dissect.target 3.18.dev6__py3-none-any.whl → 3.18.dev7__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- dissect/target/helpers/protobuf.py +6 -10
- dissect/target/helpers/ssh.py +3 -4
- dissect/target/plugins/apps/av/trendmicro.py +2 -3
- dissect/target/plugins/apps/container/docker.py +1 -1
- dissect/target/plugins/os/unix/locate/gnulocate.py +1 -2
- dissect/target/plugins/os/unix/locate/mlocate.py +3 -4
- dissect/target/plugins/os/unix/locate/plocate.py +1 -2
- dissect/target/plugins/os/unix/log/atop.py +3 -4
- dissect/target/plugins/os/unix/log/journal.py +5 -4
- dissect/target/plugins/os/unix/log/lastlog.py +2 -3
- dissect/target/plugins/os/unix/log/utmp.py +6 -7
- dissect/target/plugins/os/windows/adpolicy.py +3 -4
- dissect/target/plugins/os/windows/credhist.py +1 -2
- dissect/target/plugins/os/windows/datetime.py +3 -4
- dissect/target/plugins/os/windows/defender.py +3 -4
- dissect/target/plugins/os/windows/dpapi/blob.py +1 -2
- dissect/target/plugins/os/windows/dpapi/master_key.py +2 -3
- dissect/target/plugins/os/windows/notifications.py +1 -2
- dissect/target/plugins/os/windows/prefetch.py +26 -27
- dissect/target/plugins/os/windows/recyclebin.py +10 -8
- dissect/target/plugins/os/windows/regf/auditpol.py +4 -5
- dissect/target/plugins/os/windows/regf/bam.py +2 -3
- dissect/target/plugins/os/windows/regf/cit.py +1 -2
- dissect/target/plugins/os/windows/regf/recentfilecache.py +3 -4
- dissect/target/plugins/os/windows/regf/shellbags.py +1 -2
- dissect/target/plugins/os/windows/regf/shimcache.py +2 -3
- dissect/target/plugins/os/windows/regf/userassist.py +5 -6
- dissect/target/plugins/os/windows/sam.py +4 -5
- dissect/target/plugins/os/windows/task_helpers/tasks_job.py +3 -4
- {dissect.target-3.18.dev6.dist-info → dissect.target-3.18.dev7.dist-info}/METADATA +49 -24
- {dissect.target-3.18.dev6.dist-info → dissect.target-3.18.dev7.dist-info}/RECORD +36 -36
- {dissect.target-3.18.dev6.dist-info → dissect.target-3.18.dev7.dist-info}/COPYRIGHT +0 -0
- {dissect.target-3.18.dev6.dist-info → dissect.target-3.18.dev7.dist-info}/LICENSE +0 -0
- {dissect.target-3.18.dev6.dist-info → dissect.target-3.18.dev7.dist-info}/WHEEL +0 -0
- {dissect.target-3.18.dev6.dist-info → dissect.target-3.18.dev7.dist-info}/entry_points.txt +0 -0
- {dissect.target-3.18.dev6.dist-info → dissect.target-3.18.dev7.dist-info}/top_level.txt +0 -0
|
@@ -3,30 +3,26 @@ from __future__ import annotations
|
|
|
3
3
|
from typing import Any, BinaryIO
|
|
4
4
|
|
|
5
5
|
from dissect.cstruct.types.base import BaseType
|
|
6
|
-
from dissect.cstruct.types.bytesinteger import BytesInteger
|
|
7
6
|
|
|
8
7
|
|
|
9
|
-
class ProtobufVarint(
|
|
8
|
+
class ProtobufVarint(BaseType):
|
|
10
9
|
"""Implements a protobuf integer type for dissect.cstruct that can span a variable amount of bytes.
|
|
11
10
|
|
|
12
|
-
|
|
13
|
-
to support protobuf's msb varint implementation.
|
|
11
|
+
Supports protobuf's msb varint implementation.
|
|
14
12
|
|
|
15
13
|
Resources:
|
|
16
14
|
- https://protobuf.dev/programming-guides/encoding/
|
|
17
15
|
- https://github.com/protocolbuffers/protobuf/blob/main/python/google/protobuf/internal/decoder.py
|
|
18
16
|
"""
|
|
19
17
|
|
|
20
|
-
|
|
18
|
+
@classmethod
|
|
19
|
+
def _read(cls, stream: BinaryIO, context: dict[str, Any] = None) -> int:
|
|
21
20
|
return decode_varint(stream)
|
|
22
21
|
|
|
23
|
-
|
|
22
|
+
@classmethod
|
|
23
|
+
def _write(cls, stream: BinaryIO, data: int) -> int:
|
|
24
24
|
return stream.write(encode_varint(data))
|
|
25
25
|
|
|
26
|
-
_read_array = BaseType._read_array
|
|
27
|
-
|
|
28
|
-
_write_array = BaseType._write_array
|
|
29
|
-
|
|
30
26
|
|
|
31
27
|
def decode_varint(stream: BinaryIO) -> int:
|
|
32
28
|
"""Reads a varint from the provided buffer stream.
|
dissect/target/helpers/ssh.py
CHANGED
|
@@ -1,9 +1,9 @@
|
|
|
1
1
|
import base64
|
|
2
2
|
import binascii
|
|
3
3
|
|
|
4
|
-
from dissect import cstruct
|
|
4
|
+
from dissect.cstruct import cstruct
|
|
5
5
|
|
|
6
|
-
|
|
6
|
+
rfc4716_def = """
|
|
7
7
|
struct ssh_string {
|
|
8
8
|
uint32 length;
|
|
9
9
|
char value[length];
|
|
@@ -23,8 +23,7 @@ struct ssh_private_key {
|
|
|
23
23
|
}
|
|
24
24
|
"""
|
|
25
25
|
|
|
26
|
-
c_rfc4716 = cstruct
|
|
27
|
-
c_rfc4716.load(c_rfc4716_def)
|
|
26
|
+
c_rfc4716 = cstruct(endian=">").load(rfc4716_def)
|
|
28
27
|
|
|
29
28
|
RFC4716_MARKER_START = b"-----BEGIN OPENSSH PRIVATE KEY-----"
|
|
30
29
|
RFC4716_MARKER_END = b"-----END OPENSSH PRIVATE KEY-----"
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
from typing import Iterator
|
|
2
2
|
|
|
3
|
-
from dissect import cstruct
|
|
3
|
+
from dissect.cstruct import cstruct
|
|
4
4
|
from dissect.util.ts import from_unix
|
|
5
5
|
|
|
6
6
|
from dissect.target import Target
|
|
@@ -47,8 +47,7 @@ struct firewall_entry {
|
|
|
47
47
|
char _pad3[10];
|
|
48
48
|
};
|
|
49
49
|
"""
|
|
50
|
-
c_pfwlog = cstruct.
|
|
51
|
-
c_pfwlog.load(pfwlog_def)
|
|
50
|
+
c_pfwlog = cstruct().load(pfwlog_def)
|
|
52
51
|
|
|
53
52
|
|
|
54
53
|
class TrendMicroPlugin(Plugin):
|
|
@@ -88,7 +88,7 @@ struct entry {
|
|
|
88
88
|
"""
|
|
89
89
|
|
|
90
90
|
c_local = cstruct(endian=">")
|
|
91
|
-
c_local.
