dissect.target 3.17.dev37__py3-none-any.whl → 3.18__py3-none-any.whl

dissect/target/plugins/os/windows/defender_helpers/defender_records.py

@@ -0,0 +1,191 @@
+from dissect.target.helpers.record import TargetRecordDescriptor
+
+DefenderMPLogProcessImageRecord = TargetRecordDescriptor(
+    "windows/defender/mplog/processimage",
+    [
+        ("datetime", "ts"),
+        ("path", "source_log"),
+        ("string", "process_image_name"),
+        ("varint", "pid"),
+        ("varint", "total_time"),
+        ("varint", "count"),
+        ("varint", "max_time"),
+        ("string", "max_time_file"),
+        ("varint", "estimated_impact"),
+    ],
+)
+
+DefenderMPLogMinFilUSSRecord = TargetRecordDescriptor(
+    "windows/defender/mplog/minfiluss",
+    [
+        ("datetime", "ts"),
+        ("path", "source_log"),
+        ("path", "path"),
+        ("string", "process"),
+        ("string", "status"),
+        ("string", "state"),
+        ("string", "scan_request"),
+        ("string", "file_id"),
+        ("string", "reason"),
+        ("string", "io_status_block_for_new_file"),
+        ("string", "desired_access"),
+        ("string", "file_attributes"),
+        ("string", "scan_attributes"),
+        ("string", "access_state_flags"),
+        ("string", "backing_file_info"),
+    ],
+)
+
+DefenderMPLogMinFilBlockedFileRecord = TargetRecordDescriptor(
+    "windows/defender/mplog/blockedfile",
+    [
+        ("datetime", "ts"),
+        ("path", "source_log"),
+        ("string", "blocked_file"),
+        ("string", "process"),
+        ("string", "status"),
+        ("string", "state"),
+        ("string", "scan_request"),
+        ("string", "file_id"),
+        ("string", "reason"),
+        ("string", "io_status_block_for_new_file"),
+        ("string", "desired_access"),
+        ("string", "file_attributes"),
+        ("string", "scan_attributes"),
+        ("string", "access_state_flags"),
+        ("string", "backing_file_info"),
+    ],
+)
+
+
+DefenderMPLogBMTelemetryRecord = TargetRecordDescriptor(
+    "windows/defender/mplog/bmtelemetry",
+    [
+        ("datetime", "ts"),
+        ("path", "source_log"),
+        ("string", "guid"),
+        ("varint", "signature_id"),
+        ("string", "sigsha"),
+        ("varint", "threat_level"),
+        ("varint", "process_id"),
+        ("varint", "process_creation_time"),
+        ("varint", "session_id"),
+        ("path", "image_path"),
+        ("string", "taint_info"),
+        ("string", "operations"),
+    ],
+)
+
+DefenderMPLogEMSRecord = TargetRecordDescriptor(
+    "windows/defender/mplog/ems",
+    [
+        ("datetime", "ts"),
+        ("path", "source_log"),
+        ("string", "process"),
+        ("varint", "pid"),
+        ("string", "sigseq"),
+        ("varint", "send_memory_scan_report"),
+        ("varint", "source"),
+    ],
+)
+
+DefenderMPLogOriginalFileNameRecord = TargetRecordDescriptor(
+    "windows/defender/mplog/originalfilename",
+    [
+        ("datetime", "ts"),
+        ("path", "source_log"),
+        ("string", "original_file_name"),
+        ("path", "full_path"),
+        ("string", "hr"),
+    ],
+)
+
+DefenderMPLogExclusionRecord = TargetRecordDescriptor(
+    "windows/defender/mplog/exclusion",
+    [
+        ("datetime", "ts"),
+        ("path", "source_log"),
+        ("path", "full_path_with_drive_letter"),
+        ("path", "full_path_with_device_path"),
+    ],
+)
+
+DefenderMPLogLowfiRecord = TargetRecordDescriptor(
+    "windows/defender/mplog/lowfi",
+    [
+        ("datetime", "ts"),
+        ("path", "source_log"),
+        ("command", "lowfi"),
+    ],
+)
+
+DefenderMPLogDetectionAddRecord = TargetRecordDescriptor(
+    "windows/defender/mplog/detectionadd",
+    [
+        ("datetime", "ts"),
+        ("path", "source_log"),
+        ("string", "detection"),
+    ],
+)
+
+
+DefenderMPLogThreatRecord = TargetRecordDescriptor(
+    "windows/defender/mplog/threat",
+    [
+        ("datetime", "ts"),
+        ("path", "source_log"),
+        ("command", "threat"),
+    ],
+)
+
+DefenderMPLogDetectionEventRecord = TargetRecordDescriptor(
+    "windows/defender/mplog/detectionevent",
+    [
+        ("datetime", "ts"),
+        ("path", "source_log"),
+        ("string", "threat_type"),
+        ("command", "command"),
+    ],
+)
+
+DefenderMPLogResourceScanRecord = TargetRecordDescriptor(
+    "windows/defender/mplog/resourcescan",
+    [
+        ("datetime", "ts"),
+        ("path", "source_log"),
+        ("string", "scan_id"),
+        ("varint", "scan_source"),
+        ("datetime", "start_time"),
+        ("datetime", "end_time"),
+        ("string", "resource_schema"),
+        ("path", "resource_path"),
+        ("varint", "result_count"),
+        ("string[]", "threats"),
+        ("path[]", "resources"),
+    ],
+)
+
+DefenderMPLogThreatActionRecord = TargetRecordDescriptor(
+    "windows/defender/mplog/threataction",
+    [
+        ("datetime", "ts"),
+        ("path", "source_log"),
+        ("string[]", "threats"),
+        ("path[]", "resources"),
+        ("string[]", "actions"),
+    ],
+)
+
+DefenderMPLogRTPRecord = TargetRecordDescriptor(
+    "windows/defender/mplog/rtp_log",
+    [
+        ("datetime", "ts"),
+        ("path", "source_log"),
+        ("datetime", "last_perf"),
+        ("datetime", "first_rtp_scan"),
+        ("string", "plugin_states"),
+        ("path[]", "process_exclusions"),
+        ("path[]", "path_exclusions"),
+        ("string[]", "ext_exclusions"),
+    ],
+)

