dissect.target 3.18.dev6__py3-none-any.whl → 3.18.dev7__py3-none-any.whl
Sign up to get free protection for your applications and to get access to all the features.
- dissect/target/helpers/protobuf.py +6 -10
- dissect/target/helpers/ssh.py +3 -4
- dissect/target/plugins/apps/av/trendmicro.py +2 -3
- dissect/target/plugins/apps/container/docker.py +1 -1
- dissect/target/plugins/os/unix/locate/gnulocate.py +1 -2
- dissect/target/plugins/os/unix/locate/mlocate.py +3 -4
- dissect/target/plugins/os/unix/locate/plocate.py +1 -2
- dissect/target/plugins/os/unix/log/atop.py +3 -4
- dissect/target/plugins/os/unix/log/journal.py +5 -4
- dissect/target/plugins/os/unix/log/lastlog.py +2 -3
- dissect/target/plugins/os/unix/log/utmp.py +6 -7
- dissect/target/plugins/os/windows/adpolicy.py +3 -4
- dissect/target/plugins/os/windows/credhist.py +1 -2
- dissect/target/plugins/os/windows/datetime.py +3 -4
- dissect/target/plugins/os/windows/defender.py +3 -4
- dissect/target/plugins/os/windows/dpapi/blob.py +1 -2
- dissect/target/plugins/os/windows/dpapi/master_key.py +2 -3
- dissect/target/plugins/os/windows/notifications.py +1 -2
- dissect/target/plugins/os/windows/prefetch.py +26 -27
- dissect/target/plugins/os/windows/recyclebin.py +10 -8
- dissect/target/plugins/os/windows/regf/auditpol.py +4 -5
- dissect/target/plugins/os/windows/regf/bam.py +2 -3
- dissect/target/plugins/os/windows/regf/cit.py +1 -2
- dissect/target/plugins/os/windows/regf/recentfilecache.py +3 -4
- dissect/target/plugins/os/windows/regf/shellbags.py +1 -2
- dissect/target/plugins/os/windows/regf/shimcache.py +2 -3
- dissect/target/plugins/os/windows/regf/userassist.py +5 -6
- dissect/target/plugins/os/windows/sam.py +4 -5
- dissect/target/plugins/os/windows/task_helpers/tasks_job.py +3 -4
- {dissect.target-3.18.dev6.dist-info → dissect.target-3.18.dev7.dist-info}/METADATA +49 -24
- {dissect.target-3.18.dev6.dist-info → dissect.target-3.18.dev7.dist-info}/RECORD +36 -36
- {dissect.target-3.18.dev6.dist-info → dissect.target-3.18.dev7.dist-info}/COPYRIGHT +0 -0
- {dissect.target-3.18.dev6.dist-info → dissect.target-3.18.dev7.dist-info}/LICENSE +0 -0
- {dissect.target-3.18.dev6.dist-info → dissect.target-3.18.dev7.dist-info}/WHEEL +0 -0
- {dissect.target-3.18.dev6.dist-info → dissect.target-3.18.dev7.dist-info}/entry_points.txt +0 -0
- {dissect.target-3.18.dev6.dist-info → dissect.target-3.18.dev7.dist-info}/top_level.txt +0 -0
|
@@ -3,30 +3,26 @@ from __future__ import annotations
|
|
|
3
3
|
from typing import Any, BinaryIO
|
|
4
4
|
|
|
5
5
|
from dissect.cstruct.types.base import BaseType
|
|
6
|
-
from dissect.cstruct.types.bytesinteger import BytesInteger
|
|
7
6
|
|
|
8
7
|
|
|
9
|
-
class ProtobufVarint(
|
|
8
|
+
class ProtobufVarint(BaseType):
|
|
10
9
|
"""Implements a protobuf integer type for dissect.cstruct that can span a variable amount of bytes.
|
|
11
10
|
|
|
12
|
-
|
|
13
|
-
to support protobuf's msb varint implementation.
|
|
11
|
+
Supports protobuf's msb varint implementation.
