PyPI - dissect.target - Versions diffs - 3.18.dev16__py3-none-any.whl → 3.19__py3-none-any.whl - Mend

dissect.target 3.18.dev16py3-none-any.whl → 3.19py3-none-any.whl

Files changed (94) hide show

dissect/target/filesystem.py +44 -25
dissect/target/filesystems/config.py +32 -21
dissect/target/filesystems/extfs.py +4 -0
dissect/target/filesystems/itunes.py +1 -1
dissect/target/filesystems/tar.py +1 -1
dissect/target/filesystems/zip.py +81 -46
dissect/target/helpers/config.py +22 -7
dissect/target/helpers/configutil.py +69 -5
dissect/target/helpers/cyber.py +4 -2
dissect/target/helpers/fsutil.py +32 -4
dissect/target/helpers/loaderutil.py +26 -7
dissect/target/helpers/network_managers.py +22 -7
dissect/target/helpers/record.py +37 -0
dissect/target/helpers/record_modifier.py +23 -4
dissect/target/helpers/shell_application_ids.py +732 -0
dissect/target/helpers/utils.py +11 -0
dissect/target/loader.py +1 -0
dissect/target/loaders/ab.py +285 -0
dissect/target/loaders/libvirt.py +40 -0
dissect/target/loaders/mqtt.py +14 -1
dissect/target/loaders/tar.py +8 -4
dissect/target/loaders/utm.py +3 -0
dissect/target/loaders/velociraptor.py +6 -6
dissect/target/plugin.py +60 -3
dissect/target/plugins/apps/browser/chrome.py +1 -0
dissect/target/plugins/apps/browser/chromium.py +7 -5
dissect/target/plugins/apps/browser/edge.py +1 -0
dissect/target/plugins/apps/browser/firefox.py +82 -36
dissect/target/plugins/apps/remoteaccess/anydesk.py +70 -50
dissect/target/plugins/apps/remoteaccess/remoteaccess.py +8 -8
dissect/target/plugins/apps/remoteaccess/teamviewer.py +46 -31
dissect/target/plugins/apps/ssh/openssh.py +1 -1
dissect/target/plugins/apps/ssh/ssh.py +177 -0
dissect/target/plugins/apps/texteditor/__init__.py +0 -0
dissect/target/plugins/apps/texteditor/texteditor.py +13 -0
dissect/target/plugins/apps/texteditor/windowsnotepad.py +340 -0
dissect/target/plugins/child/qemu.py +21 -0
dissect/target/plugins/filesystem/ntfs/mft.py +132 -45
dissect/target/plugins/filesystem/unix/capability.py +102 -87
dissect/target/plugins/filesystem/walkfs.py +32 -21
dissect/target/plugins/filesystem/yara.py +144 -23
dissect/target/plugins/general/network.py +82 -0
dissect/target/plugins/general/users.py +14 -10
dissect/target/plugins/os/unix/_os.py +19 -5
dissect/target/plugins/os/unix/bsd/freebsd/_os.py +3 -5
dissect/target/plugins/os/unix/esxi/_os.py +29 -23
dissect/target/plugins/os/unix/etc/etc.py +5 -8
dissect/target/plugins/os/unix/history.py +3 -7
dissect/target/plugins/os/unix/linux/_os.py +15 -14
dissect/target/plugins/os/unix/linux/android/_os.py +15 -24
dissect/target/plugins/os/unix/linux/redhat/_os.py +1 -1
dissect/target/plugins/os/unix/locale.py +17 -6
dissect/target/plugins/os/unix/shadow.py +47 -31
dissect/target/plugins/os/windows/_os.py +4 -4
dissect/target/plugins/os/windows/adpolicy.py +4 -1
dissect/target/plugins/os/windows/catroot.py +1 -11
dissect/target/plugins/os/windows/credential/__init__.py +0 -0
dissect/target/plugins/os/windows/credential/lsa.py +174 -0
dissect/target/plugins/os/windows/{sam.py → credential/sam.py} +5 -2
dissect/target/plugins/os/windows/defender.py +6 -3
dissect/target/plugins/os/windows/dpapi/blob.py +3 -0
dissect/target/plugins/os/windows/dpapi/crypto.py +61 -23
dissect/target/plugins/os/windows/dpapi/dpapi.py +127 -133
dissect/target/plugins/os/windows/dpapi/keyprovider/__init__.py +0 -0
dissect/target/plugins/os/windows/dpapi/keyprovider/credhist.py +21 -0
dissect/target/plugins/os/windows/dpapi/keyprovider/empty.py +17 -0
dissect/target/plugins/os/windows/dpapi/keyprovider/keychain.py +20 -0
dissect/target/plugins/os/windows/dpapi/keyprovider/keyprovider.py +8 -0
dissect/target/plugins/os/windows/dpapi/keyprovider/lsa.py +38 -0
dissect/target/plugins/os/windows/dpapi/master_key.py +3 -0
dissect/target/plugins/os/windows/jumplist.py +292 -0
dissect/target/plugins/os/windows/lnk.py +96 -93
dissect/target/plugins/os/windows/regf/shimcache.py +2 -2
dissect/target/plugins/os/windows/regf/usb.py +179 -114
dissect/target/plugins/os/windows/task_helpers/tasks_xml.py +1 -1
dissect/target/plugins/os/windows/wua_history.py +1073 -0
dissect/target/target.py +4 -3
dissect/target/tools/fs.py +53 -15
dissect/target/tools/fsutils.py +243 -0
dissect/target/tools/info.py +11 -4
dissect/target/tools/query.py +2 -2
dissect/target/tools/shell.py +505 -333
dissect/target/tools/utils.py +23 -2
dissect/target/tools/yara.py +65 -0
dissect/target/volumes/md.py +2 -2
{dissect.target-3.18.dev16.dist-info → dissect.target-3.19.dist-info}/METADATA +11 -7
{dissect.target-3.18.dev16.dist-info → dissect.target-3.19.dist-info}/RECORD +93 -74
{dissect.target-3.18.dev16.dist-info → dissect.target-3.19.dist-info}/WHEEL +1 -1
{dissect.target-3.18.dev16.dist-info → dissect.target-3.19.dist-info}/entry_points.txt +1 -0
dissect/target/helpers/ssh.py +0 -177
/dissect/target/plugins/os/windows/{credhist.py → credential/credhist.py} +0 -0
{dissect.target-3.18.dev16.dist-info → dissect.target-3.19.dist-info}/COPYRIGHT +0 -0
{dissect.target-3.18.dev16.dist-info → dissect.target-3.19.dist-info}/LICENSE +0 -0
{dissect.target-3.18.dev16.dist-info → dissect.target-3.19.dist-info}/top_level.txt +0 -0