|
|
91
|
+
c_local.add_custom_type("varint", ProtobufVarint, size=None, alignment=1, signed=False)
|
|
92
92
|
c_local.load(local_def, compiled=False)
|
|
93
93
|
|
|
94
94
|
RE_DOCKER_NS = re.compile(r"\.(?P<nanoseconds>\d{7,})(?P<postfix>Z|\+\d{2}:\d{2})")
|
|
@@ -20,10 +20,10 @@ struct header_config {
|
|
|
20
20
|
int32 conf_size;
|
|
21
21
|
int8 version; /* file format version */
|
|
22
22
|
int8 require_visibility;
|
|
23
|
-
int8
|
|
23
|
+
int8 pad0[2]; /* 32-bit total alignment */
|
|
24
24
|
char root_database;
|
|
25
25
|
char config_block[conf_size];
|
|
26
|
-
int8
|
|
26
|
+
int8 pad1;
|
|
27
27
|
};
|
|
28
28
|
|
|
29
29
|
enum DBE_TYPE: uint8 { /* database entry type */
|
|
@@ -68,8 +68,7 @@ MLocateRecord = TargetRecordDescriptor(
|
|
|
68
68
|
],
|
|
69
69
|
)
|
|
70
70
|
|
|
71
|
-
c_mlocate = cstruct(endian=">")
|
|
72
|
-
c_mlocate.load(mlocate_def)
|
|
71
|
+
c_mlocate = cstruct(endian=">").load(mlocate_def)
|
|
73
72
|
|
|
74
73
|
|
|
75
74
|
class MLocateFile:
|
|
@@ -2,7 +2,7 @@ import zlib
|
|
|
2
2
|
from io import BytesIO
|
|
3
3
|
from typing import BinaryIO, Iterator
|
|
4
4
|
|
|
5
|
-
from dissect.cstruct import
|
|
5
|
+
from dissect.cstruct import cstruct
|
|
6
6
|
|
|
7
7
|
from dissect.target.exceptions import UnsupportedPluginError
|
|
8
8
|
from dissect.target.helpers.record import TargetRecordDescriptor
|
|
@@ -178,8 +178,7 @@ struct tstat {
|
|
|
178
178
|
};
|
|
179
179
|
""" # noqa: E501
|
|
180
180
|
|
|
181
|
-
c_atop = cstruct()
|
|
182
|
-
c_atop.load(atop_def)
|
|
181
|
+
c_atop = cstruct().load(atop_def)
|
|
183
182
|
c_atop.load(atop_tstat_def, align=True)
|
|
184
183
|
|
|
185
184
|
AtopRecord = TargetRecordDescriptor(
|
|
@@ -226,7 +225,7 @@ class AtopFile:
|
|
|
226
225
|
self.header = c_atop.rawheader(self.fh)
|
|
227
226
|
self.version = self.version()
|
|
228
227
|
|
|
229
|
-
def __iter__(self) -> Iterator[
|
|
228
|
+
def __iter__(self) -> Iterator[c_atop.tstat]:
|
|
230
229
|
while True:
|
|
231
230
|
try:
|
|
232
231
|
record = c_atop.rawrecord(self.fh)
|
|
@@ -1,8 +1,10 @@
|
|
|
1
|
+
from __future__ import annotations
|
|
2
|
+
|
|
1
3
|
import lzma
|
|
2
4
|
from typing import BinaryIO, Callable, Iterator
|
|
3
5
|
|
|
4
6
|
import zstandard
|
|
5
|
-
from dissect.cstruct import
|
|
7
|
+
from dissect.cstruct import cstruct
|
|
6
8
|
from dissect.util import ts
|
|
7
9
|
from dissect.util.compression import lz4
|
|
8
10
|
|
|
@@ -252,8 +254,7 @@ struct EntryArrayObject_Compact {
|
|
|
252
254
|
};
|
|
253
255
|
""" # noqa: E501
|
|
254
256
|
|
|
255
|
-
c_journal = cstruct()
|
|
256
|
-
c_journal.load(journal_def)
|
|
257
|
+
c_journal = cstruct().load(journal_def)
|
|
257
258
|
|
|
258
259
|
|
|
259
260
|
def get_optional(value: str, to_type: Callable):
|
|
@@ -314,7 +315,7 @@ class JournalFile:
|
|
|
314
315
|
|
|
315
316
|
return key, value
|
|
316
317
|
|
|
317
|
-
def __iter__(self) -> Iterator[
|
|
318
|
+
def __iter__(self) -> Iterator[dict[str, int | str]]:
|
|
318
319
|
"Iterate over the entry objects to read payloads."
|
|
319
320
|
|
|
320
321
|
for offset in self.entry_object_offsets():
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
from typing import BinaryIO
|
|
2
2
|
|
|
3
|
-
from dissect import cstruct
|
|
3
|
+
from dissect.cstruct import cstruct
|
|
4
4
|
from dissect.util import ts
|
|
5
5
|
|
|
6
6
|
from dissect.target.exceptions import FileNotFoundError, UnsupportedPluginError
|
|
@@ -36,8 +36,7 @@ struct entry {
|
|
|
36
36
|
};
|
|
37
37
|
"""
|
|
38
38
|
|
|
39
|
-
c_lastlog = cstruct.
|
|
40
|
-
c_lastlog.load(lastlog_def)
|
|
39
|
+
c_lastlog = cstruct().load(lastlog_def)
|
|
41
40
|
|
|
42
41
|
|
|
43
42
|
class LastLogFile:
|
|
@@ -39,14 +39,14 @@ WtmpRecord = TargetRecordDescriptor(
|
|
|
39
39
|
],
|
|
40
40
|
)
|
|
41
41
|
|
|
42
|
-
|
|
42
|
+
utmp_def = """
|
|
43
43
|
#define UT_LINESIZE 32
|
|
44
44
|
#define UT_NAMESIZE 32
|
|
45
45
|
#define UT_HOSTSIZE 256
|
|
46
46
|
|
|
47
47
|
typedef uint32 pid_t;
|
|
48
48
|
|
|
49
|
-
enum Type :
|
|
49
|
+
enum Type : uint8_t {
|
|
50
50
|
EMPTY = 0x0,
|
|
51
51
|
RUN_LVL = 0x1,
|
|
52
52
|
BOOT_TIME = 0x2,
|
|
@@ -84,8 +84,7 @@ struct entry {
|
|
|
84
84
|
};
|
|
85
85
|
""" # noqa: E501
|
|
86
86
|
|
|
87
|
-
|
|
88
|
-
utmp.load(c_utmp)
|
|
87
|
+
c_utmp = cstruct().load(utmp_def)
|
|
89
88
|
|
|
90
89
|
UTMP_ENTRY = namedtuple(
|
|
91
90
|
"UTMPRecord",
|
|
@@ -122,11 +121,11 @@ class UtmpFile:
|
|
|
122
121
|
|
|
123
122
|
while True:
|
|
124
123
|
try:
|
|
125
|
-
entry =
|
|
124
|
+
entry = c_utmp.entry(byte_stream)
|
|
126
125
|
|
|
127
126
|
r_type = ""
|
|
128
|
-
if entry.ut_type in
|
|
129
|
-
r_type =
|
|
127
|
+
if entry.ut_type in c_utmp.Type:
|
|
128
|
+
r_type = c_utmp.Type(entry.ut_type).name
|
|
130
129
|
|
|
131
130
|
ut_host = entry.ut_host.decode(errors="surrogateescape").strip("\x00")
|
|
132
131
|
ut_addr = None
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
from struct import unpack
|
|
2
2
|
|
|
3
3
|
from defusedxml import ElementTree
|
|
4
|
-
from dissect import cstruct
|
|
4
|
+
from dissect.cstruct import cstruct
|
|
5
5
|
from dissect.regf.c_regf import (
|
|
6
6
|
REG_BINARY,
|
|
7
7
|
REG_DWORD,
|
|
@@ -18,14 +18,13 @@ from dissect.target.exceptions import UnsupportedPluginError
|
|
|
18
18
|
from dissect.target.helpers.record import TargetRecordDescriptor
|
|
19
19
|
from dissect.target.plugin import Plugin, export
|
|
20
20
|
|
|
21
|
-
|
|
21
|
+
policy_def = """
|
|
22
22
|
struct registry_policy_header {
|
|
23
23
|
uint32 signature;
|
|
24
24
|
uint32 version;
|
|
25
25
|
};
|
|
26
26
|
"""
|
|
27
|
-
c_adpolicy = cstruct.
|
|
28
|
-
c_adpolicy.load(c_def)
|
|
27
|
+
c_adpolicy = cstruct().load(policy_def)
|
|
29
28
|
|
|
30
29
|
ADPolicyRecord = TargetRecordDescriptor(
|
|
31
30
|
"windows/adpolicy",
|
|
@@ -3,7 +3,7 @@ from collections import namedtuple
|
|
|
3
3
|
from datetime import datetime, timedelta, timezone, tzinfo
|
|
4
4
|
from typing import Dict, Tuple
|
|
5
5
|
|
|
6
|
-
from dissect import cstruct
|
|
6
|
+
from dissect.cstruct import cstruct
|
|
7
7
|
|
|
8
8
|
from dissect.target.exceptions import (
|
|
9
9
|
RegistryError,
|
|
@@ -34,8 +34,7 @@ typedef struct _REG_TZI_FORMAT {
|
|
|
34
34
|
SYSTEMTIME DaylightDate;
|
|
35
35
|
} REG_TZI_FORMAT;
|
|
36
36
|
"""
|
|
37
|
-
c_tz = cstruct.
|
|
38
|
-
c_tz.load(tz_def)
|
|
37
|
+
c_tz = cstruct().load(tz_def)
|
|
39
38
|
|
|
40
39
|
|
|
41
40
|
# Althoug calendar.SUNDAY is only officially documented since Python 3.10, it
|
|
@@ -63,7 +62,7 @@ ZERO = timedelta(0)
|
|
|
63
62
|
HOUR = timedelta(hours=1)
|
|
64
63
|
|
|
65
64
|
|
|
66
|
-
def parse_systemtime_transition(systemtime:
|
|
65
|
+
def parse_systemtime_transition(systemtime: c_tz._SYSTEMTIME, year: int) -> datetime:
|
|
67
66
|
"""Return the transition datetime for a given year using the SYSTEMTIME of a STD or DST transition date.
|
|
68
67
|
|
|
69
68
|
The SYSTEMTIME date of a TZI structure needs to be used to calculate the actual date for a given year.