|
|
14
12
|
|
|
15
13
|
Resources:
|
|
16
14
|
- https://protobuf.dev/programming-guides/encoding/
|
|
17
15
|
- https://github.com/protocolbuffers/protobuf/blob/main/python/google/protobuf/internal/decoder.py
|
|
18
16
|
"""
|
|
19
17
|
|
|
20
|
-
|
|
18
|
+
@classmethod
|
|
19
|
+
def _read(cls, stream: BinaryIO, context: dict[str, Any] = None) -> int:
|
|
21
20
|
return decode_varint(stream)
|
|
22
21
|
|
|
23
|
-
|
|
22
|
+
@classmethod
|
|
23
|
+
def _write(cls, stream: BinaryIO, data: int) -> int:
|
|
24
24
|
return stream.write(encode_varint(data))
|
|
25
25
|
|
|
26
|
-
_read_array = BaseType._read_array
|
|
27
|
-
|
|
28
|
-
_write_array = BaseType._write_array
|
|
29
|
-
|
|
30
26
|
|
|
31
27
|
def decode_varint(stream: BinaryIO) -> int:
|
|
32
28
|
"""Reads a varint from the provided buffer stream.
|
dissect/target/helpers/ssh.py
CHANGED
|
@@ -1,9 +1,9 @@
|
|
|
1
1
|
import base64
|
|
2
2
|
import binascii
|
|
3
3
|
|
|
4
|
-
from dissect import cstruct
|
|
4
|
+
from dissect.cstruct import cstruct
|
|
5
5
|
|
|
6
|
-
|
|
6
|
+
rfc4716_def = """
|
|
7
7
|
struct ssh_string {
|
|
8
8
|
uint32 length;
|
|
9
9
|
char value[length];
|
|
@@ -23,8 +23,7 @@ struct ssh_private_key {
|
|
|
23
23
|
}
|
|
24
24
|
"""
|
|
25
25
|
|
|
26
|
-
c_rfc4716 = cstruct
|
|
27
|
-
c_rfc4716.load(c_rfc4716_def)
|
|
26
|
+
c_rfc4716 = cstruct(endian=">").load(rfc4716_def)
|
|
28
27
|
|
|
29
28
|
RFC4716_MARKER_START = b"-----BEGIN OPENSSH PRIVATE KEY-----"
|
|
30
29
|
RFC4716_MARKER_END = b"-----END OPENSSH PRIVATE KEY-----"
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
from typing import Iterator
|
|
2
2
|
|
|
3
|
-
from dissect import cstruct
|
|
3
|
+
from dissect.cstruct import cstruct
|
|
4
4
|
from dissect.util.ts import from_unix
|
|
5
5
|
|
|
6
6
|
from dissect.target import Target
|
|
@@ -47,8 +47,7 @@ struct firewall_entry {
|
|
|
47
47
|
char _pad3[10];
|
|
48
48
|
};
|
|
49
49
|
"""
|
|
50
|
-
c_pfwlog = cstruct.
|
|
51
|
-
c_pfwlog.load(pfwlog_def)
|
|
50
|
+
c_pfwlog = cstruct().load(pfwlog_def)
|
|
52
51
|
|
|
53
52
|
|
|
54
53
|
class TrendMicroPlugin(Plugin):
|
|
@@ -88,7 +88,7 @@ struct entry {
|
|
|
88
88
|
"""
|
|
89
89
|
|
|
90
90
|
c_local = cstruct(endian=">")
|
|
91
|
-
c_local.
