dissect.target 3.18.dev15__py3-none-any.whl → 3.19__py3-none-any.whl

dissect/target/helpers/configutil.py

@@ -171,7 +171,7 @@ class ConfigurationParser:
         try:
             self.parse_file(fh)
         except Exception as e:
-            raise ConfigurationParsingError(*e.args) from e
+            raise ConfigurationParsingError(e.args) from e
 
         if self.collapse_all or self.collapse:
             self.parsed_data = self._collapse_dict(self.parsed_data)
@@ -240,6 +240,33 @@ class Default(ConfigurationParser):
         self.parsed_data = information_dict
 
 
+class CSVish(Default):
+    """Parses CSV-ish config files (does not confirm to CSV standard!)"""
+
+    def __init__(self, *args, fields: tuple[str], **kwargs) -> None:
+        self.fields = fields
+        self.num_fields = len(self.fields)
+        self.maxsplit = self.num_fields - 1
+        super().__init__(*args, **kwargs)
+
+    def parse_file(self, fh: TextIO) -> None:
+        information_dict = {}
+
+        for i, raw_line in enumerate(self.line_reader(fh, strip_comments=True)):
+            line = raw_line.strip()
+            columns = re.split(self.SEPARATOR, line, maxsplit=self.maxsplit)
+
+            if len(columns) < self.num_fields:
+                # keep unparsed lines separate (often env vars)
+                data = {"line": line}
+            else:
+                data = dict(zip(self.fields, columns))
+
+            information_dict[str(i)] = data
+
+        self.parsed_data = information_dict
+
+
 class Ini(ConfigurationParser):
     """Parses an ini file according using the built-in python ConfigParser"""
 
@@ -688,11 +715,12 @@ class ParserConfig:
     collapse_inverse: Optional[bool] = None
     separator: Optional[tuple[str]] = None
     comment_prefixes: Optional[tuple[str]] = None
+    fields: Optional[tuple[str]] = None
 
     def create_parser(self, options: Optional[ParserOptions] = None) -> ConfigurationParser:
         kwargs = {}
 
-        for field_name in ["collapse", "collapse_inverse", "separator", "comment_prefixes"]:
+        for field_name in ["collapse", "collapse_inverse", "separator", "comment_prefixes", "fields"]:
             value = getattr(options, field_name, None) or getattr(self, field_name)
             if value:
                 kwargs.update({field_name: value})
@@ -721,6 +749,7 @@ CONFIG_MAP: dict[tuple[str, ...], ParserConfig] = {
     "toml": ParserConfig(Toml),
 }
 
+
 KNOWN_FILES: dict[str, type[ConfigurationParser]] = {
     "ulogd.conf": ParserConfig(Ini),
     "sshd_config": ParserConfig(Indentation, separator=(r"\s",)),
@@ -730,6 +759,41 @@ KNOWN_FILES: dict[str, type[ConfigurationParser]] = {
     "nsswitch.conf": ParserConfig(Default, separator=(":",)),
     "lsb-release": ParserConfig(Default),
     "catalog": ParserConfig(Xml),
+    "fstab": ParserConfig(
+        CSVish,
+        separator=(r"\s",),
+        comment_prefixes=("#",),
+        fields=("device", "mount", "type", "options", "dump", "pass"),
+    ),
+    "crontab": ParserConfig(
+        CSVish,
+        separator=(r"\s",),
+        comment_prefixes=("#",),
+        fields=("minute", "hour", "day", "month", "weekday", "user", "command"),
+    ),
+    "shadow": ParserConfig(
+        CSVish,
+        separator=(r"\:",),
+        comment_prefixes=("#",),
+        fields=(
+            "username",
+            "password",
+            "lastchange",
+            "minpassage",
+            "maxpassage",
+            "warning",
+            "inactive",
+            "expire",
+            "rest",
+        ),
+    ),
+    "passwd": ParserConfig(
+        CSVish,
+        separator=(r"\:",),
+        comment_prefixes=("#",),
+        fields=("username", "password", "uid", "gid", "gecos", "homedir", "shell"),
+    ),
+    "mime.types": ParserConfig(CSVish, separator=(r"\s+",), comment_prefixes=("#",), fields=("name", "extensions")),
 }
 
 
@@ -748,13 +812,13 @@ def parse(path: Union[FilesystemEntry, TargetPath], hint: Optional[str] = None,
         FileNotFoundError: If the ``path`` is not a file.
     """
 