|
|
@@ -237,8 +237,7 @@ struct QuarantineEntryResourceField {
|
|
|
237
237
|
};
|
|
238
238
|
"""
|
|
239
239
|
|
|
240
|
-
c_defender = cstruct()
|
|
241
|
-
c_defender.load(defender_def)
|
|
240
|
+
c_defender = cstruct().load(defender_def)
|
|
242
241
|
|
|
243
242
|
STREAM_ID = c_defender.STREAM_ID
|
|
244
243
|
STREAM_ATTRIBUTES = c_defender.STREAM_ATTRIBUTES
|
|
@@ -381,7 +380,7 @@ class QuarantineEntryResource:
|
|
|
381
380
|
self.last_access_time = ts.wintimestamp(int.from_bytes(field.Data, "little"))
|
|
382
381
|
elif field.Identifier == FIELD_IDENTIFIER.LastWriteTime:
|
|
383
382
|
self.last_write_time = ts.wintimestamp(int.from_bytes(field.Data, "little"))
|
|
384
|
-
elif field.Identifier not in FIELD_IDENTIFIER
|
|
383
|
+
elif field.Identifier not in FIELD_IDENTIFIER:
|
|
385
384
|
self.unknown_fields.append(field)
|
|
386
385
|
|
|
387
386
|
|
|
@@ -526,7 +525,7 @@ class MicrosoftDefenderPlugin(plugin.Plugin):
|
|
|
526
525
|
subdir = resource.resource_id[0:2]
|
|
527
526
|
resourcedata_location = resourcedata_directory.joinpath(subdir).joinpath(resource.resource_id)
|
|
528
527
|
if not resourcedata_location.exists():
|
|
529
|
-
self.target.log.warning(f"Could not find a ResourceData file for {
|
|
528
|
+
self.target.log.warning(f"Could not find a ResourceData file for {resource.resource_id}.")
|
|
530
529
|
continue
|
|
531
530
|
if not resourcedata_location.is_file():
|
|
532
531
|
self.target.log.warning(f"{resourcedata_location} is not a file!")
|
|
@@ -29,7 +29,7 @@ struct DomainKey {
|
|
|
29
29
|
DWORD accessCheckLen;
|
|
30
30
|
char guid[16];
|
|
31
31
|
char encryptedSecret[secretLen];
|
|
32
|
-
char
|
|
32
|
+
char accessCheck[accessCheckLen];
|
|
33
33
|
};
|
|
34
34
|
|
|
35
35
|
struct CredHist {
|
|
@@ -66,8 +66,7 @@ struct MasterKeyFileHeader {
|
|
|
66
66
|
QWORD qwDomainKeySize;
|
|
67
67
|
};
|
|
68
68
|
"""
|
|
69
|
-
c_master_key = cstruct()
|
|
70
|
-
c_master_key.load(master_key_def)
|
|
69
|
+
c_master_key = cstruct().load(master_key_def)
|
|
71
70
|
|
|
72
71
|
|
|
73
72
|
class MasterKey:
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
from io import BytesIO
|
|
2
2
|
|
|
3
|
-
from dissect import cstruct
|
|
3
|
+
from dissect.cstruct import cstruct
|
|
4
4
|
from dissect.util import lzxpress_huffman
|
|
5
5
|
from dissect.util.ts import wintimestamp
|
|
6
6
|
|
|
@@ -33,7 +33,7 @@ GroupedPrefetchRecord = TargetRecordDescriptor(
|
|
|
33
33
|
)
|
|
34
34
|
|
|
35
35
|
|
|
36
|
-
|
|
36
|
+
prefetch_def = """
|
|
37
37
|
struct PREFETCH_HEADER_DETECT {
|
|
38
38
|
char signature[4];
|
|
39
39
|
uint32 size;
|
|
@@ -59,14 +59,14 @@ c_prefetch = """
|
|
|
59
59
|
uint32 volumes_information_offset;
|
|
60
60
|
uint32 number_of_volumes;
|
|
61
61
|
uint32 volumes_information_size;
|
|
62
|
-
uint32
|
|
62
|
+
uint32 unknown0[2];
|
|
63
63
|
uint64 last_run_time;
|
|
64
64
|
uint64 last_run_remains[7];
|
|
65
|
-
uint64
|
|
65
|
+
uint64 unknown1[2];
|
|
66
66
|
uint32 run_count;
|
|
67
|
-
uint32
|
|
68
|
-
uint32
|
|
69
|
-
char
|
|
67
|
+
uint32 unknown2;
|
|
68
|
+
uint32 unknown3;
|
|
69
|
+
char unknown4[88];
|
|
70
70
|
};
|
|
71
71
|
|
|
72
72
|
struct FILE_INFORMATION_17 {
|
|
@@ -80,9 +80,9 @@ c_prefetch = """
|
|
|
80
80
|
uint32 number_of_volumes;
|
|
81
81
|
uint32 volumes_information_size;
|
|
82
82
|
uint32 last_run_time;
|
|
83
|
-
uint32
|
|
83
|
+
uint32 unknown0;
|
|
84
84
|
uint32 run_count;
|
|
85
|
-
uint32
|
|
85
|
+
uint32 unknown1;
|
|
86
86
|
};
|
|
87
87
|
|
|
88
88
|
struct FILE_INFORMATION_23 {
|
|
@@ -99,9 +99,9 @@ c_prefetch = """
|
|
|
99
99
|
uint64 last_run_time;
|
|
100
100
|
uint64 last_run_remains[2];
|
|
101
101
|
uint32 run_count;
|
|
102
|
-
uint32
|
|
103
|
-
uint32
|
|
104
|
-
char
|
|
102
|
+
uint32 unknown0;
|
|
103
|
+
uint32 unknown1;
|
|
104
|
+
char unknown2[80];
|
|
105
105
|
};
|
|
106
106
|
|
|
107
107
|
struct VOLUME_INFORMATION_17 {
|
|
@@ -125,19 +125,19 @@ c_prefetch = """
|
|
|
125
125
|
uint32 file_reference_size;
|
|
126
126
|
uint32 directory_strings_array_offset;
|
|
127
127
|
uint32 number_of_directory_strings;
|
|
128
|
-
char
|
|
129
|
-
char
|
|
130
|
-
char
|
|
131
|
-
char
|
|
132
|
-
char
|
|
128
|
+
char unknown0[4];
|
|
129
|
+
char unknown1[24];
|
|
130
|
+
char unknown2[4];
|
|
131
|
+
char unknown3[24];
|
|
132
|
+
char unknown4[4];
|
|
133
133
|
};
|
|
134
134
|
|
|
135
135
|
struct TRACE_CHAIN_ARRAY_ENTRY_17 {
|
|
136
136
|
uint32 next_array_entry_index;
|
|
137
137
|
uint32 total_block_load_count;
|
|
138
|
-
uint32
|
|
139
|
-
uint32
|
|
140
|
-
uint32
|
|
138
|
+
uint32 unknown0;
|
|
139
|
+
uint32 unknown1;
|
|
140
|
+
uint32 unknown2;
|
|
141
141
|
};
|
|
142
142
|
|
|
143
143
|
struct FILE_METRICS_ARRAY_ENTRY_17 {
|
|
@@ -158,25 +158,24 @@ c_prefetch = """
|
|
|
158
158
|
uint64 ntfs_reference;
|
|
159
159
|
};
|
|
160
160
|
"""
|
|
161
|
-
|
|
162
|
-
prefetch.load(c_prefetch)
|
|
161
|
+
c_prefetch = cstruct().load(prefetch_def)
|
|
163
162
|
|
|
164
163
|
prefetch_version_structs = {
|
|
165
|
-
17: (
|
|
166
|
-
23: (
|
|
167
|
-
30: (
|
|
164
|
+
17: (c_prefetch.FILE_INFORMATION_17, c_prefetch.FILE_METRICS_ARRAY_ENTRY_17),
|
|
165
|
+
23: (c_prefetch.FILE_INFORMATION_23, c_prefetch.FILE_METRICS_ARRAY_ENTRY_23),
|
|
166
|
+
30: (c_prefetch.FILE_INFORMATION_26, c_prefetch.FILE_METRICS_ARRAY_ENTRY_23),
|
|
168
167
|
}
|
|
169
168
|
|
|
170
169
|
|
|
171
170
|
class Prefetch:
|
|
172
171
|
def __init__(self, fh):
|
|
173
|
-
header_detect =
|
|
172
|
+
header_detect = c_prefetch.PREFETCH_HEADER_DETECT(fh.read(8))
|
|
174
173
|
if header_detect.signature == b"MAM\x04":
|
|
175
174
|
fh = BytesIO(lzxpress_huffman.decompress(fh))
|
|
176
175
|
|
|
177
176
|
self.fh = fh
|
|
178
177
|
self.fh.seek(0)
|
|
179
|
-
self.header =
|
|
178
|
+
self.header = c_prefetch.PREFETCH_HEADER(self.fh)
|
|
180
179
|
self.version = self.identify()
|
|
181
180
|
self.volumes = None
|
|
182
181
|
self.metrics = None
|
|
@@ -1,6 +1,8 @@
|
|
|
1
|
+
from __future__ import annotations
|
|
2
|
+
|
|
1
3
|
from typing import Generator
|
|
2
4
|
|
|
3
|
-
from dissect import cstruct
|
|
5
|
+
from dissect.cstruct import cstruct
|
|
4
6
|
from dissect.util.ts import wintimestamp
|
|
5
7
|
|
|
6
8
|
from dissect.target import Target
|
|
@@ -21,7 +23,7 @@ RecycleBinRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
|
|
|
21
23
|
],
|
|
22
24
|
)
|
|
23
25
|
|
|
24
|
-
|
|
26
|
+
recyclebin_def = """
|
|
25
27
|
struct header_v1 {
|
|
26
28
|
int64 version;
|
|
27
29
|
int64 file_size;
|
|
@@ -37,14 +39,14 @@ struct header_v2 {
|
|
|
37
39
|
};
|
|
38
40
|
"""
|
|
39
41
|
|
|
42
|
+
c_recyclebin = cstruct().load(recyclebin_def)
|
|
43
|
+
|
|
40
44
|
|
|
41
45
|
class RecyclebinPlugin(Plugin):
|
|
42
46
|
"""Recyclebin plugin."""