|
|
91
|
+
c_local.add_custom_type("varint", ProtobufVarint, size=None, alignment=1, signed=False)
|
|
92
92
|
c_local.load(local_def, compiled=False)
|
|
93
93
|
|
|
94
94
|
RE_DOCKER_NS = re.compile(r"\.(?P<nanoseconds>\d{7,})(?P<postfix>Z|\+\d{2}:\d{2})")
|
|
@@ -20,10 +20,10 @@ struct header_config {
|
|
|
20
20
|
int32 conf_size;
|
|
21
21
|
int8 version; /* file format version */
|
|
22
22
|
int8 require_visibility;
|
|
23
|
-
int8
|
|
23
|
+
int8 pad0[2]; /* 32-bit total alignment */
|
|
24
24
|
char root_database;
|
|
25
25
|
char config_block[conf_size];
|
|
26
|
-
int8
|
|
26
|
+
int8 pad1;
|
|
27
27
|
};
|
|
28
28
|
|
|
29
29
|
enum DBE_TYPE: uint8 { /* database entry type */
|
|
@@ -68,8 +68,7 @@ MLocateRecord = TargetRecordDescriptor(
|
|
|
68
68
|
],
|
|
69
69
|
)
|
|
70
70
|
|
|
71
|
-
c_mlocate = cstruct(endian=">")
|
|
72
|
-
c_mlocate.load(mlocate_def)
|
|
71
|
+
c_mlocate = cstruct(endian=">").load(mlocate_def)
|
|
73
72
|
|
|
74
73
|
|
|
75
74
|
class MLocateFile:
|
|
@@ -2,7 +2,7 @@ import zlib
|
|
|
2
2
|
from io import BytesIO
|
|
3
3
|
from typing import BinaryIO, Iterator
|
|
4
4
|
|
|
5
|
-
from dissect.cstruct import
|
|
5
|
+
from dissect.cstruct import cstruct
|
|
6
6
|
|
|
7
7
|
from dissect.target.exceptions import UnsupportedPluginError
|
|
8
8
|
from dissect.target.helpers.record import TargetRecordDescriptor
|
|
@@ -178,8 +178,7 @@ struct tstat {
|
|
|
178
178
|
};
|
|
179
179
|
""" # noqa: E501
|
|
180
180
|
|
|
181
|
-
c_atop = cstruct()
|
|
182
|
-
c_atop.load(atop_def)
|
|
181
|
+
c_atop = cstruct().load(atop_def)
|
|
183
182
|
c_atop.load(atop_tstat_def, align=True)
|
|
184
183
|
|
|
185
184
|
AtopRecord = TargetRecordDescriptor(
|
|
@@ -226,7 +225,7 @@ class AtopFile:
|
|
|
226
225
|
self.header = c_atop.rawheader(self.fh)
|
|
227
226
|
self.version = self.version()
|
|
228
227
|
|
|
229
|
-
def __iter__(self) -> Iterator[
|
|
228
|
+
def __iter__(self) -> Iterator[c_atop.tstat]:
|
|
230
229
|
while True:
|
|
231
230
|
try:
|
|
232
231
|
record = c_atop.rawrecord(self.fh)
|
|
@@ -1,8 +1,10 @@
|
|
|
1
|
+
from __future__ import annotations
|
|
2
|
+
|
|
1
3
|
import lzma
|
|
2
4
|
from typing import BinaryIO, Callable, Iterator
|
|
3
5
|
|
|
4
6
|
import zstandard
|
|
5
|
-
from dissect.cstruct import
|
|
7
|
+
from dissect.cstruct import cstruct
|
|
6
8
|
from dissect.util import ts
|
|
7
9
|
from dissect.util.compression import lz4
|
|
8
10
|
|
|
@@ -252,8 +254,7 @@ struct EntryArrayObject_Compact {
|
|
|
252
254
|
};
|
|
253
255
|
""" # noqa: E501
|
|
254
256
|
|
|
255
|
-
c_journal = cstruct()
|
|
256
|
-
c_journal.load(journal_def)
|
|
257
|
+
c_journal = cstruct().load(journal_def)
|
|
257
258
|
|
|
258
259
|
|
|
259
260
|
def get_optional(value: str, to_type: Callable):
|
|
@@ -314,7 +315,7 @@ class JournalFile:
|
|
|
314
315
|
|
|
315
316
|
return key, value
|
|
316
317
|
|
|
317
|
-
def __iter__(self) -> Iterator[
|
|
318
|
+
def __iter__(self) -> Iterator[dict[str, int | str]]:
|
|
318
319
|
"Iterate over the entry objects to read payloads."
|
|
319
320
|
|
|
320
321
|
for offset in self.entry_object_offsets():
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
from typing import BinaryIO
|
|
2
2
|
|
|
3
|
-
from dissect import cstruct
|
|
3
|
+
from dissect.cstruct import cstruct
|
|
4
4
|
from dissect.util import ts
|
|
5
5
|
|
|
6
6
|
from dissect.target.exceptions import FileNotFoundError, UnsupportedPluginError
|
|
@@ -36,8 +36,7 @@ struct entry {
|
|
|
36
36
|
};
|
|
37
37
|
"""
|
|
38
38
|
|
|
39
|
-
c_lastlog = cstruct.