-    if not path.is_file(follow_symlinks=True):
-        raise FileNotFoundError(f"Could not parse {path} as a dictionary.")
-
     entry = path
     if isinstance(path, TargetPath):
         entry = path.get()
 
+    if not entry.is_file(follow_symlinks=True):
+        raise FileNotFoundError(f"Could not parse {path} as a dictionary.")
+
     options = ParserOptions(*args, **kwargs)
 
     return parse_config(entry, hint, options)

dissect/target/helpers/cyber.py

@@ -137,7 +137,7 @@ def nms(buf: str, color: Optional[Color] = None, mask_space: bool = False, mask_
 
                 if (
                     ("\n" in char or "\r\n" in char)
-                    or (not mask_space and char == " " and not is_indent and not mask_indent)
+                    or (not mask_space and char == " " and not is_indent)
                     or (not mask_indent and is_indent)
                 ):
                     if "\n" in char:
@@ -189,7 +189,7 @@ def nms(buf: str, color: Optional[Color] = None, mask_space: bool = False, mask_
 
                     if (
                         ("\n" in char or "\r\n" in char)
-                        or (not mask_space and char == " " and not is_indent and not mask_indent)
+                        or (not mask_space and char == " " and not is_indent)
                         or (not mask_indent and is_indent)
                     ):
                         if "\n" in char:
@@ -268,6 +268,8 @@ def matrix(buf: str, color: Optional[Color] = None, **kwargs) -> None:
 
             if cur_ansi:
                 char = cur_ansi + char + "\033[0m"
+                if end_ansi:
+                    cur_ansi = ""
 
             if "\n" in char or "\r\n" in char:
                 char = " " + char

dissect/target/helpers/fsutil.py

@@ -96,6 +96,7 @@ __all__ = [
     "TargetPath",
     "walk_ext",
     "walk",
+    "recurse",
 ]
 
 
@@ -144,6 +145,7 @@ class stat_result:  # noqa
         "st_file_attributes": "Windows file attribute bits",
         "st_fstype": "Type of filesystem",
         "st_reparse_tag": "Windows reparse tag",
+        "st_birthtime_ns": "time of creation in nanoseconds",
         # Internal fields
         "_s": "internal tuple",
     }
@@ -193,6 +195,7 @@ class stat_result:  # noqa
         self.st_file_attributes = s[22]
         self.st_fstype = s[23]
         self.st_reparse_tag = s[24]
+        self.st_birthtime_ns = s[25]
 
         # stat_result behaves like a tuple, but only with the first 10 fields
         # Note that this means it specifically uses the integer variants of the timestamps
@@ -289,6 +292,20 @@ def walk_ext(path_entry, topdown=True, onerror=None, followlinks=False):
         yield [path_entry], dirs, files
 
 
+def recurse(path_entry: filesystem.FilesystemEntry) -> Iterator[filesystem.FilesystemEntry]:
+    """Recursively walk the given :class:`FilesystemEntry`, yields :class:`FilesystemEntry` instances."""
+    yield path_entry
+
+    if not path_entry.is_dir():
+        return
+
+    for child_entry in path_entry.scandir():
+        if child_entry.is_dir() and not child_entry.is_symlink():
+            yield from recurse(child_entry)
+        else:
+            yield child_entry
+
+
 def glob_split(pattern: str, alt_separator: str = "") -> tuple[str, str]:
     """Split a pattern on path part boundaries on the first path part with a glob pattern.
 
@@ -423,15 +440,20 @@ def has_glob_magic(s) -> bool:
 
 
 def resolve_link(
-    fs: filesystem.Filesystem, entry: filesystem.FilesystemEntry, previous_links: set[str] = None
+    fs: filesystem.Filesystem,
+    link: str,
+    path: str,
+    *,
+    alt_separator: str = "",
+    previous_links: set[str] | None = None,
 ) -> filesystem.FilesystemEntry:
     """Resolves a symlink to its actual path.
 