|
|
43
47
|
|
|
44
48
|
def __init__(self, target: Target) -> None:
|
|
45
49
|
super().__init__(target)
|
|
46
|
-
self.recyclebin_parser = cstruct.cstruct()
|
|
47
|
-
self.recyclebin_parser.load(c_recyclebin_i)
|
|
48
50
|
|
|
49
51
|
def check_compatible(self) -> None:
|
|
50
52
|
for fs_entry in self.target.fs.path("/").iterdir():
|
|
@@ -131,11 +133,11 @@ class RecyclebinPlugin(Plugin):
|
|
|
131
133
|
return "unknown"
|
|
132
134
|
return parent_path.name
|
|
133
135
|
|
|
134
|
-
def select_header(self, data: bytes) ->
|
|
136
|
+
def select_header(self, data: bytes) -> c_recyclebin.header_v1 | c_recyclebin.header_v2:
|
|
135
137
|
"""Selects the correct header based on the version field in the header"""
|
|
136
138
|
|
|
137
|
-
header_version =
|
|
139
|
+
header_version = c_recyclebin.uint64(data[:8])
|
|
138
140
|
if header_version == 2:
|
|
139
|
-
return
|
|
141
|
+
return c_recyclebin.header_v2
|
|
140
142
|
else:
|
|
141
|
-
return
|
|
143
|
+
return c_recyclebin.header_v1
|
|
@@ -1,14 +1,12 @@
|
|
|
1
1
|
import io
|
|
2
2
|
|
|
3
|
-
from dissect import cstruct
|
|
3
|
+
from dissect.cstruct import cstruct
|
|
4
4
|
|
|
5
5
|
from dissect.target.exceptions import UnsupportedPluginError
|
|
6
6
|
from dissect.target.helpers.record import TargetRecordDescriptor
|
|
7
7
|
from dissect.target.plugin import Plugin, export
|
|
8
8
|
|
|
9
|
-
|
|
10
|
-
c_adtev.load(
|
|
11
|
-
"""
|
|
9
|
+
adtev_def = """
|
|
12
10
|
struct header {
|
|
13
11
|
uint16 unk0;
|
|
14
12
|
uint16 unk1;
|
|
@@ -18,7 +16,8 @@ struct header {
|
|
|
18
16
|
uint16 unk3;
|
|
19
17
|
};
|
|
20
18
|
"""
|
|
21
|
-
|
|
19
|
+
|
|
20
|
+
c_adtev = cstruct().load(adtev_def)
|
|
22
21
|
|
|
23
22
|
POLICY_CATEGORIES = [
|
|
24
23
|
"System",
|
|
@@ -5,13 +5,12 @@ from dissect.target.exceptions import UnsupportedPluginError
|
|
|
5
5
|
from dissect.target.helpers.record import TargetRecordDescriptor
|
|
6
6
|
from dissect.target.plugin import Plugin, export
|
|
7
7
|
|
|
8
|
-
|
|
8
|
+
bam_def = """
|
|
9
9
|
struct entry {
|
|
10
10
|
uint64 ts;
|
|
11
11
|
};
|
|
12
12
|
"""
|
|
13
|
-
c_bam = cstruct()
|
|
14
|
-
c_bam.load(c_bamdef)
|
|
13
|
+
c_bam = cstruct().load(bam_def)
|
|
15
14
|
|
|
16
15
|
BamDamRecord = TargetRecordDescriptor(
|
|
17
16
|
"windows/registry/bam",
|
|
@@ -1,10 +1,10 @@
|
|
|
1
|
-
from dissect import cstruct
|
|
1
|
+
from dissect.cstruct import cstruct
|
|
2
2
|
|
|
3
3
|
from dissect.target.exceptions import UnsupportedPluginError
|
|
4
4
|
from dissect.target.helpers.record import TargetRecordDescriptor
|
|
5
5
|
from dissect.target.plugin import Plugin, export
|
|
6
6
|
|
|
7
|
-
|
|
7
|
+
recent_files_def = """
|
|
8
8
|
struct header {
|
|
9
9
|
uint32 magic;
|
|
10
10
|
uint32 unk0;
|
|
@@ -18,8 +18,7 @@ c_recent_files_def = """
|
|
|
18
18
|
wchar path[length + 1];
|
|
19
19
|
};
|
|
20
20
|
"""
|
|
21
|
-
c_recent_files = cstruct.
|
|
22
|
-
c_recent_files.load(c_recent_files_def)
|
|
21
|
+
c_recent_files = cstruct().load(recent_files_def)
|
|
23
22
|
|
|
24
23
|
RecentFileCacheRecord = TargetRecordDescriptor(
|
|
25
24
|
"windows/recentfilecache",
|
|
@@ -243,8 +243,7 @@ struct EXTENSION_BLOCK_HEADER {
|
|
|
243
243
|
uint32 signature;
|
|
244
244
|
};
|
|
245
245
|
"""
|
|
246
|
-
c_bag = cstruct()
|
|
247
|
-
c_bag.load(bag_def)
|
|
246
|
+
c_bag = cstruct().load(bag_def)
|
|
248
247
|
|
|
249
248
|
DELEGATE_ITEM_IDENTIFIER = b"\x74\x1a\x59\x5e\x96\xdf\xd3\x48\x8d\x67\x17\x33\xbc\xee\x28\xba"
|
|
250
249
|
|
|
@@ -21,7 +21,7 @@ ShimcacheRecord = TargetRecordDescriptor(
|
|
|
21
21
|
],
|
|
22
22
|
)
|
|
23
23
|
|
|
24
|
-
|
|
24
|
+
shim_def = """
|
|
25
25
|
struct NT61_HEADER {
|
|
26
26
|
uint32 magic;
|
|
27
27
|
uint32 num_entries;
|
|
@@ -99,8 +99,7 @@ struct WIN10_ENTRY_DATA {
|
|
|
99
99
|
uint64 ts;
|
|
100
100
|
};
|
|
101
101
|
"""
|
|
102
|
-
c_shim = cstruct()
|
|
103
|
-
c_shim.load(c_shimdef)
|
|
102
|
+
c_shim = cstruct().load(shim_def)
|
|
104
103
|
|
|
105
104
|
MAGIC_NT61 = 0xBADC0FEE
|
|
106
105
|
MAGIC_NT52 = 0xBADC0FFE
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
import codecs
|
|
2
2
|
|
|
3
|
-
from dissect import cstruct
|
|
3
|
+
from dissect.cstruct import cstruct
|
|
4
4
|
from dissect.util.ts import wintimestamp
|
|
5
5
|
|
|
6
6
|
from dissect.target.exceptions import RegistryValueNotFoundError, UnsupportedPluginError
|
|
@@ -14,13 +14,13 @@ from dissect.target.plugin import Plugin, export
|
|
|
14
14
|
|
|
15
15
|
userassist_def = """
|
|
16
16
|
struct VERSION5_ENTRY {
|
|
17
|
-
char
|
|
17
|
+
char padding0[4];
|
|
18
18
|
uint32 number_of_executions;
|
|
19
19
|
uint32 application_focus_count;
|
|
20
20
|
uint32 application_focus_duration;
|
|
21
|
-
char
|
|
21
|
+
char padding1[44];
|
|
22
22
|
uint64 timestamp;
|
|
23
|
-
char
|
|
23
|
+
char padding2[4];
|
|
24
24
|
};
|
|
25
25
|
|
|
26
26
|
struct VERSION3_ENTRY {
|
|
@@ -29,8 +29,7 @@ struct VERSION3_ENTRY {
|
|
|
29
29
|
uint64 timestamp;
|
|
30
30
|
};
|
|
31
31
|
"""
|
|
32
|
-
c_userassist = cstruct.