dissect/target/helpers/ssh.py DELETED Viewed

@@ -1,177 +0,0 @@
-import base64
-import binascii
-from dissect.cstruct import cstruct
-rfc4716_def = """
-struct ssh_string {
-    uint32 length;
-    char value[length];
-}
-struct ssh_private_key {
-    char magic[15];
-    ssh_string cipher;
-    ssh_string kdf_name;
-    ssh_string kdf_options;
-    uint32 number_of_keys;
-    ssh_string public;
-    ssh_string private;
-}
-"""
-c_rfc4716 = cstruct(endian=">").load(rfc4716_def)
-RFC4716_MARKER_START = b"-----BEGIN OPENSSH PRIVATE KEY-----"
-RFC4716_MARKER_END = b"-----END OPENSSH PRIVATE KEY-----"
-RFC4716_MAGIC = b"openssh-key-v1\x00"
-RFC4716_PADDING = b"\x01\x02\x03\x04\x05\x06\x07"
-RFC4716_NONE = b"none"
-PKCS8_MARKER_START = b"-----BEGIN PRIVATE KEY-----"
-PKCS8_MARKER_END = b"-----END PRIVATE KEY-----"
-PKCS8_MARKER_START_ENCRYPTED = b"-----BEGIN ENCRYPTED PRIVATE KEY-----"
-PKCS8_MARKER_END_ENCRYPTED = b"-----END ENCRYPTED PRIVATE KEY-----"
-PEM_MARKER_START_RSA = b"-----BEGIN RSA PRIVATE KEY-----"
-PEM_MARKER_END_RSA = b"-----END RSA PRIVATE KEY-----"
-PEM_MARKER_START_DSA = b"-----BEGIN DSA PRIVATE KEY-----"
-PEM_MARKER_END_DSA = b"-----END DSA PRIVATE KEY-----"
-PEM_MARKER_START_EC = b"-----BEGIN EC PRIVATE KEY-----"
-PEM_MARKER_END_EC = b"-----END EC PRIVATE KEY-----"
-PEM_ENCRYPTED = b"ENCRYPTED"
-class SSHPrivateKey:
-    """A class to parse (OpenSSH-supported) SSH private keys.
-    OpenSSH supports three types of keys:
-    * RFC4716 (default)
-    * PKCS8
-    * PEM
-    """
-    def __init__(self, data: bytes):
-        self.key_type = None
-        self.public_key = None
-        self.comment = ""
-        if is_rfc4716(data):
-            self.format = "RFC4716"
-            self._parse_rfc4716(data)
-        elif is_pkcs8(data):
-            self.format = "PKCS8"
-            self.is_encrypted = data.startswith(PKCS8_MARKER_START_ENCRYPTED)
-        elif is_pem(data):
-            self.format = "PEM"
-            self._parse_pem(data)
-        else:
-            raise ValueError("Unsupported private key format")
-    def _parse_rfc4716(self, data: bytes) -> None:
-        """Parse OpenSSH format SSH private keys.
-        The format:
-        "openssh-key-v1"0x00    # NULL-terminated "Auth Magic" string
-        32-bit length, "none"   # ciphername length and string
-        32-bit length, "none"   # kdfname length and string
-        32-bit length, nil      # kdf (0 length, no kdf)
-        32-bit 0x01             # number of keys, hard-coded to 1 (no length)
-        32-bit length, sshpub   # public key in ssh format
-            32-bit length, keytype
-            32-bit length, pub0
-            32-bit length, pub1
-        32-bit length for rnd+prv+comment+pad
-            64-bit dummy checksum?  # a random 32-bit int, repeated
-            32-bit length, keytype  # the private key (including public)
-            32-bit length, pub0     # Public Key parts
-            32-bit length, pub1
-            32-bit length, prv0     # Private Key parts
-            ...                     # (number varies by type)
-            32-bit length, comment  # comment string
-            padding bytes 0x010203  # pad to blocksize (see notes below)
-        Source: https://coolaj86.com/articles/the-openssh-private-key-format/
-        """
-        key_data = decode_rfc4716(data)
-        private_key = c_rfc4716.ssh_private_key(key_data)
-        # RFC4716 only supports 1 key at the moment.
-        if private_key.magic != RFC4716_MAGIC or private_key.number_of_keys != 1:
-            raise ValueError("Unexpected number of keys for RFC4716 format private key")
-        self.is_encrypted = private_key.cipher.value != RFC4716_NONE
-        self.public_key = base64.b64encode(private_key.public.value)
-        public_key_type = c_rfc4716.ssh_string(private_key.public.value)
-        self.key_type = public_key_type.value
-        if not self.is_encrypted:
-            private_key_data = private_key.private.value.rstrip(RFC4716_PADDING)
-            # We skip the two dummy uint32s at the start.
-            private_key_index = 8
-            private_key_type = c_rfc4716.ssh_string(private_key_data[private_key_index:])
-            private_key_index += 4 + private_key_type.length
-            self.key_type = private_key_type.value
-            private_key_fields = []
-            while private_key_index < len(private_key_data):
-                field = c_rfc4716.ssh_string(private_key_data[private_key_index:])
-                private_key_index += 4 + field.length
-                private_key_fields.append(field)
-            # There is always a comment present (with a length field of 0 for empty comments).
-            self.comment = private_key_fields[-1].value
-    def _parse_pem(self, data: bytes) -> None:
-        """Detect key type and encryption of PEM keys."""
-        self.is_encrypted = PEM_ENCRYPTED in data
-        if data.startswith(PEM_MARKER_START_RSA):
-            self.key_type = "ssh-rsa"
-        elif data.startswith(PEM_MARKER_START_DSA):
-            self.key_type = "ssh-dss"
-        # This is not a valid SSH key type, but we currently do not detect the specific ecdsa variant.
-        else:
-            self.key_type = "ecdsa"
-def is_rfc4716(data: bytes) -> bool:
-    """Validate data is a valid looking SSH private key in the OpenSSH format."""
-    return data.startswith(RFC4716_MARKER_START) and data.endswith(RFC4716_MARKER_END)
-def decode_rfc4716(data: bytes) -> bytes:
-    """Base64 decode the private key data."""
-    encoded_key_data = data.removeprefix(RFC4716_MARKER_START).removesuffix(RFC4716_MARKER_END)
-    try:
-        return base64.b64decode(encoded_key_data)
-    except binascii.Error:
-        raise ValueError("Error decoding RFC4716 key data")
-def is_pkcs8(data: bytes) -> bool:
-    """Validate data is a valid looking PKCS8 SSH private key."""
-    return (data.startswith(PKCS8_MARKER_START) and data.endswith(PKCS8_MARKER_END)) or (
-        data.startswith(PKCS8_MARKER_START_ENCRYPTED) and data.endswith(PKCS8_MARKER_END_ENCRYPTED)
-    )
-def is_pem(data: bytes) -> bool:
-    """Validate data is a valid looking PEM SSH private key."""
-    return (
-        (data.startswith(PEM_MARKER_START_RSA) and data.endswith(PEM_MARKER_END_RSA))
-        or (data.startswith(PEM_MARKER_START_DSA) and data.endswith(PEM_MARKER_END_DSA))
-        or (data.startswith(PEM_MARKER_START_EC) and data.endswith(PEM_MARKER_END_EC))
-    )

/dissect/target/plugins/os/windows/{credhist.py → credential/credhist.py} RENAMED Viewed

File without changes

{dissect.target-3.18.dev16.dist-info → dissect.target-3.19.dist-info}/COPYRIGHT RENAMED Viewed

File without changes

{dissect.target-3.18.dev16.dist-info → dissect.target-3.19.dist-info}/LICENSE RENAMED Viewed

File without changes

{dissect.target-3.18.dev16.dist-info → dissect.target-3.19.dist-info}/top_level.txt RENAMED Viewed

File without changes

dissect.target 3.18.dev16__py3-none-any.whl → 3.19__py3-none-any.whl

dissect.target 3.18.dev16py3-none-any.whl → 3.19py3-none-any.whl