmdline.py

@@ -29,6 +29,9 @@ class CmdlinePlugin(Plugin):
         Think of this output as the command line that the process wants you to see.
 
         Yields CmdlineRecord with the following fields:
+
+        .. code-block:: text
+
             hostname (string): The target hostname.
             domain (string): The target domain.
             ts (datetime): The starttime of the process.

dissect/target/plugins/os/unix/linux/environ.py

@@ -27,6 +27,9 @@ class EnvironPlugin(Plugin):
         the environ(7) variable directly), this plugin will not reflect those changes.
 
         Yields EnvironmentVariableRecord with the following fields:
+
+        .. code-block:: text
+
             hostname (string): The target hostname.
             domain (string): The target domain.
             ts (datetime): The modification timestamp of the processes' environ file.

dissect/target/plugins/os/unix/linux/processes.py

@@ -29,6 +29,9 @@ class ProcProcesses(Plugin):
         Each ``/proc/[pid]`` subdirectory contains various pseudo-files.
 
         Yields ProcProcessRecord with the following fields:
+
+        .. code-block:: text
+
             hostname (string): The target hostname.
             domain (string): The target domain.
             ts (datetime): The start time of the process.

dissect/target/plugins/os/unix/linux/sockets.py

@@ -78,6 +78,9 @@ class NetSocketPlugin(Plugin):
         """This plugin yields the packet sockets and available stats associated with them.
 
         Yields PacketSocketRecord with the following fields:
+
+        .. code-block:: text
+
             hostname (string): The target hostname.
             domain (string): The target domain.
             protocol (int): The captured protocol i.e. 0003 is ETH_P_ALL
@@ -101,6 +104,9 @@ class NetSocketPlugin(Plugin):
         """This plugin yields the unix sockets and available stats associated with them.
 
         Yields UnixSocketRecord with the following fields:
+
+        .. code-block:: text
+
             hostname (string): The target hostname.
             domain (string): The target domain.
             protocol (string): The protocol used by the socket.
@@ -117,6 +123,9 @@ class NetSocketPlugin(Plugin):
         """This plugin yields the raw and raw6 sockets and available stats associated with them.
 
         Yields NetSocketRecord with the following fields:
+
+        .. code-block:: text
+
             hostname (string): The target hostname.
             domain (string): The target domain.
             protocol (string): The protocol used by the socket.
@@ -140,6 +149,9 @@ class NetSocketPlugin(Plugin):
         """This plugin yields the udp and udp6 sockets and available stats associated with them.
 
         Yields NetSocketRecord with the following fields:
+
+        .. code-block:: text
+
             hostname (string): The target hostname.
             domain (string): The target domain.
             protocol (string): The protocol used by the socket.
@@ -163,6 +175,9 @@ class NetSocketPlugin(Plugin):
         """This plugin yields the tcp and tcp6 sockets and available stats associated with them.
 
         Yields NetSocketRecord with the following fields:
+
+        .. code-block:: text
+
             hostname (string): The target hostname.
             domain (string): The target domain.
             protocol (string): The protocol used by the socket.

dissect/target/plugins/os/unix/locate/gnulocate.py

@@ -26,8 +26,7 @@ GNULocateRecord = TargetRecordDescriptor(
     ],
 )
 
-c_gnulocate = cstruct()
-c_gnulocate.load(gnulocate_def)
+c_gnulocate = cstruct().load(gnulocate_def)
 
 
 class GNULocateFile:

dissect/target/plugins/os/unix/locate/mlocate.py

@@ -20,10 +20,10 @@ struct header_config {
     int32 conf_size;
     int8 version;                            /* file format version */
     int8 require_visibility;
-    int8 pad[2];                             /* 32-bit total alignment */
+    int8 pad0[2];                             /* 32-bit total alignment */
     char root_database;
     char config_block[conf_size];
-    int8 pad;
+    int8 pad1;
 };
 
 enum DBE_TYPE: uint8 {                       /* database entry type */
@@ -68,8 +68,7 @@ MLocateRecord = TargetRecordDescriptor(
     ],
 )
 