|
|
33
|
-
c_userassist.load(userassist_def)
|
|
32
|
+
c_userassist = cstruct().load(userassist_def)
|
|
34
33
|
|
|
35
34
|
UserAssistRecordDescriptor = create_extended_descriptor(
|
|
36
35
|
[
|
|
@@ -9,14 +9,14 @@ try:
|
|
|
9
9
|
except ImportError:
|
|
10
10
|
HAS_CRYPTO = False
|
|
11
11
|
|
|
12
|
-
from dissect import cstruct
|
|
12
|
+
from dissect.cstruct import cstruct
|
|
13
13
|
from dissect.util import ts
|
|
14
14
|
|
|
15
15
|
from dissect.target.exceptions import UnsupportedPluginError
|
|
16
16
|
from dissect.target.helpers.record import TargetRecordDescriptor
|
|
17
17
|
from dissect.target.plugin import Plugin, export
|
|
18
18
|
|
|
19
|
-
|
|
19
|
+
sam_def = """
|
|
20
20
|
struct user_F {
|
|
21
21
|
char unknown1[8];
|
|
22
22
|
uint64 t_last_login; /* Time of last login */
|
|
@@ -166,7 +166,7 @@ struct DOMAIN_ACCOUNT_F {
|
|
|
166
166
|
uint16 min_password_length; /* 0x50 */
|
|
167
167
|
uint16 password_history_length; /* 0x52 */
|
|
168
168
|
uint16 lockout_threshold; /* 0x54 */
|
|
169
|
-
uint16
|
|
169
|
+
uint16 unknown1_3; /* 0x56 */
|
|
170
170
|
uint32 server_state; /* 0x58 */
|
|
171
171
|
uint16 server_role; /* 0x5c */
|
|
172
172
|
uint16 uas_compability_required; /* 0x5e */
|
|
@@ -207,8 +207,7 @@ struct SAM_HASH_AES { /* size: >=24 */
|
|
|
207
207
|
};
|
|
208
208
|
"""
|
|
209
209
|
|
|
210
|
-
c_sam = cstruct.
|
|
211
|
-
c_sam.load(c_sam_def)
|
|
210
|
+
c_sam = cstruct().load(sam_def)
|
|
212
211
|
|
|
213
212
|
SamRecord = TargetRecordDescriptor(
|
|
214
213
|
"windows/registry/sam",
|
|
@@ -2,7 +2,7 @@ import datetime
|
|
|
2
2
|
import warnings
|
|
3
3
|
from typing import Iterator, Optional
|
|
4
4
|
|
|
5
|
-
from dissect import cstruct
|
|
5
|
+
from dissect.cstruct import cstruct
|
|
6
6
|
from flow.record import GroupedRecord
|
|
7
7
|
|
|
8
8
|
from dissect.target.exceptions import InvalidTaskError
|
|
@@ -135,8 +135,7 @@ struct ATJOB_DATA {
|
|
|
135
135
|
// uint8 job_signature[64 * s_ver * c_ver]; /* - calculated job signature. */
|
|
136
136
|
};
|
|
137
137
|
"""
|
|
138
|
-
|
|
139
|
-
atjob.load(atjob_def)
|
|
138
|
+
c_atjob = cstruct().load(atjob_def)
|
|
140
139
|
|
|
141
140
|
|
|
142
141
|
class AtTask:
|
|
@@ -149,7 +148,7 @@ class AtTask:
|
|
|
149
148
|
|
|
150
149
|
def __init__(self, job_file: TargetPath, target: Target):
|
|
151
150
|
try:
|
|
152
|
-
self.at_data =
|
|
151
|
+
self.at_data = c_atjob.ATJOB_DATA(job_file.open())
|
|
153
152
|
except Exception as e:
|
|
154
153
|
raise InvalidTaskError(e)
|
|
155
154
|
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
Metadata-Version: 2.1
|
|
2
2
|
Name: dissect.target
|
|
3
|
-
Version: 3.18.
|
|
3
|
+
Version: 3.18.dev7
|
|
4
4
|
Summary: This module ties all other Dissect modules together, it provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets)
|
|
5
5
|
Author-email: Dissect Team <dissect@fox-it.com>
|
|
6
6
|
License: Affero General Public License v3
|
|
@@ -23,36 +23,61 @@ Description-Content-Type: text/markdown
|
|
|
23
23
|
License-File: LICENSE
|
|
24
24
|
License-File: COPYRIGHT
|
|
25
25
|
Requires-Dist: defusedxml
|
|
26
|
-
Requires-Dist: dissect.cstruct <4.
|
|
27
|
-
Requires-Dist: dissect.eventlog <4
|
|
28
|
-
Requires-Dist: dissect.evidence <4
|
|
29
|
-
Requires-Dist: dissect.hypervisor <4
|
|
30
|
-
Requires-Dist: dissect.ntfs <4
|
|
31
|
-
Requires-Dist: dissect.regf <4
|
|
32
|
-
Requires-Dist: dissect.util <4
|
|
33
|
-
Requires-Dist: dissect.volume <4
|
|
26
|
+
Requires-Dist: dissect.cstruct <5,>=4.dev
|
|
27
|
+
Requires-Dist: dissect.eventlog <4,>=3
|
|
28
|
+
Requires-Dist: dissect.evidence <4,>=3
|
|
29
|
+
Requires-Dist: dissect.hypervisor <4,>=3
|
|
30
|
+
Requires-Dist: dissect.ntfs <4,>=3.4
|
|
31
|
+
Requires-Dist: dissect.regf <4,>=3.3
|
|
32
|
+
Requires-Dist: dissect.util <4,>=3
|
|
33
|
+
Requires-Dist: dissect.volume <4,>=2
|
|
34
34
|
Requires-Dist: flow.record ~=3.15.0
|
|
35
35
|
Requires-Dist: structlog
|
|
36
36
|
Provides-Extra: cb
|
|
37
37
|
Requires-Dist: dissect.target[full] ; extra == 'cb'
|
|
38
38
|
Requires-Dist: carbon-black-cloud-sdk ~=1.4.3 ; extra == 'cb'
|
|
39
|
+
Provides-Extra: dev
|
|
40
|
+
Requires-Dist: dissect.target[full,mqtt,yara] ; extra == 'dev'
|
|
41
|
+
Requires-Dist: dissect.btrfs[dev] <2.0.dev,>=1.0.dev ; extra == 'dev'
|
|
42
|
+
Requires-Dist: dissect.cim[dev] <4.0.dev,>=3.0.dev ; extra == 'dev'
|
|
43
|
+
Requires-Dist: dissect.clfs[dev] <2.0.dev,>=1.0.dev ; extra == 'dev'
|
|
44
|
+
Requires-Dist: dissect.cstruct <5.0.dev,>=4.0.dev ; extra == 'dev'
|
|
45
|
+
Requires-Dist: dissect.esedb[dev] <4.0.dev,>=3.0.dev ; extra == 'dev'
|
|
46
|
+
Requires-Dist: dissect.etl[dev] <4.0.dev,>=3.0.dev ; extra == 'dev'
|
|
47
|
+
Requires-Dist: dissect.eventlog[dev] <4.0.dev,>=3.0.dev ; extra == 'dev'
|
|
48
|
+
Requires-Dist: dissect.evidence[dev] <4.0.dev,>=3.0.dev ; extra == 'dev'
|
|
49
|
+
Requires-Dist: dissect.extfs[dev] <4.0.dev,>=3.0.dev ; extra == 'dev'
|
|
50
|
+
Requires-Dist: dissect.fat[dev] <4.0.dev,>=3.0.dev ; extra == 'dev'
|
|
51
|
+
Requires-Dist: dissect.ffs[dev] <4.0.dev,>=3.0.dev ; extra == 'dev'
|
|
52
|
+
Requires-Dist: dissect.hypervisor[dev] <4.0.dev,>=3.0.dev ; extra == 'dev'
|
|
53
|
+
Requires-Dist: dissect.jffs[dev] <2.0.dev,>=1.0.dev ; extra == 'dev'
|
|
54
|
+
Requires-Dist: dissect.ntfs[dev] <4.0.dev,>=3.4.dev ; extra == 'dev'
|
|
55
|
+
Requires-Dist: dissect.regf[dev] <4.0.dev,>=3.3.dev ; extra == 'dev'
|
|
56
|
+
Requires-Dist: dissect.shellitem[dev] <4.0.dev,>=3.0.dev ; extra == 'dev'
|
|
57
|
+
Requires-Dist: dissect.sql[dev] <4.0.dev,>=3.0.dev ; extra == 'dev'
|
|
58
|
+
Requires-Dist: dissect.squashfs[dev] <2.0.dev,>=1.0.dev ; extra == 'dev'
|
|
59
|
+
Requires-Dist: dissect.thumbcache[dev] <2.0.dev,>=1.0.dev ; extra == 'dev'