     It stops resolving once it detects an infinite recursion loop.
     """
 
-    link = normalize(entry.readlink(), alt_separator=entry.fs.alt_separator)
-    path = normalize(entry.path, alt_separator=entry.fs.alt_separator)
+    link = normalize(link, alt_separator=alt_separator)
+    path = normalize(path, alt_separator=alt_separator)
 
     # Create hash for entry based on path and link
     link_id = f"{path}{link}"
@@ -454,7 +476,13 @@ def resolve_link(
     entry = fs.get(link)
 
     if entry.is_symlink():
-        entry = resolve_link(fs, entry, previous_links)
+        entry = resolve_link(
+            fs,
+            entry.readlink(),
+            link,
+            alt_separator=entry.fs.alt_separator,
+            previous_links=previous_links,
+        )
 
     return entry
 

dissect/target/helpers/loaderutil.py

@@ -5,7 +5,7 @@ import re
 import urllib
 from os import PathLike
 from pathlib import Path
-from typing import TYPE_CHECKING, BinaryIO, Optional, Union
+from typing import TYPE_CHECKING, BinaryIO
 
 from dissect.target.exceptions import FileNotFoundError
 from dissect.target.filesystem import Filesystem
@@ -42,12 +42,31 @@ def add_virtual_ntfs_filesystem(
     fh_sds = _try_open(fs, sds_path)
 
     if any([fh_boot, fh_mft]):
-        ntfs = NtfsFilesystem(boot=fh_boot, mft=fh_mft, usnjrnl=fh_usnjrnl, sds=fh_sds)
-        target.filesystems.add(ntfs)
-        fs.ntfs = ntfs.ntfs
+        ntfs = None
 
-
-def _try_open(fs: Filesystem, path: str) -> BinaryIO:
+        try:
+            ntfs = NtfsFilesystem(boot=fh_boot, mft=fh_mft, usnjrnl=fh_usnjrnl, sds=fh_sds)
+        except Exception as e:
+            if fh_boot:
+                log.warning("Failed to load NTFS filesystem from %s, retrying without $Boot file", fs)
+                log.debug("", exc_info=e)
+
+                try:
+                    # Try once more without the $Boot file
+                    ntfs = NtfsFilesystem(mft=fh_mft, usnjrnl=fh_usnjrnl, sds=fh_sds)
+                except Exception:
+                    log.warning("Failed to load NTFS filesystem from %s without $Boot file, skipping", fs)
+                    return
+
+        # Only add it if we have a valid NTFS with an MFT
+        if ntfs and ntfs.ntfs.mft:
+            target.filesystems.add(ntfs)
+            fs.ntfs = ntfs.ntfs
+        else:
+            log.warning("Opened NTFS filesystem from %s but could not find $MFT, skipping", fs)
+
+
+def _try_open(fs: Filesystem, path: str) -> BinaryIO | None:
     paths = [path] if not isinstance(path, list) else path
 
     for path in paths:
@@ -61,7 +80,7 @@ def _try_open(fs: Filesystem, path: str) -> BinaryIO:
             pass
 
 
-def extract_path_info(path: Union[str, Path]) -> tuple[Path, Optional[urllib.parse.ParseResult]]:
+def extract_path_info(path: str | Path) -> tuple[Path, urllib.parse.ParseResult | None]:
     """
     Extracts a ParseResult from a path if it has
     a scheme and adjusts the path if necessary.

dissect/target/helpers/network_managers.py

@@ -7,12 +7,14 @@ from configparser import ConfigParser, MissingSectionHeaderError
 from io import StringIO
 from itertools import chain
 from re import compile, sub
-from typing import Any, Callable, Iterable, Match, Optional
+from typing import Any, Callable, Iterable, Iterator, Match, Optional
 
 from defusedxml import ElementTree
 
 from dissect.target.exceptions import PluginError
 from dissect.target.helpers.fsutil import TargetPath
+from dissect.target.plugins.os.unix.log.journal import JournalRecord
+from dissect.target.plugins.os.unix.log.messages import MessagesRecord
 from dissect.target.target import Target
 
 log = logging.getLogger(__name__)
@@ -509,14 +511,15 @@ class LinuxNetworkManager:
         return values
 
 
-def parse_unix_dhcp_log_messages(target) -> list[str]:
+def parse_unix_dhcp_log_messages(target: Target, iter_all: bool = False) -> set[str]:
     """Parse local syslog, journal and cloud init-log files for DHCP lease IPs.
 
     Args:
         target: Target to discover and obtain network information from.
+        iter_all: Parse limited amount of journal messages (first 10000) or all of them.
 
     Returns:
-        List of DHCP ip addresses.
+        A set of found DHCP IP addresses.
     """
     ips = set()
     messages = set()
@@ -530,9 +533,19 @@ def parse_unix_dhcp_log_messages(target) -> list[str]:
     if not messages:
         target.log.warning(f"Could not search for DHCP leases using {log_func}: No log entries found.")
 