-c_mlocate = cstruct(endian=">")
-c_mlocate.load(mlocate_def)
+c_mlocate = cstruct(endian=">").load(mlocate_def)
 
 
 class MLocateFile:

dissect/target/plugins/os/unix/locate/plocate.py

@@ -1,8 +1,7 @@
 from __future__ import annotations
 
 import platform
-from io import BytesIO
-from typing import BinaryIO, Iterable
+from typing import BinaryIO, Iterator
 
 from dissect.cstruct import cstruct
 from dissect.util.stream import RangeStream
@@ -13,7 +12,11 @@ from dissect.target.plugin import export
 from dissect.target.plugins.os.unix.locate.locate import BaseLocatePlugin
 
 try:
-    import zstandard  # noqa
+    from zstandard import (
+        DECOMPRESSION_RECOMMENDED_OUTPUT_SIZE,
+        ZstdCompressionDict,
+        ZstdDecompressor,
+    )
 
     HAS_ZSTD = True
 except ImportError:
@@ -32,7 +35,7 @@ struct header {
     uint64_t filename_index_offset_bytes;
 
     /* Version 1 and up only. */
-    uint32_t max_version;
+    uint32_t max_version;   // Nominally 1 or 2, but can be increased if more features are added in a backward-compatible way.
     uint32_t zstd_dictionary_length_bytes;
     uint64_t zstd_dictionary_offset_bytes;
 
@@ -44,6 +47,7 @@ struct header {
     uint64_t conf_block_length_bytes;
     uint64_t conf_block_offset_bytes;
 
+    // Only if max_version >= 2.
     uint8_t check_visibility;
     char padding[7];                         /* padding for alignment */
 };
@@ -51,7 +55,7 @@ struct header {
 struct file {
     char path[];
 };
-"""
+"""  # noqa : E501
 
 PLocateRecord = TargetRecordDescriptor(
     "linux/locate/plocate",
@@ -61,8 +65,7 @@ PLocateRecord = TargetRecordDescriptor(
     ],
 )
 
-c_plocate = cstruct()
-c_plocate.load(plocate_def)
+c_plocate = cstruct().load(plocate_def)
 
 
 class PLocateFile:
@@ -104,40 +107,46 @@ class PLocateFile:
         self.dict_data = None
 
         if self.header.zstd_dictionary_offset_bytes:
-            self.dict_data = zstandard.ZstdCompressionDict(self.fh.read(self.header.zstd_dictionary_length_bytes))
+            self.dict_data = ZstdCompressionDict(self.fh.read(self.header.zstd_dictionary_length_bytes))
 
         self.compressed_length_bytes = (
             self.header.filename_index_offset_bytes - self.HEADER_SIZE - self.header.zstd_dictionary_length_bytes
         )
-        self.ctx = zstandard.ZstdDecompressor(dict_data=self.dict_data)
+        self.ctx = ZstdDecompressor(dict_data=self.dict_data)
         self.buf = RangeStream(self.fh, self.fh.tell(), self.compressed_length_bytes)
 
-    def __iter__(self) -> Iterable[PLocateFile]:
+    def __iter__(self) -> Iterator[PLocateFile]:
         # NOTE: This is a workaround for a PyPy bug
         # We don't know what breaks, but PyPy + zstandard = unhappy times
         # You just get random garbage data back instead of the decompressed data
         # This weird dance of using a decompressobj and unused data is the only way that seems to work
         # It's more expensive on memory, but at least it doesn't break
         if platform.python_implementation() == "PyPy":
-            obj = self.ctx.decompressobj()
             buf = self.buf.read()
 
-            tmp = obj.decompress(buf)
-            while unused_data := obj.unused_data:
-                obj = self.ctx.decompressobj()
-                tmp += obj.decompress(unused_data)
+            def reader(ctx: ZstdDecompressor) -> Iterator[bytes]:
+                obj = ctx.decompressobj()
 