dissect/target/plugins/os/windows/dpapi/blob.py

@@ -36,8 +36,7 @@ struct DPAPIBlob {
 };
 """
 
-c_blob = cstruct()
-c_blob.load(blob_def)
+c_blob = cstruct().load(blob_def)
 
 
 class Blob:

dissect/target/plugins/os/windows/dpapi/master_key.py

@@ -29,7 +29,7 @@ struct DomainKey {
     DWORD   accessCheckLen;
     char    guid[16];
     char    encryptedSecret[secretLen];
-    char    accessCheckLen[accessCheckLen];
+    char    accessCheck[accessCheckLen];
 };
 
 struct CredHist {
@@ -66,8 +66,7 @@ struct MasterKeyFileHeader {
     QWORD   qwDomainKeySize;
 };
 """
-c_master_key = cstruct()
-c_master_key.load(master_key_def)
+c_master_key = cstruct().load(master_key_def)
 
 
 class MasterKey:

dissect/target/plugins/os/windows/lnk.py

@@ -51,6 +51,9 @@ class LnkPlugin(Plugin):
         """Parse all .lnk files in /ProgramData, /Users, and /Windows or from a specified path in record format.
 
         Yields a LnkRecord record with the following fields:
+
+        .. code-block:: text
+
             lnk_path (path): Path of the link (.lnk) file.
             lnk_name (string): Name of the link (.lnk) file.
             lnk_mtime (datetime): Modification time of the link (.lnk) file.

dissect/target/plugins/os/windows/log/etl.py

@@ -122,6 +122,9 @@ class EtlPlugin(Plugin):
 
         Yields dynamically created records based on the fields inside an ETL event.
         At least contains the following fields:
+
+        .. code-block:: text
+
             hostname (string): The target hostname.
             domain (string): The target domain.
             ts (datetime): The TimeCreated_SystemTime field of the event.
@@ -140,6 +143,9 @@ class EtlPlugin(Plugin):
 
         Yields dynamically created records based on the fields inside an ETL event.
         At least contains the following fields:
+
+        .. code-block:: text
+
             hostname (string): The target hostname.
             domain (string): The target domain.
             ts (datetime): The TimeCreated_SystemTime field of the event.
@@ -157,6 +163,9 @@ class EtlPlugin(Plugin):
 
         Yields dynamically created records based on the fields inside an ETL event.
         At least contains the following fields:
+
+        .. code-block:: text
+
             hostname (string): The target hostname.
             domain (string): The target domain.
             ts (datetime): The TimeCreated_SystemTime field of the event.

dissect/target/plugins/os/windows/log/evt.py

@@ -125,6 +125,9 @@ class EvtPlugin(WindowsEventlogsMixin, plugin.Plugin):
 
         Yields dynamically created records based on the fields in the event.
         At least contains the following fields:
+
+        .. code-block:: text
+
             hostname (string): The target hostname.
             domain (string): The target domain.
             ts (datetime): The TimeCreated_SystemTime field of the event.