|
|
40
|
-
c_lastlog.load(lastlog_def)
|
|
39
|
+
c_lastlog = cstruct().load(lastlog_def)
|
|
41
40
|
|
|
42
41
|
|
|
43
42
|
class LastLogFile:
|
|
@@ -39,14 +39,14 @@ WtmpRecord = TargetRecordDescriptor(
|
|
|
39
39
|
],
|
|
40
40
|
)
|
|
41
41
|
|
|
42
|
-
|
|
42
|
+
utmp_def = """
|
|
43
43
|
#define UT_LINESIZE 32
|
|
44
44
|
#define UT_NAMESIZE 32
|
|
45
45
|
#define UT_HOSTSIZE 256
|
|
46
46
|
|
|
47
47
|
typedef uint32 pid_t;
|
|
48
48
|
|
|
49
|
-
enum Type :
|
|
49
|
+
enum Type : uint8_t {
|
|
50
50
|
EMPTY = 0x0,
|
|
51
51
|
RUN_LVL = 0x1,
|
|
52
52
|
BOOT_TIME = 0x2,
|
|
@@ -84,8 +84,7 @@ struct entry {
|
|
|
84
84
|
};
|
|
85
85
|
""" # noqa: E501
|
|
86
86
|
|
|
87
|
-
|
|
88
|
-
utmp.load(c_utmp)
|
|
87
|
+
c_utmp = cstruct().load(utmp_def)
|
|
89
88
|
|
|
90
89
|
UTMP_ENTRY = namedtuple(
|
|
91
90
|
"UTMPRecord",
|
|
@@ -122,11 +121,11 @@ class UtmpFile:
|
|
|
122
121
|
|
|
123
122
|
while True:
|
|
124
123
|
try:
|
|
125
|
-
entry =
|
|
124
|
+
entry = c_utmp.entry(byte_stream)
|
|
126
125
|
|
|
127
126
|
r_type = ""
|
|
128
|
-
if entry.ut_type in
|
|
129
|
-
r_type =
|
|
127
|
+
if entry.ut_type in c_utmp.Type:
|
|
128
|
+
r_type = c_utmp.Type(entry.ut_type).name
|
|
130
129
|
|
|
131
130
|
ut_host = entry.ut_host.decode(errors="surrogateescape").strip("\x00")
|
|
132
131
|
ut_addr = None
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
from struct import unpack
|
|
2
2
|
|
|
3
3
|
from defusedxml import ElementTree
|
|
4
|
-
from dissect import cstruct
|
|
4
|
+
from dissect.cstruct import cstruct
|
|
5
5
|
from dissect.regf.c_regf import (
|
|
6
6
|
REG_BINARY,
|
|
7
7
|
REG_DWORD,
|
|
@@ -18,14 +18,13 @@ from dissect.target.exceptions import UnsupportedPluginError
|
|
|
18
18
|
from dissect.target.helpers.record import TargetRecordDescriptor
|
|
19
19
|
from dissect.target.plugin import Plugin, export
|
|
20
20
|
|
|
21
|
-
|
|
21
|
+
policy_def = """
|
|
22
22
|
struct registry_policy_header {
|
|
23
23
|
uint32 signature;
|
|
24
24
|
uint32 version;
|
|
25
25
|
};
|
|
26
26
|
"""
|
|
27
|
-
c_adpolicy = cstruct.
|
|
28
|
-
c_adpolicy.load(c_def)
|
|
27
|
+
c_adpolicy = cstruct().load(policy_def)
|
|
29
28
|
|
|
30
29
|
ADPolicyRecord = TargetRecordDescriptor(
|
|
31
30
|
"windows/adpolicy",
|
|
@@ -3,7 +3,7 @@ from collections import namedtuple
|
|
|
3
3
|
from datetime import datetime, timedelta, timezone, tzinfo
|
|
4
4
|
from typing import Dict, Tuple
|
|
5
5
|
|
|
6
|
-
from dissect import cstruct
|
|
6
|
+
from dissect.cstruct import cstruct
|
|
7
7
|
|
|
8
8
|
from dissect.target.exceptions import (
|
|
9
9
|
RegistryError,
|
|
@@ -34,8 +34,7 @@ typedef struct _REG_TZI_FORMAT {
|
|
|
34
34
|
SYSTEMTIME DaylightDate;
|
|
35
35
|
} REG_TZI_FORMAT;
|
|
36
36
|
"""
|
|
37
|
-
c_tz = cstruct.