-            reader = BytesIO(tmp)
+                yield obj.decompress(buf)
+                while unused_data := obj.unused_data:
+                    obj = self.ctx.decompressobj()
+                    yield obj.decompress(unused_data)
+
+            it = reader(self.ctx)
         else:
-            reader = self.ctx.stream_reader(self.buf)
-
-        with reader:
-            try:
-                while True:
-                    file = c_plocate.file(reader)
-                    yield file.path.decode(errors="surrogateescape")
-            except EOFError:
-                return
+            # NOTE: The end of a zstandard frame does not include a final `0x00`.
+            # This causes the c_plocate `file` struct to parse the last path and the first path on the next frame as one
+            # since cstruct will read it across frame boundaries waiting for a `0x00`.
+            def reader() -> Iterator[bytes]:
+                with self.ctx.stream_reader(self.buf) as reader:
+                    while chunk := reader.read(DECOMPRESSION_RECOMMENDED_OUTPUT_SIZE):
+                        yield chunk
+
+            it = reader()
+
+        for chunk in it:
+            for path in chunk.split(b"\x00"):
+                yield path.decode(errors="surrogateescape")
 
     def filename_index(self) -> bytes:
         """Return the filename index of the plocate.db file."""

dissect/target/plugins/os/unix/log/atop.py

@@ -2,7 +2,7 @@ import zlib
 from io import BytesIO
 from typing import BinaryIO, Iterator
 
-from dissect.cstruct import Instance, cstruct
+from dissect.cstruct import cstruct
 
 from dissect.target.exceptions import UnsupportedPluginError
 from dissect.target.helpers.record import TargetRecordDescriptor
@@ -178,8 +178,7 @@ struct tstat {
 };
 """  # noqa: E501
 
-c_atop = cstruct()
-c_atop.load(atop_def)
+c_atop = cstruct().load(atop_def)
 c_atop.load(atop_tstat_def, align=True)
 
 AtopRecord = TargetRecordDescriptor(
@@ -226,7 +225,7 @@ class AtopFile:
         self.header = c_atop.rawheader(self.fh)
         self.version = self.version()
 
-    def __iter__(self) -> Iterator[Instance]:
+    def __iter__(self) -> Iterator[c_atop.tstat]:
         while True:
             try:
                 record = c_atop.rawrecord(self.fh)
@@ -270,6 +269,9 @@ class AtopPlugin(Plugin):
             - https://diablohorn.com/2022/11/17/parsing-atop-files-with-python-dissect-cstruct/
 
         Yields AtopRecord with fields:
+
+        .. code-block:: text
+
             hostname (string): The target hostname.
             process (string): The process name.
             cmdline (string): The command-line of the process.

dissect/target/plugins/os/unix/log/journal.py

@@ -1,8 +1,10 @@
+from __future__ import annotations
+
 import lzma
 from typing import BinaryIO, Callable, Iterator
 
 import zstandard
-from dissect.cstruct import Instance, cstruct
+from dissect.cstruct import cstruct
 from dissect.util import ts
 from dissect.util.compression import lz4
 
@@ -252,8 +254,7 @@ struct EntryArrayObject_Compact {
 };
 """  # noqa: E501
 
-c_journal = cstruct()
-c_journal.load(journal_def)
+c_journal = cstruct().load(journal_def)
 
 
 def get_optional(value: str, to_type: Callable):
@@ -314,7 +315,7 @@ class JournalFile:
 
         return key, value
 
-    def __iter__(self) -> Iterator[Instance]:
+    def __iter__(self) -> Iterator[dict[str, int | str]]:
         "Iterate over the entry objects to read payloads."
 
         for offset in self.entry_object_offsets():

dissect/target/plugins/os/unix/log/lastlog.py

@@ -1,6 +1,6 @@
 from typing import BinaryIO
 
-from dissect import cstruct
+from dissect.cstruct import cstruct
 from dissect.util import ts
 
 from dissect.target.exceptions import FileNotFoundError, UnsupportedPluginError
@@ -36,8 +36,7 @@ struct entry {
 };
 """
 