dissect/target/plugins/os/windows/log/evtx.py

@@ -47,6 +47,9 @@ class EvtxPlugin(WindowsEventlogsMixin, plugin.Plugin):
 
         Yields dynamically created records based on the fields in the event.
         At least contains the following fields:
+
+        .. code-block:: text
+
             hostname (string): The target hostname.
             domain (string): The target domain.
             ts (datetime): The TimeCreated_SystemTime field of the event.

dissect/target/plugins/os/windows/log/pfro.py

@@ -41,6 +41,9 @@ class PfroPlugin(Plugin):
             - https://community.ccleaner.com/topic/49106-pending-file-rename-operations-log/
 
         Yields PfroRecords with fields:
+
+        .. code-block:: text
+
             hostname (string): The target hostname.
             domain (string): The target domain.
             ts (datetime): The parsed timestamp.

dissect/target/plugins/os/windows/log/schedlgu.py

@@ -129,9 +129,12 @@ class SchedLgUPlugin(Plugin):
 
         Adversaries may use malicious ``.job`` files to gain persistence on a system.
 
-        Yield:
+        Yields SchedLgURecord with fields:
+
+        .. code-block:: text
+
             ts (datetime): The timestamp of the event.
-            job (str): The name of the ``.job`` file.
+            job (str): The name of the .job file.
             command (str): The command executed.
             status (str): The status of the event (finished, completed, exited, stopped).
             exit_code (int): The exit code of the event.

dissect/target/plugins/os/windows/notifications.py

@@ -91,8 +91,7 @@ typedef struct {
 } Chunk;                               // size: 0x23810
 """
 
-c_appdb = cstruct(endian="<")
-c_appdb.load(appdb_def)
+c_appdb = cstruct(endian="<").load(appdb_def)
 
 APPDB_MAGIC = b"DNPW"
 NUM_APPDB_CHUNKS = 256

dissect/target/plugins/os/windows/prefetch.py

@@ -1,6 +1,6 @@
 from io import BytesIO
 
-from dissect import cstruct
+from dissect.cstruct import cstruct
 from dissect.util import lzxpress_huffman
 from dissect.util.ts import wintimestamp
 
@@ -33,7 +33,7 @@ GroupedPrefetchRecord = TargetRecordDescriptor(
 )
 
 
-c_prefetch = """
+prefetch_def = """
     struct PREFETCH_HEADER_DETECT {
         char signature[4];
         uint32 size;
@@ -59,14 +59,14 @@ c_prefetch = """
         uint32 volumes_information_offset;
         uint32 number_of_volumes;
         uint32 volumes_information_size;
-        uint32 unknown[2];
+        uint32 unknown0[2];
         uint64 last_run_time;
         uint64 last_run_remains[7];
-        uint64 unknown[2];
+        uint64 unknown1[2];
         uint32 run_count;
-        uint32 unknown;
-        uint32 unknown;
-        char unknown[88];
+        uint32 unknown2;
+        uint32 unknown3;
+        char unknown4[88];
     };
 
     struct FILE_INFORMATION_17 {
@@ -80,9 +80,9 @@ c_prefetch = """
         uint32 number_of_volumes;
         uint32 volumes_information_size;
         uint32 last_run_time;
-        uint32 unknown;
+        uint32 unknown0;
         uint32 run_count;
-        uint32 unknown;
+        uint32 unknown1;
     };
 
     struct FILE_INFORMATION_23 {
@@ -99,9 +99,9 @@ c_prefetch = """
         uint64 last_run_time;
         uint64 last_run_remains[2];
         uint32 run_count;
-        uint32 unknown;
-        uint32 unknown;
-        char unknown[80];
+        uint32 unknown0;
+        uint32 unknown1;
+        char unknown2[80];
     };
 
     struct VOLUME_INFORMATION_17 {
@@ -125,19 +125,19 @@ c_prefetch = """
         uint32 file_reference_size;
         uint32 directory_strings_array_offset;
         uint32 number_of_directory_strings;
-        char unknown[4];
-        char unknown[24];
-        char unknown[4];
-        char unknown[24];
-        char unknown[4];
+        char unknown0[4];
+        char unknown1[24];
+        char unknown2[4];
+        char unknown3[24];
+        char unknown4[4];
     };
 
     struct TRACE_CHAIN_ARRAY_ENTRY_17 {
         uint32 next_array_entry_index;
         uint32 total_block_load_count;
-        uint32 unknown;
-        uint32 unknown;
-        uint32 unknown;
+        uint32 unknown0;
+        uint32 unknown1;
+        uint32 unknown2;
     };
 