|
|
60
|
+
Requires-Dist: dissect.util <4.0.dev,>=3.0.dev ; extra == 'dev'
|
|
61
|
+
Requires-Dist: dissect.vmfs[dev] <4.0.dev,>=3.0.dev ; extra == 'dev'
|
|
62
|
+
Requires-Dist: dissect.volume[dev] <4.0.dev,>=3.0.dev ; extra == 'dev'
|
|
63
|
+
Requires-Dist: dissect.xfs[dev] <4.0.dev,>=3.0.dev ; extra == 'dev'
|
|
39
64
|
Provides-Extra: full
|
|
40
65
|
Requires-Dist: asn1crypto ; extra == 'full'
|
|
41
|
-
Requires-Dist: dissect.btrfs <2
|
|
42
|
-
Requires-Dist: dissect.cim <4
|
|
43
|
-
Requires-Dist: dissect.clfs <2
|
|
44
|
-
Requires-Dist: dissect.esedb <4
|
|
45
|
-
Requires-Dist: dissect.etl <4
|
|
46
|
-
Requires-Dist: dissect.extfs <4
|
|
47
|
-
Requires-Dist: dissect.fat <4
|
|
48
|
-
Requires-Dist: dissect.ffs <4
|
|
49
|
-
Requires-Dist: dissect.jffs <2
|
|
50
|
-
Requires-Dist: dissect.shellitem <4
|
|
51
|
-
Requires-Dist: dissect.squashfs <2
|
|
52
|
-
Requires-Dist: dissect.sql <4
|
|
53
|
-
Requires-Dist: dissect.thumbcache <2
|
|
54
|
-
Requires-Dist: dissect.vmfs <4
|
|
55
|
-
Requires-Dist: dissect.xfs <4
|
|
66
|
+
Requires-Dist: dissect.btrfs <2,>=1 ; extra == 'full'
|
|
67
|
+
Requires-Dist: dissect.cim <4,>=3 ; extra == 'full'
|
|
68
|
+
Requires-Dist: dissect.clfs <2,>=1 ; extra == 'full'
|
|
69
|
+
Requires-Dist: dissect.esedb <4,>=3 ; extra == 'full'
|
|
70
|
+
Requires-Dist: dissect.etl <4,>=3 ; extra == 'full'
|
|
71
|
+
Requires-Dist: dissect.extfs <4,>=3 ; extra == 'full'
|
|
72
|
+
Requires-Dist: dissect.fat <4,>=3 ; extra == 'full'
|
|
73
|
+
Requires-Dist: dissect.ffs <4,>=3 ; extra == 'full'
|
|
74
|
+
Requires-Dist: dissect.jffs <2,>=1 ; extra == 'full'
|
|
75
|
+
Requires-Dist: dissect.shellitem <4,>=3 ; extra == 'full'
|
|
76
|
+
Requires-Dist: dissect.squashfs <2,>=1 ; extra == 'full'
|
|
77
|
+
Requires-Dist: dissect.sql <4,>=3 ; extra == 'full'
|
|
78
|
+
Requires-Dist: dissect.thumbcache <2,>=1 ; extra == 'full'
|
|
79
|
+
Requires-Dist: dissect.vmfs <4,>=3 ; extra == 'full'
|
|
80
|
+
Requires-Dist: dissect.xfs <4,>=3 ; extra == 'full'
|
|
56
81
|
Requires-Dist: ipython ; extra == 'full'
|
|
57
82
|
Requires-Dist: fusepy ; extra == 'full'
|
|
58
83
|
Requires-Dist: pycryptodome ; extra == 'full'
|
|
@@ -60,12 +60,12 @@ dissect/target/helpers/mount.py,sha256=JxhUYyEbDnHfzPpfuWy4nV9OwCJPoDSGdHHNiyvd_
|
|
|
60
60
|
dissect/target/helpers/mui.py,sha256=i-7XoHbu4WO2fYapK9yGAMW04rFlgRispknc1KQIS5Q,22258
|
|
61
61
|
dissect/target/helpers/network_managers.py,sha256=uRh_P8ICbKke2N7eFJ6AS2-I5DmIRiaQUlxR7oqxPaU,24975
|
|
62
62
|
dissect/target/helpers/polypath.py,sha256=h8p7m_OCNiQljGwoZh5Aflr9H2ot6CZr6WKq1OSw58o,2175
|
|
63
|
-
dissect/target/helpers/protobuf.py,sha256=
|
|
63
|
+
dissect/target/helpers/protobuf.py,sha256=b4DsnqrRLrefcDjx7rQno-_LBcwtJXxuKf5RdOegzfE,1537
|
|
64
64
|
dissect/target/helpers/record.py,sha256=lWl7k2Mp9Axllm0tXzPGJx2zj2zONsyY_p5g424T0Lc,4826
|
|
65
65
|
dissect/target/helpers/record_modifier.py,sha256=3I_rC5jqvl0TsW3V8OQ6Dltz_D8J4PU1uhhzbJGKm9c,3245
|
|
66
66
|
dissect/target/helpers/regutil.py,sha256=kX-sSZbW8Qkg29Dn_9zYbaQrwLumrr4Y8zJ1EhHXIAM,27337
|
|
67
67
|
dissect/target/helpers/shell_folder_ids.py,sha256=Behhb8oh0kMxrEk6YYKYigCDZe8Hw5QS6iK_d2hTs2Y,24978
|
|
68
|
-
dissect/target/helpers/ssh.py,sha256=
|
|
68
|
+
dissect/target/helpers/ssh.py,sha256=obB7sqUH0IoUo78NAmHM8TX0pgA_4GHICZ3TA3TW_0E,6324
|
|
69
69
|
dissect/target/helpers/targetd.py,sha256=ELhUulzQ4OgXgHsWhsLgM14vut8Wm6btr7qTynlwKaE,1812
|
|
70
70
|
dissect/target/helpers/utils.py,sha256=r36Bn0UL0E6Z8ajmQrHzC6RyUxTRdwJ1PNsd904Lmzs,4027
|
|
71
71
|
dissect/target/helpers/compat/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
@@ -117,7 +117,7 @@ dissect/target/plugins/apps/av/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5
|
|
|
117
117
|
dissect/target/plugins/apps/av/mcafee.py,sha256=YWrsB5kQFtXfhqi6mdMPMVk2qh_KCiOBiaTnbj8mVrM,5440
|
|
118
118
|
dissect/target/plugins/apps/av/sophos.py,sha256=TuO-ggdD5De0UTouzNF7-1iLULIOvr6FDktocnM0aF0,4164
|
|
119
119
|
dissect/target/plugins/apps/av/symantec.py,sha256=I1_zZ2ihKptB2JJ7sYZ7df0AgtK3KhWPsbDkc2m_hPA,14171
|
|
120
|
-
dissect/target/plugins/apps/av/trendmicro.py,sha256=
|
|
120
|
+
dissect/target/plugins/apps/av/trendmicro.py,sha256=8F4IWYCXG7HEniGridQ4ax82Mrx_20wV_999-8c9ttQ,4666
|
|
121
121
|
dissect/target/plugins/apps/browser/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
122
122
|
dissect/target/plugins/apps/browser/brave.py,sha256=EW1ubL10swHeV9CscfpE-SrNZozul_Ewj48LNRaG5Kg,2865
|
|
123
123
|
dissect/target/plugins/apps/browser/browser.py,sha256=rBIwcgdl73gm-8APwx2jEUAYXRniXkqcdMr2UYj_tS8,4118
|
|
@@ -127,7 +127,7 @@ dissect/target/plugins/apps/browser/edge.py,sha256=woXzZtHPWmfcV8vbxGKHELKru5JRb
|
|
|
127
127
|
dissect/target/plugins/apps/browser/firefox.py,sha256=ROrzhI2SV81E63hi5PRtyJveRrBacWNJ9FWZS_ondlk,30929
|
|
128
128
|
dissect/target/plugins/apps/browser/iexplore.py,sha256=g_xw0toaiyjevxO8g9XPCOqc-CXZp39FVquRhPFGdTE,8801
|
|
129
129
|
dissect/target/plugins/apps/container/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
130
|
-
dissect/target/plugins/apps/container/docker.py,sha256=
|
|
130
|
+
dissect/target/plugins/apps/container/docker.py,sha256=KxQRbKGgxkf3YFBMa7fjeJ7qo8qjFys7zEmfQhDTnLw,15305
|
|
131
131
|
dissect/target/plugins/apps/remoteaccess/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
132
132
|
dissect/target/plugins/apps/remoteaccess/anydesk.py,sha256=lHtgINWXfVpPuCTRyQmT2ZO-1vkoqiXZ7coj8cZ8p4c,3185
|
|
133
133
|
dissect/target/plugins/apps/remoteaccess/remoteaccess.py,sha256=UQDmDC4Y-KxYl_8kaAh6SG_BLJZ6SeGnxG0gyD8tzaE,833
|
|
@@ -240,38 +240,38 @@ dissect/target/plugins/os/unix/linux/suse/__init__.py,sha256=47DEQpj8HBSa-_TImW-
|
|
|
240
240
|
dissect/target/plugins/os/unix/linux/suse/_os.py,sha256=eaqgnkbunBJ2Hf_GE96THjfT3ybVIZvtWId-dx3JMV4,575