-c_lastlog = cstruct.cstruct()
-c_lastlog.load(lastlog_def)
+c_lastlog = cstruct().load(lastlog_def)
 
 
 class LastLogFile:

dissect/target/plugins/os/unix/log/utmp.py

@@ -39,14 +39,14 @@ WtmpRecord = TargetRecordDescriptor(
     ],
 )
 
-c_utmp = """
+utmp_def = """
 #define UT_LINESIZE     32
 #define UT_NAMESIZE     32
 #define UT_HOSTSIZE     256
 
 typedef uint32 pid_t;
 
-enum Type : char {
+enum Type : uint8_t {
     EMPTY           = 0x0,
     RUN_LVL         = 0x1,
     BOOT_TIME       = 0x2,
@@ -84,8 +84,7 @@ struct entry {
 };
 """  # noqa: E501
 
-utmp = cstruct()
-utmp.load(c_utmp)
+c_utmp = cstruct().load(utmp_def)
 
 UTMP_ENTRY = namedtuple(
     "UTMPRecord",
@@ -122,11 +121,11 @@ class UtmpFile:
 
         while True:
             try:
-                entry = utmp.entry(byte_stream)
+                entry = c_utmp.entry(byte_stream)
 
                 r_type = ""
-                if entry.ut_type in utmp.Type.reverse:
-                    r_type = utmp.Type.reverse[entry.ut_type]
+                if entry.ut_type in c_utmp.Type:
+                    r_type = c_utmp.Type(entry.ut_type).name
 
                 ut_host = entry.ut_host.decode(errors="surrogateescape").strip("\x00")
                 ut_addr = None

dissect/target/plugins/os/windows/_os.py

@@ -21,7 +21,7 @@ class WindowsPlugin(OSPlugin):
         self.add_mounts()
 
         target.props["sysvol_drive"] = next(
-            (mnt for mnt, fs in target.fs.mounts.items() if fs is target.fs.mounts["sysvol"] and mnt != "sysvol"),
+            (mnt for mnt, fs in target.fs.mounts.items() if fs is target.fs.mounts.get("sysvol") and mnt != "sysvol"),
             None,
         )
 
@@ -78,13 +78,16 @@ class WindowsPlugin(OSPlugin):
             self.target.log.warning("Failed to map drive letters")
             self.target.log.debug("", exc_info=e)
 
+        sysvol_drive = self.target.fs.mounts.get("sysvol")
         # Fallback mount the sysvol to C: if we didn't manage to mount it to any other drive letter
-        if operator.countOf(self.target.fs.mounts.values(), self.target.fs.mounts["sysvol"]) == 1:
+        if sysvol_drive and operator.countOf(self.target.fs.mounts.values(), sysvol_drive) == 1:
             if "c:" not in self.target.fs.mounts:
                 self.target.log.debug("Unable to determine drive letter of sysvol, falling back to C:")
-                self.target.fs.mount("c:", self.target.fs.mounts["sysvol"])
+                self.target.fs.mount("c:", sysvol_drive)
             else:
                 self.target.log.warning("Unknown drive letter for sysvol")
+        else:
+            self.target.log.warning("No sysvol drive found")
 
     @export(property=True)
     def hostname(self) -> Optional[str]:
@@ -244,13 +247,21 @@ class WindowsPlugin(OSPlugin):
         if any(map(lambda value: value is not None, version_parts.values())):
             version = []
 
+            nt_version = _part_str(version_parts, "CurrentVersion")
+            build_version = _part_str(version_parts, "CurrentBuildNumber")
             prodcut_name = _part_str(version_parts, "ProductName")
-            version.append(prodcut_name)
 
-            nt_version = _part_str(version_parts, "CurrentVersion")
+            # CurrentBuildNumber >= 22000 on NT 10.0 indicates Windows 11.
+            # https://learn.microsoft.com/en-us/windows/release-health/windows11-release-information
+            try:
+                if nt_version == "10.0" and int(build_version) >= 22_000:
+                    prodcut_name = prodcut_name.replace("Windows 10", "Windows 11")
+            except ValueError:
+                pass
+
+            version.append(prodcut_name)
             version.append(f"(NT {nt_version})")
 