|
|
38
|
-
c_tz.load(tz_def)
|
|
37
|
+
c_tz = cstruct().load(tz_def)
|
|
39
38
|
|
|
40
39
|
|
|
41
40
|
# Althoug calendar.SUNDAY is only officially documented since Python 3.10, it
|
|
@@ -63,7 +62,7 @@ ZERO = timedelta(0)
|
|
|
63
62
|
HOUR = timedelta(hours=1)
|
|
64
63
|
|
|
65
64
|
|
|
66
|
-
def parse_systemtime_transition(systemtime:
|
|
65
|
+
def parse_systemtime_transition(systemtime: c_tz._SYSTEMTIME, year: int) -> datetime:
|
|
67
66
|
"""Return the transition datetime for a given year using the SYSTEMTIME of a STD or DST transition date.
|
|
68
67
|
|
|
69
68
|
The SYSTEMTIME date of a TZI structure needs to be used to calculate the actual date for a given year.
|
|
@@ -237,8 +237,7 @@ struct QuarantineEntryResourceField {
|
|
|
237
237
|
};
|
|
238
238
|
"""
|
|
239
239
|
|
|
240
|
-
c_defender = cstruct()
|
|
241
|
-
c_defender.load(defender_def)
|
|
240
|
+
c_defender = cstruct().load(defender_def)
|
|
242
241
|
|
|
243
242
|
STREAM_ID = c_defender.STREAM_ID
|
|
244
243
|
STREAM_ATTRIBUTES = c_defender.STREAM_ATTRIBUTES
|
|
@@ -381,7 +380,7 @@ class QuarantineEntryResource:
|
|
|
381
380
|
self.last_access_time = ts.wintimestamp(int.from_bytes(field.Data, "little"))
|
|
382
381
|
elif field.Identifier == FIELD_IDENTIFIER.LastWriteTime:
|
|
383
382
|
self.last_write_time = ts.wintimestamp(int.from_bytes(field.Data, "little"))
|
|
384
|
-
elif field.Identifier not in FIELD_IDENTIFIER
|
|
383
|
+
elif field.Identifier not in FIELD_IDENTIFIER:
|
|
385
384
|
self.unknown_fields.append(field)
|
|
386
385
|
|
|
387
386
|
|
|
@@ -526,7 +525,7 @@ class MicrosoftDefenderPlugin(plugin.Plugin):
|
|
|
526
525
|
subdir = resource.resource_id[0:2]
|
|
527
526
|
resourcedata_location = resourcedata_directory.joinpath(subdir).joinpath(resource.resource_id)
|
|
528
527
|
if not resourcedata_location.exists():
|
|
529
|
-
self.target.log.warning(f"Could not find a ResourceData file for {
|
|
528
|
+
self.target.log.warning(f"Could not find a ResourceData file for {resource.resource_id}.")
|
|
530
529
|
continue
|
|
531
530
|
if not resourcedata_location.is_file():
|
|
532
531
|
self.target.log.warning(f"{resourcedata_location} is not a file!")
|
|
@@ -29,7 +29,7 @@ struct DomainKey {
|
|
|
29
29
|
DWORD accessCheckLen;
|
|
30
30
|
char guid[16];
|
|
31
31
|
char encryptedSecret[secretLen];
|
|
32
|
-
char
|
|
32
|
+
char accessCheck[accessCheckLen];
|
|
33
33
|
};
|
|
34
34
|
|
|
35
35
|
struct CredHist {
|
|
@@ -66,8 +66,7 @@ struct MasterKeyFileHeader {
|
|
|
66
66
|
QWORD qwDomainKeySize;
|
|
67
67
|
};
|
|
68
68
|
"""
|
|
69
|
-
c_master_key = cstruct()
|
|
70
|
-
c_master_key.load(master_key_def)
|
|
69
|
+
c_master_key = cstruct().load(master_key_def)
|
|
71
70
|
|
|
72
71
|
|
|
73
72
|
class MasterKey:
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
from io import BytesIO
|
|
2
2
|
|
|
3
|
-
from dissect import cstruct
|
|
3
|
+
from dissect.cstruct import cstruct
|
|
4