|
|
241
241
|
dissect/target/plugins/os/unix/linux/suse/zypper.py,sha256=amepAWivvbHFt2AoJUHC8lIeuD5Iy8MFXTWKqTYAEqE,4142
|
|
242
242
|
dissect/target/plugins/os/unix/locate/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
243
|
-
dissect/target/plugins/os/unix/locate/gnulocate.py,sha256=
|
|
243
|
+
dissect/target/plugins/os/unix/locate/gnulocate.py,sha256=N5IF8fYsrKrWsJw8ZPC_Y4wiQqdchgOvKtv-E5-vLec,2922
|
|
244
244
|
dissect/target/plugins/os/unix/locate/locate.py,sha256=uXFcWAqoz_3eNWHhsGoEtkkhmT5J3F1GYvr4uQxi308,122
|
|
245
|
-
dissect/target/plugins/os/unix/locate/mlocate.py,sha256=
|
|
246
|
-
dissect/target/plugins/os/unix/locate/plocate.py,sha256=
|
|
245
|
+
dissect/target/plugins/os/unix/locate/mlocate.py,sha256=A8U3cqrA8fq8AV-4pkImjwdwQbWY-TspvRQS9bzZRLo,4477
|
|
246
|
+
dissect/target/plugins/os/unix/locate/plocate.py,sha256=PQ-nmpMex6POKEsyqppButAjVxR071urmGcFU1LUQdA,7219
|
|
247
247
|
dissect/target/plugins/os/unix/log/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
248
|
-
dissect/target/plugins/os/unix/log/atop.py,sha256=
|
|
248
|
+
dissect/target/plugins/os/unix/log/atop.py,sha256=ljvGipVG16qTECnV1kIORykcGH9tTlpDmcMo5CXSPns,16332
|
|
249
249
|
dissect/target/plugins/os/unix/log/audit.py,sha256=OjorWTmCFvCI5RJq6m6WNW0Lhb-poB2VAggKOGZUHK4,3722
|
|
250
250
|
dissect/target/plugins/os/unix/log/auth.py,sha256=l7gCuRdvv9gL0U1N0yrR9hVsMnr4t_k4t-n-f6PrOxg,2388
|
|
251
|
-
dissect/target/plugins/os/unix/log/journal.py,sha256=
|
|
252
|
-
dissect/target/plugins/os/unix/log/lastlog.py,sha256=
|
|
251
|
+
dissect/target/plugins/os/unix/log/journal.py,sha256=auVRfrW4NRU7HguoDLTz4l_IwNdPZLPAqD7jhrOTzH8,17404
|
|
252
|
+
dissect/target/plugins/os/unix/log/lastlog.py,sha256=Wq89wRSFZSBsoKVCxjDofnC4yw9XJ4iOF0XJe9EucCo,2448
|
|
253
253
|
dissect/target/plugins/os/unix/log/messages.py,sha256=CXA-SkMPLaCgnTQg9nzII-7tO8Il_ENQmuYvDxo33rI,4698
|
|
254
|
-
dissect/target/plugins/os/unix/log/utmp.py,sha256=
|
|
254
|
+
dissect/target/plugins/os/unix/log/utmp.py,sha256=1nPHIaBUHt_9z6PDrvyqg4huKLihUaWLrMmgMsbaeIo,7755
|
|
255
255
|
dissect/target/plugins/os/windows/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
256
256
|
dissect/target/plugins/os/windows/_os.py,sha256=g5XGtruvyWx4YAhMpGZnAaIFWQqLNQpee_Ot7ROmD8w,12606
|
|
257
257
|
dissect/target/plugins/os/windows/activitiescache.py,sha256=Q2aILnhJ2rp2AwEbWwyBuSLjMbGqaYJTsavSbfkcFKE,6741
|
|
258
|
-
dissect/target/plugins/os/windows/adpolicy.py,sha256=
|
|
258
|
+
dissect/target/plugins/os/windows/adpolicy.py,sha256=fULRFO_I_QxAn6G9SCwlLL-TLVliS13JEGnGotf7lSA,6983
|
|
259
259
|
dissect/target/plugins/os/windows/amcache.py,sha256=ZZNOs3bILTf0AGkDkhoatndl0j39DXkstN7oOyxJECU,27188
|
|
260
260
|
dissect/target/plugins/os/windows/catroot.py,sha256=wHW_p4M0aFonZJ2xZFIbgLbJopdCIXO9jVrGPHLsMLc,11105
|
|
261
261
|
dissect/target/plugins/os/windows/cim.py,sha256=jsrpu6TZpBUh7VWI9AV2Ib5bebTwsvqOwRfa5gjJd7c,3056
|
|
262
262
|
dissect/target/plugins/os/windows/clfs.py,sha256=begVsZ-CY97Ksh6S1g03LjyBgu8ERY2hfNDWYPj0GXI,4872
|
|
263
|
-
dissect/target/plugins/os/windows/credhist.py,sha256=
|
|
264
|
-
dissect/target/plugins/os/windows/datetime.py,sha256=
|
|
265
|
-
dissect/target/plugins/os/windows/defender.py,sha256=
|
|
263
|
+
dissect/target/plugins/os/windows/credhist.py,sha256=YSjuyd53Augdy_lKKzZHtx5Ozt0HzF6LDYIOb-8P1Pw,7058
|
|
264
|
+
dissect/target/plugins/os/windows/datetime.py,sha256=YKHUZU6lkKJocq15y0yCwvIIOb1Ej-kfvEBmHbrdIGw,9467
|
|
265
|
+
dissect/target/plugins/os/windows/defender.py,sha256=lHHhyi8YqNTmBu3qbH7yskMAYcarYouPxKtBQLtXnnE,23713
|
|
266
266
|
dissect/target/plugins/os/windows/env.py,sha256=-u9F9xWy6PUbQmu5Tv_MDoVmy6YB-7CbHokIK_T3S44,13891
|
|
267
267
|
dissect/target/plugins/os/windows/generic.py,sha256=BSvDPfB9faU0uquMj0guw5tnR_97Nn0XAEE4k05BFSQ,22273
|
|
268
268
|
dissect/target/plugins/os/windows/lnk.py,sha256=On1k0PODYggQM1j514qFepBACCV2Z2u61Q4Ba6e3Y2c,8179
|
|
269
269
|
dissect/target/plugins/os/windows/locale.py,sha256=yXVdclpUqss9h8Nq7N4kg3OHwWGDfjdfiLiUZR3wqv8,2324
|
|
270
|
-
dissect/target/plugins/os/windows/notifications.py,sha256=
|
|
271
|
-
dissect/target/plugins/os/windows/prefetch.py,sha256=
|
|
272
|
-
dissect/target/plugins/os/windows/recyclebin.py,sha256=
|
|
270
|
+
dissect/target/plugins/os/windows/notifications.py,sha256=T1CIvQgpW__qDR0Rq5zpeWmRWwjNDpvdMnvJJ_6tZXs,17378
|
|
271
|
+
dissect/target/plugins/os/windows/prefetch.py,sha256=v4OgSKMwcihz0SOuA0o0Ec8wsAKuiuEmJolqZmHFgJA,10491
|
|
272
|
+
dissect/target/plugins/os/windows/recyclebin.py,sha256=zx58hDCvcrD_eJl9nJmr_i80krSN03ya8nQzWFr2Tw0,4917
|
|
273
273
|
dissect/target/plugins/os/windows/registry.py,sha256=EfqUkgbzaqTuq1kIPYNG1TfvJxhJE5X-TEjV3K_xsPU,12814
|
|
274
|
-
dissect/target/plugins/os/windows/sam.py,sha256=
|
|
274
|
+
dissect/target/plugins/os/windows/sam.py,sha256=NwKzfP_ae8SXgCoj_apa-29ZeFxeQsGidJ6llF1khP8,15468
|
|
275
275
|
dissect/target/plugins/os/windows/services.py,sha256=MoVPJ1GKpPaJrGd2DYtuHEmKqC2uOKRc5SZKB12goSs,6068
|
|
276
276
|
dissect/target/plugins/os/windows/sru.py,sha256=sOM7CyMkW8XIXzI75GL69WoqUrSK2X99TFIfdQR2D64,17767
|
|
277
277
|
dissect/target/plugins/os/windows/startupinfo.py,sha256=kl8Y7M4nVfmJ71I33VCegtbHj-ZOeEsYAdlNbgwtUOA,3406
|
|
@@ -281,10 +281,10 @@ dissect/target/plugins/os/windows/thumbcache.py,sha256=23YjOjTNoE7BYITmg8s9Zs8Wi
|
|
|
281
281
|
dissect/target/plugins/os/windows/ual.py,sha256=TYF-R46klEa_HHb86UJd6mPrXwHlAMOUTzC0pZ8uiq0,9787
|
|
282
282
|
dissect/target/plugins/os/windows/wer.py,sha256=ogecvKYxAvDXLptQj4cn0JLn1FxaXjeSuJWs4JgkoZs,8656
|
|
283
283
|
dissect/target/plugins/os/windows/dpapi/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
284
|
-
dissect/target/plugins/os/windows/dpapi/blob.py,sha256=
|