-            build_version = _part_str(version_parts, "CurrentBuildNumber")
             ubr = version_parts["UBR"]
             if ubr:
                 build_version = f"{build_version}.{ubr}"

dissect/target/plugins/os/windows/activitiescache.py

@@ -77,6 +77,9 @@ class ActivitiesCachePlugin(Plugin):
             - https://salt4n6.com/2018/05/03/windows-10-timeline-forensic-artefacts/
 
         Yields ActivitiesCacheRecords with the following fields:
+
+        .. code-block:: text
+
             hostname (string): The target hostname.
             domain (string): The target domain.
             start_time (datetime): StartTime field.

dissect/target/plugins/os/windows/adpolicy.py

@@ -1,7 +1,7 @@
 from struct import unpack
 
 from defusedxml import ElementTree
-from dissect import cstruct
+from dissect.cstruct import cstruct
 from dissect.regf.c_regf import (
     REG_BINARY,
     REG_DWORD,
@@ -18,14 +18,13 @@ from dissect.target.exceptions import UnsupportedPluginError
 from dissect.target.helpers.record import TargetRecordDescriptor
 from dissect.target.plugin import Plugin, export
 
-c_def = """
+policy_def = """
 struct registry_policy_header {
     uint32   signature;
     uint32   version;
 };
 """
-c_adpolicy = cstruct.cstruct()
-c_adpolicy.load(c_def)
+c_adpolicy = cstruct().load(policy_def)
 
 ADPolicyRecord = TargetRecordDescriptor(
     "windows/adpolicy",

dissect/target/plugins/os/windows/catroot.py

@@ -105,6 +105,9 @@ class CatrootPlugin(Plugin):
             - https://docs.microsoft.com/en-us/windows-hardware/drivers/install/catalog-files
 
         Yields CatrootRecords with the following fields:
+
+        .. code-block:: text
+
             hostname (string): The target hostname.
             domain (string): The target domain.
             digest (digest): The parsed digest.
@@ -210,6 +213,9 @@ class CatrootPlugin(Plugin):
             - https://docs.microsoft.com/en-us/windows-hardware/drivers/install/catalog-files
 
         Yields CatrootRecords with the following fields:
+
+        .. code-block:: text
+
             hostname (string): The target hostname.
             domain (string): The target domain.
             digest (digest): The parsed digest.

dissect/target/plugins/os/windows/credhist.py

@@ -53,8 +53,7 @@ struct entry {
 };
 """
 
-c_credhist = cstruct()
-c_credhist.load(credhist_def)
+c_credhist = cstruct().load(credhist_def)
 
 
 @dataclass

dissect/target/plugins/os/windows/datetime.py

@@ -3,7 +3,7 @@ from collections import namedtuple
 from datetime import datetime, timedelta, timezone, tzinfo
 from typing import Dict, Tuple
 
-from dissect import cstruct
+from dissect.cstruct import cstruct
 
 from dissect.target.exceptions import (
     RegistryError,
@@ -34,8 +34,7 @@ typedef struct _REG_TZI_FORMAT {
     SYSTEMTIME DaylightDate;
 } REG_TZI_FORMAT;
 """
-c_tz = cstruct.cstruct()
-c_tz.load(tz_def)
+c_tz = cstruct().load(tz_def)
 
 
 # Althoug calendar.SUNDAY is only officially documented since Python 3.10, it
@@ -63,7 +62,7 @@ ZERO = timedelta(0)
 HOUR = timedelta(hours=1)
 
 
-def parse_systemtime_transition(systemtime: cstruct.Instance, year: int) -> datetime:
+def parse_systemtime_transition(systemtime: c_tz._SYSTEMTIME, year: int) -> datetime:
     """Return the transition datetime for a given year using the SYSTEMTIME of a STD or DST transition date.
 
     The SYSTEMTIME date of a TZI structure needs to be used to calculate the actual date for a given year.