     struct FILE_METRICS_ARRAY_ENTRY_17 {
@@ -158,25 +158,24 @@ c_prefetch = """
         uint64 ntfs_reference;
     };
     """
-prefetch = cstruct.cstruct()
-prefetch.load(c_prefetch)
+c_prefetch = cstruct().load(prefetch_def)
 
 prefetch_version_structs = {
-    17: (prefetch.FILE_INFORMATION_17, prefetch.FILE_METRICS_ARRAY_ENTRY_17),
-    23: (prefetch.FILE_INFORMATION_23, prefetch.FILE_METRICS_ARRAY_ENTRY_23),
-    30: (prefetch.FILE_INFORMATION_26, prefetch.FILE_METRICS_ARRAY_ENTRY_23),
+    17: (c_prefetch.FILE_INFORMATION_17, c_prefetch.FILE_METRICS_ARRAY_ENTRY_17),
+    23: (c_prefetch.FILE_INFORMATION_23, c_prefetch.FILE_METRICS_ARRAY_ENTRY_23),
+    30: (c_prefetch.FILE_INFORMATION_26, c_prefetch.FILE_METRICS_ARRAY_ENTRY_23),
 }
 
 
 class Prefetch:
     def __init__(self, fh):
-        header_detect = prefetch.PREFETCH_HEADER_DETECT(fh.read(8))
+        header_detect = c_prefetch.PREFETCH_HEADER_DETECT(fh.read(8))
         if header_detect.signature == b"MAM\x04":
             fh = BytesIO(lzxpress_huffman.decompress(fh))
 
         self.fh = fh
         self.fh.seek(0)
-        self.header = prefetch.PREFETCH_HEADER(self.fh)
+        self.header = c_prefetch.PREFETCH_HEADER(self.fh)
         self.version = self.identify()
         self.volumes = None
         self.metrics = None
@@ -258,6 +257,9 @@ class PrefetchPlugin(Plugin):
             - https://www.geeksforgeeks.org/prefetch-files-in-windows/
 
         Yields PrefetchRecords with fields:
+
+        .. code-block:: text
+
             hostname (string): The target hostname.
             domain (string): The target domain.
             ts (datetime): Run timestamp.
@@ -269,6 +271,9 @@ class PrefetchPlugin(Plugin):
         with --grouped:
 
         Yields PrefetchRecords with fields:
+
+        .. code-block:: text
+
             hostname (string): The target hostname.
             domain (string): The target domain.
             ts (datetime): Run timestamp.

dissect/target/plugins/os/windows/recyclebin.py

@@ -1,6 +1,8 @@
+from __future__ import annotations
+
 from typing import Generator
 
-from dissect import cstruct
+from dissect.cstruct import cstruct
 from dissect.util.ts import wintimestamp
 
 from dissect.target import Target
@@ -21,7 +23,7 @@ RecycleBinRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
     ],
 )
 
-c_recyclebin_i = """
+recyclebin_def = """
 struct header_v1 {
     int64    version;
     int64    file_size;
@@ -37,14 +39,14 @@ struct header_v2 {
 };
 """
 
+c_recyclebin = cstruct().load(recyclebin_def)
+
 
 class RecyclebinPlugin(Plugin):
     """Recyclebin plugin."""
 
     def __init__(self, target: Target) -> None:
         super().__init__(target)
-        self.recyclebin_parser = cstruct.cstruct()
-        self.recyclebin_parser.load(c_recyclebin_i)
 
     def check_compatible(self) -> None:
         for fs_entry in self.target.fs.path("/").iterdir():
@@ -66,6 +68,9 @@ class RecyclebinPlugin(Plugin):
         Return files located in the recycle bin ($Recycle.Bin).
 
         Yields RecycleBinRecords with fields:
+
+        .. code-block:: text
+
           hostname (string): The target hostname
           domain (string): The target domain
           ts (datetime): The time of deletion
@@ -128,11 +133,11 @@ class RecyclebinPlugin(Plugin):
             return "unknown"
         return parent_path.name
 
-    def select_header(self, data: bytes) -> cstruct.Structure:
+    def select_header(self, data: bytes) -> c_recyclebin.header_v1 | c_recyclebin.header_v2:
         """Selects the correct header based on the version field in the header"""
 
-        header_version = self.recyclebin_parser.uint64(data[:8])
+        header_version = c_recyclebin.uint64(data[:8])
         if header_version == 2:
-            return self.recyclebin_parser.header_v2
+            return c_recyclebin.header_v2
         else:
-            return self.recyclebin_parser.header_v1
+            return c_recyclebin.header_v1

dissect/target/plugins/os/windows/regf/appxdebugkeys.py

@@ -86,6 +86,9 @@ class AppxDebugKeysPlugin(Plugin):
             - https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/
 