4
|
from dissect.util import lzxpress_huffman
|
|
5
5
|
from dissect.util.ts import wintimestamp
|
|
6
6
|
|
|
@@ -33,7 +33,7 @@ GroupedPrefetchRecord = TargetRecordDescriptor(
|
|
|
33
33
|
)
|
|
34
34
|
|
|
35
35
|
|
|
36
|
-
|
|
36
|
+
prefetch_def = """
|
|
37
37
|
struct PREFETCH_HEADER_DETECT {
|
|
38
38
|
char signature[4];
|
|
39
39
|
uint32 size;
|
|
@@ -59,14 +59,14 @@ c_prefetch = """
|
|
|
59
59
|
uint32 volumes_information_offset;
|
|
60
60
|
uint32 number_of_volumes;
|
|
61
61
|
uint32 volumes_information_size;
|
|
62
|
-
uint32
|
|
62
|
+
uint32 unknown0[2];
|
|
63
63
|
uint64 last_run_time;
|
|
64
64
|
uint64 last_run_remains[7];
|
|
65
|
-
uint64
|
|
65
|
+
uint64 unknown1[2];
|
|
66
66
|
uint32 run_count;
|
|
67
|
-
uint32
|
|
68
|
-
uint32
|
|
69
|
-
char
|
|
67
|
+
uint32 unknown2;
|
|
68
|
+
uint32 unknown3;
|
|
69
|
+
char unknown4[88];
|
|
70
70
|
};
|
|
71
71
|
|
|
72
72
|
struct FILE_INFORMATION_17 {
|
|
@@ -80,9 +80,9 @@ c_prefetch = """
|
|
|
80
80
|
uint32 number_of_volumes;
|
|
81
81
|
uint32 volumes_information_size;
|
|
82
82
|
uint32 last_run_time;
|
|
83
|
-
uint32
|
|
83
|
+
uint32 unknown0;
|
|
84
84
|
uint32 run_count;
|
|
85
|
-
uint32
|
|
85
|
+
uint32 unknown1;
|
|
86
86
|
};
|
|
87
87
|
|
|
88
88
|
struct FILE_INFORMATION_23 {
|
|
@@ -99,9 +99,9 @@ c_prefetch = """
|
|
|
99
99
|
uint64 last_run_time;
|
|
100
100
|
uint64 last_run_remains[2];
|
|
101
101
|
uint32 run_count;
|
|
102
|
-
uint32
|
|
103
|
-
uint32
|
|
104
|
-
char
|
|
102
|
+
uint32 unknown0;
|
|
103
|
+
uint32 unknown1;
|
|
104
|
+
char unknown2[80];
|
|
105
105
|
};
|
|
106
106
|
|
|
107
107
|
struct VOLUME_INFORMATION_17 {
|
|
@@ -125,19 +125,19 @@ c_prefetch = """
|
|
|
125
125
|
uint32 file_reference_size;
|
|
126
126
|
uint32 directory_strings_array_offset;
|
|
127
127
|
uint32 number_of_directory_strings;
|
|
128
|
-
char
|
|
129
|
-
char
|
|
130
|
-
char
|
|
131
|
-
char
|
|
132
|
-
char
|
|
128
|
+
char unknown0[4];
|
|
129
|
+
char unknown1[24];
|
|
130
|
+
char unknown2[4];
|
|
131
|
+
char unknown3[24];
|
|
132
|
+
char unknown4[4];
|
|
133
133
|
};
|
|
134
134
|
|
|
135
135
|
struct TRACE_CHAIN_ARRAY_ENTRY_17 {
|
|
136
136
|
uint32 next_array_entry_index;
|
|
137
137
|
uint32 total_block_load_count;
|
|
138
|
-
uint32
|
|
139
|
-
uint32
|
|
140
|
-
uint32
|
|
138
|
+
uint32 unknown0;
|
|
139
|
+
uint32 unknown1;
|
|
140
|
+
uint32 unknown2;
|
|
141
141
|
};
|
|
142
142
|
|
|
143
143
|
struct FILE_METRICS_ARRAY_ENTRY_17 {
|
|
@@ -158,25 +158,24 @@ c_prefetch = """
|
|
|
158
158
|
uint64 ntfs_reference;
|
|
159
159
|
};
|
|
160
160
|
"""
|
|
161
|
-
|
|
162
|
-
prefetch.load(c_prefetch)
|
|
161
|
+
c_prefetch = cstruct().load(prefetch_def)
|
|
163
162
|
|
|
164
163
|
prefetch_version_structs = {
|
|
165
|
-
17: (
|
|
166
|
-
23: (
|
|
167
|
-
30: (
|
|
164
|
+
17: (c_prefetch.FILE_INFORMATION_17, c_prefetch.FILE_METRICS_ARRAY_ENTRY_17),
|
|
165
|
+