|
284
|
+
dissect/target/plugins/os/windows/dpapi/blob.py,sha256=j3MMROXroes7pr_VLt8Xv6WEpv19hlgDpOxOJyZMRvo,5044
|
|
285
285
|
dissect/target/plugins/os/windows/dpapi/crypto.py,sha256=_F1F2j1chQw-KLqfWvgL2mCkF3HSvdVnM78OZ0ph9hc,9337
|
|
286
286
|
dissect/target/plugins/os/windows/dpapi/dpapi.py,sha256=NrLtx61m8PXsB3CzxUQgc1BKkaAVBOre1oEfGvqgtuw,7130
|
|
287
|
-
dissect/target/plugins/os/windows/dpapi/master_key.py,sha256=
|
|
287
|
+
dissect/target/plugins/os/windows/dpapi/master_key.py,sha256=oUuUfvMXmhRrgIs1CXTR6CdETKNYZwoStXSqtDdil78,6111
|
|
288
288
|
dissect/target/plugins/os/windows/exchange/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
289
289
|
dissect/target/plugins/os/windows/exchange/exchange.py,sha256=ofoapuDQXefIX4sTzwNboyk5RztN2JEyw1OWl5cx-wo,1564
|
|
290
290
|
dissect/target/plugins/os/windows/log/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
@@ -297,24 +297,24 @@ dissect/target/plugins/os/windows/log/schedlgu.py,sha256=JaP8H8eTEypWXhx2aFSR_IM
|
|
|
297
297
|
dissect/target/plugins/os/windows/regf/7zip.py,sha256=Vc336zhS6R8W98GGlLtPJ_OR0vEP014QnBtYwbx_HUo,3217
|
|
298
298
|
dissect/target/plugins/os/windows/regf/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
299
299
|
dissect/target/plugins/os/windows/regf/appxdebugkeys.py,sha256=X8MYLcD76pIZoIWwS_DgUp6q6pi2WO7jhZeoc4uGLak,3966
|
|
300
|
-
dissect/target/plugins/os/windows/regf/auditpol.py,sha256=
|
|
301
|
-
dissect/target/plugins/os/windows/regf/bam.py,sha256=
|
|
302
|
-
dissect/target/plugins/os/windows/regf/cit.py,sha256=
|
|
300
|
+
dissect/target/plugins/os/windows/regf/auditpol.py,sha256=qAVYurAECRbTzopOgempCK2dOpeJ-a-pGNhHYJEtbP4,5149
|
|
301
|
+
dissect/target/plugins/os/windows/regf/bam.py,sha256=zS2vheHp4HEfrAhcIR06GoTq8Ofwhe3zd8uMPj7Y61Q,2076
|
|
302
|
+
dissect/target/plugins/os/windows/regf/cit.py,sha256=d8euaR9gyCZIQG8PwHEQR4_wB8l0ZUUUYYCQbHHfLzA,38238
|
|
303
303
|
dissect/target/plugins/os/windows/regf/clsid.py,sha256=M121yHQgRDSGtXeShiB-RUuk_toHOFHLYwbHAP9SS8U,3632
|
|
304
304
|
dissect/target/plugins/os/windows/regf/firewall.py,sha256=-RUFjY4D-ua72vyvOTJyg-MpUbk9Syfo4TfgA7bV7Us,3172
|
|
305
305
|
dissect/target/plugins/os/windows/regf/mru.py,sha256=HYg4UnbsjvzZKS9qcqxkocUeIGQieMLXPjkjgZ1qbTY,13560
|
|
306
306
|
dissect/target/plugins/os/windows/regf/muicache.py,sha256=-1IYfNpFjjk4WYyFUBJGLl7ahEGeUKqlaI1QwPNnfjA,3738
|
|
307
307
|
dissect/target/plugins/os/windows/regf/nethist.py,sha256=QHbG9fmZNmjSVhrgqMvMo12YBaQedzeToS7ZD9eIJ28,3111
|
|
308
|
-
dissect/target/plugins/os/windows/regf/recentfilecache.py,sha256=
|
|
308
|
+
dissect/target/plugins/os/windows/regf/recentfilecache.py,sha256=goS6ajLIh6ZU-Gq4tupoxBoQCfMDp2qJgg-Nn5qFIsY,1850
|
|
309
309
|
dissect/target/plugins/os/windows/regf/regf.py,sha256=D1GrljF-sV8cWIjWJ3zH7k52i1OWD8poEC_PIeZMEis,3419
|
|
310
310
|
dissect/target/plugins/os/windows/regf/runkeys.py,sha256=-2HcdnVytzCt1xwgAI8rHDnwk8kwLPWURumvhrGnIHU,4278
|
|
311
|
-
dissect/target/plugins/os/windows/regf/shellbags.py,sha256=
|
|
312
|
-
dissect/target/plugins/os/windows/regf/shimcache.py,sha256=
|
|
311
|
+
dissect/target/plugins/os/windows/regf/shellbags.py,sha256=t6874fvnZoQ05H0-G95-a8RpmCWjz0dli6hHGu5jBEQ,25615
|
|
312
|
+
dissect/target/plugins/os/windows/regf/shimcache.py,sha256=no78i0nxbnfgDJ5TpDZNAJggCigD_zLrXNYss7gdg2Q,9994
|
|
313
313
|
dissect/target/plugins/os/windows/regf/trusteddocs.py,sha256=3yvpBDM-Asg0rvGN2TwALGRm9DYogG6TxRau9D6FBbw,3700
|
|
314
314
|
dissect/target/plugins/os/windows/regf/usb.py,sha256=hR5fnqy_sint1YyWgm1-AMhGQ4MxJOH_Wz0vbYzr9p4,7213
|
|
315
|
-
dissect/target/plugins/os/windows/regf/userassist.py,sha256=
|
|
315
|
+
dissect/target/plugins/os/windows/regf/userassist.py,sha256=bSioEQdqUxdGwkdgMUfDIY2_pzrl9PdxPjmzmMaIwHs,5490
|
|
316
316
|
dissect/target/plugins/os/windows/task_helpers/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
317
|
-
dissect/target/plugins/os/windows/task_helpers/tasks_job.py,sha256
|
|
317
|
+
dissect/target/plugins/os/windows/task_helpers/tasks_job.py,sha256=7w3UGOiTAUQkP3xQ3sj4X3MTgHUJmmfdgiEadWmYquI,21197
|
|
318
318
|
dissect/target/plugins/os/windows/task_helpers/tasks_records.py,sha256=vpCyKqLQSzI5ymD1h5P6RncLEE47YtmjDFwKA16dVZ4,4046
|
|
319
319
|
dissect/target/plugins/os/windows/task_helpers/tasks_xml.py,sha256=oOsYse2-BrliVQRXlHD1-89hsmNrJqg42DJy681AW0U,15268
|
|
320
320
|
dissect/target/tools/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
@@ -340,10 +340,10 @@ dissect/target/volumes/luks.py,sha256=OmCMsw6rCUXG1_plnLVLTpsvE1n_6WtoRUGQbpmu1z
|
|
|
340
340
|
dissect/target/volumes/lvm.py,sha256=wwQVR9I3G9YzmY6UxFsH2Y4MXGBcKL9aayWGCDTiWMU,2269
|
|
341
341
|
dissect/target/volumes/md.py,sha256=j1K1iKmspl0C_OJFc7-Q1BMWN2OCC5EVANIgVlJ_fIE,1673
|
|
342
342
|
dissect/target/volumes/vmfs.py,sha256=-LoUbn9WNwTtLi_4K34uV_-wDw2W5hgaqxZNj4UmqAQ,1730
|
|
343
|
-
dissect.target-3.18.
|
|
344
|
-
dissect.target-3.18.
|
|
345
|
-
dissect.target-3.18.
|
|
346
|
-
dissect.target-3.18.
|
|
347
|
-
dissect.target-3.18.
|
|
348
|
-
dissect.target-3.18.
|
|
349
|
-
dissect.target-3.18.
|
|
343
|
+
dissect.target-3.18.dev7.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
|
|
344
|
+
dissect.target-3.18.dev7.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
|
|
345
|
+
dissect.target-3.18.dev7.dist-info/METADATA,sha256=QdjX1XeAbDN3B7UZr8WzmJzjVQzvv8GSxqOH-5LgBgg,12722
|
|
346
|
+
dissect.target-3.18.dev7.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
|
|
347
|
+
dissect.target-3.18.dev7.dist-info/entry_points.txt,sha256=tvFPa-Ap-gakjaPwRc6Fl6mxHzxEZ_arAVU-IUYeo_s,447
|
|
348
|
+
dissect.target-3.18.dev7.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
|
|
349
|
+
dissect.target-3.18.dev7.dist-info/RECORD,,
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|