-    for record in messages:
+    def records_enumerate(iterable: Iterable) -> Iterator[tuple[int, JournalRecord | MessagesRecord]]:
+        count = 0
+        for rec in iterable:
+            if rec._desc.name == "linux/log/journal":
+                count += 1
+            yield count, rec
+
+    for count, record in records_enumerate(messages):
         line = record.message
 
+        if not line:
+            continue
+
         # Ubuntu cloud-init
         if "Received dhcp lease on" in line:
             interface, ip, netmask = re.search(r"Received dhcp lease on (\w{0,}) for (\S+)\/(\S+)", line).groups()
@@ -576,9 +589,11 @@ def parse_unix_dhcp_log_messages(target) -> list[str]:
             ips.add(ip)
             continue
 
-        # Journals and syslogs can be large and slow to iterate,
-        # so we stop if we have some results and have reached the journal plugin.
-        if len(ips) >= 2 and record._desc.name == "linux/log/journal":
+        # The journal parser is relatively slow, so we stop when we have read 10000 journal entries,
+        # or if we have found at least one ip address. When `iter_all` is `True` we continue searching.
+        if not iter_all and (ips or count > 10_000):
+            if not ips:
+                target.log.warning("No DHCP IP addresses found in first 10000 journal entries.")
             break
 
     return ips

dissect/target/helpers/record.py

@@ -142,3 +142,40 @@ EmptyRecord = RecordDescriptor(
     "empty",
     [],
 )
+
+COMMON_INTERFACE_ELEMENTS = [
+    ("string", "name"),
+    ("string", "type"),
+    ("boolean", "enabled"),
+    ("string", "mac"),
+    ("net.ipaddress[]", "dns"),
+    ("net.ipaddress[]", "ip"),
+    ("net.ipaddress[]", "gateway"),
+    ("string", "source"),
+]
+
+
+UnixInterfaceRecord = TargetRecordDescriptor(
+    "unix/network/interface",
+    COMMON_INTERFACE_ELEMENTS,
+)
+
+WindowsInterfaceRecord = TargetRecordDescriptor(
+    "windows/network/interface",
+    [
+        *COMMON_INTERFACE_ELEMENTS,
+        ("varint", "vlan"),
+        ("string", "metric"),
+        ("datetime", "last_connected"),
+    ],
+)
+
+MacInterfaceRecord = TargetRecordDescriptor(
+    "macos/network/interface",
+    [
+        *COMMON_INTERFACE_ELEMENTS,
+        ("varint", "vlan"),
+        ("string", "proxy"),
+        ("varint", "interface_service_order"),
+    ],
+)

dissect/target/helpers/record_modifier.py

@@ -4,7 +4,7 @@ from typing import Callable, Iterable, Iterator
 from flow.record import GroupedRecord, Record, RecordDescriptor, fieldtypes
 
 from dissect.target import Target
-from dissect.target.exceptions import FilesystemError
+from dissect.target.exceptions import FileNotFoundError, FilesystemError
 from dissect.target.helpers.fsutil import TargetPath
 from dissect.target.helpers.hashutil import common
 from dissect.target.helpers.utils import StrEnum
@@ -44,7 +44,20 @@ def _resolve_path_records(field_name: str, resolved_path: TargetPath) -> Record:
 
 
 def _hash_path_records(field_name: str, resolved_path: TargetPath) -> Record:
-    """Hash files from path fields inside the record."""
+    """Hash files from path fields inside the record.
+
+    Args:
+        field_name: Name of the field.
+        resolved_path: Path to the file we should hash.
+
+    Raises:
+        FileNotFoundError: Raised if the provided ``resolved_path`` does not exist or is not a file on the target.
+
+    Returns: Modified record with digests of path field types.
+    """
+
+    if not resolved_path.exists() or not resolved_path.is_file():
+        raise FileNotFoundError(f"Path not found or is not a file: '{resolved_path}'")
 
     with resolved_path.open() as fh:
         path_hash = common(fh)
@@ -81,8 +94,14 @@ def modify_record(target: Target, record: Record, modifier_function: ModifierFun
     for field_name, resolved_path in _resolve_path_types(target, record):
         try:
             _record = modifier_function(field_name, resolved_path)
-        except FilesystemError:
-            pass
+        except FilesystemError as e:
+            target.log.warning(
+                "Unable to modify record '%s' with function '%s': %s",
+                record._desc.name,
+                modifier_function.__name__,
+                e,
+            )
+            target.log.debug("", exc_info=e)
         else:
             additional_records.append(_record)