         Yields AppXDebugKeyRecords with fields:
+
+        .. code-block:: text
+
             hostname (string): The target hostname.
             domain (string): The target domain.
             ts (datetime): The registry key last modified timestamp.

dissect/target/plugins/os/windows/regf/auditpol.py

@@ -1,14 +1,12 @@
 import io
 
-from dissect import cstruct
+from dissect.cstruct import cstruct
 
 from dissect.target.exceptions import UnsupportedPluginError
 from dissect.target.helpers.record import TargetRecordDescriptor
 from dissect.target.plugin import Plugin, export
 
-c_adtev = cstruct.cstruct()
-c_adtev.load(
-    """
+adtev_def = """
 struct header {
     uint16  unk0;
     uint16  unk1;
@@ -18,7 +16,8 @@ struct header {
     uint16  unk3;
 };
 """
-)
+
+c_adtev = cstruct().load(adtev_def)
 
 POLICY_CATEGORIES = [
     "System",

dissect/target/plugins/os/windows/regf/bam.py

@@ -5,13 +5,12 @@ from dissect.target.exceptions import UnsupportedPluginError
 from dissect.target.helpers.record import TargetRecordDescriptor
 from dissect.target.plugin import Plugin, export
 
-c_bamdef = """
+bam_def = """
     struct entry {
         uint64 ts;
     };
     """
-c_bam = cstruct()
-c_bam.load(c_bamdef)
+c_bam = cstruct().load(bam_def)
 
 BamDamRecord = TargetRecordDescriptor(
     "windows/registry/bam",
@@ -41,6 +40,9 @@ class BamDamPlugin(Plugin):
         """Parse bam and dam registry keys.
 
         Yields BamDamRecords with fields:
+
+        .. code-block:: text
+
             hostname (string): The target hostname.
             domain (string): The target domain.
             ts (datetime): The parsed timestamp.

dissect/target/plugins/os/windows/regf/cit.py

@@ -212,8 +212,7 @@ typedef struct _CIT_DP_DATA {
 } CIT_DP_DATA;
 """
 
-c_cit = cstruct()
-c_cit.load(cit_def)
+c_cit = cstruct().load(cit_def)
 
 
 CITSystemRecord = TargetRecordDescriptor(

dissect/target/plugins/os/windows/regf/clsid.py

@@ -55,6 +55,9 @@ class CLSIDPlugin(Plugin):
         HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID.
 
         Yields CLSIDRecords with fields:
+
+        .. code-block:: text
+
             hostname (string): The target hostname.
             domain (string): The target domain.
             ts (datetime): Last modified timestamp of the registry key.

dissect/target/plugins/os/windows/regf/firewall.py

@@ -26,6 +26,9 @@ class FirewallPlugin(Plugin):
         HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules registry key.
 
         Yields dynamic records with usually the following fields:
+
+        .. code-block:: text
+
             hostname (string): The target hostname.
             domain (string): The target domain.
             key (string): The rule key name.

dissect/target/plugins/os/windows/regf/muicache.py

@@ -48,6 +48,9 @@ class MuiCachePlugin(Plugin):
             - https://forensafe.com/blogs/muicache.html
 
         Yields MuiCacheRecords with fields:
+
+        .. code-block:: text
+
             hostname (string): The target hostname.
             domain (string): The target domain.
             index (varint): The index of the entry.

dissect/target/plugins/os/windows/regf/recentfilecache.py

@@ -1,10 +1,10 @@
-from dissect import cstruct
+from dissect.cstruct import cstruct
 
 from dissect.target.exceptions import UnsupportedPluginError
 from dissect.target.helpers.record import TargetRecordDescriptor
 from dissect.target.plugin import Plugin, export
 
-c_recent_files_def = """
+recent_files_def = """
     struct header {
         uint32  magic;
         uint32  unk0;
@@ -18,8 +18,7 @@ c_recent_files_def = """
         wchar   path[length + 1];
     };
     """
-c_recent_files = cstruct.cstruct()
-c_recent_files.load(c_recent_files_def)
+c_recent_files = cstruct().load(recent_files_def)
 
 RecentFileCacheRecord = TargetRecordDescriptor(
     "windows/recentfilecache",
@@ -45,6 +44,9 @@ class RecentFileCachePlugin(Plugin):
         """Parse RecentFileCache.bcf.
 
         Yields RecentFileCacheRecords with fields:
+
+        .. code-block:: text
+
             hostname (string): The target hostname.
             domain (string): The target domain.
             path (uri): The parsed path.