23: (c_prefetch.FILE_INFORMATION_23, c_prefetch.FILE_METRICS_ARRAY_ENTRY_23),
|
|
166
|
+
30: (c_prefetch.FILE_INFORMATION_26, c_prefetch.FILE_METRICS_ARRAY_ENTRY_23),
|
|
168
167
|
}
|
|
169
168
|
|
|
170
169
|
|
|
171
170
|
class Prefetch:
|
|
172
171
|
def __init__(self, fh):
|
|
173
|
-
header_detect =
|
|
172
|
+
header_detect = c_prefetch.PREFETCH_HEADER_DETECT(fh.read(8))
|
|
174
173
|
if header_detect.signature == b"MAM\x04":
|
|
175
174
|
fh = BytesIO(lzxpress_huffman.decompress(fh))
|
|
176
175
|
|
|
177
176
|
self.fh = fh
|
|
178
177
|
self.fh.seek(0)
|
|
179
|
-
self.header =
|
|
178
|
+
self.header = c_prefetch.PREFETCH_HEADER(self.fh)
|
|
180
179
|
self.version = self.identify()
|
|
181
180
|
self.volumes = None
|
|
182
181
|
self.metrics = None
|
|
@@ -1,6 +1,8 @@
|
|
|
1
|
+
from __future__ import annotations
|
|
2
|
+
|
|
1
3
|
from typing import Generator
|
|
2
4
|
|
|
3
|
-
from dissect import cstruct
|
|
5
|
+
from dissect.cstruct import cstruct
|
|
4
6
|
from dissect.util.ts import wintimestamp
|
|
5
7
|
|
|
6
8
|
from dissect.target import Target
|
|
@@ -21,7 +23,7 @@ RecycleBinRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
|
|
|
21
23
|
],
|
|
22
24
|
)
|
|
23
25
|
|
|
24
|
-
|
|
26
|
+
recyclebin_def = """
|
|
25
27
|
struct header_v1 {
|
|
26
28
|
int64 version;
|
|
27
29
|
int64 file_size;
|
|
@@ -37,14 +39,14 @@ struct header_v2 {
|
|
|
37
39
|
};
|
|
38
40
|
"""
|
|
39
41
|
|
|
42
|
+
c_recyclebin = cstruct().load(recyclebin_def)
|
|
43
|
+
|
|
40
44
|
|
|
41
45
|
class RecyclebinPlugin(Plugin):
|
|
42
46
|
"""Recyclebin plugin."""
|
|
43
47
|
|
|
44
48
|
def __init__(self, target: Target) -> None:
|
|
45
49
|
super().__init__(target)
|
|
46
|
-
self.recyclebin_parser = cstruct.cstruct()
|
|
47
|
-
self.recyclebin_parser.load(c_recyclebin_i)
|
|
48
50
|
|
|
49
51
|
def check_compatible(self) -> None:
|
|
50
52
|
for fs_entry in self.target.fs.path("/").iterdir():
|
|
@@ -131,11 +133,11 @@ class RecyclebinPlugin(Plugin):
|
|
|
131
133
|
return "unknown"
|
|
132
134
|
return parent_path.name
|
|
133
135
|
|
|
134
|
-
def select_header(self, data: bytes) ->
|
|
136
|
+
def select_header(self, data: bytes) -> c_recyclebin.header_v1 | c_recyclebin.header_v2:
|
|
135
137
|
"""Selects the correct header based on the version field in the header"""
|
|
136
138
|
|
|
137
|
-
header_version =
|
|
139
|
+
header_version = c_recyclebin.uint64(data[:8])
|
|
138
140
|
if header_version == 2:
|
|
139
|
-
return
|
|
141
|
+
return c_recyclebin.header_v2
|
|
140
142
|
else:
|
|
141
|
-
return
|
|
143
|
+
return c_recyclebin.header_v1
|
|
@@ -1,14 +1,12 @@
|
|
|
1
1
|
import io
|
|
2
2
|
|
|
3
|
-
from dissect import cstruct
|
|
3
|
+
from dissect.cstruct import cstruct
|
|
4
4
|
|
|
5
5
|
from dissect.target.exceptions import UnsupportedPluginError
|
|
6
6
|
from dissect.target.helpers.record import TargetRecordDescriptor
|
|
7
7
|
from dissect.target.plugin import Plugin, export
|
|
8
8
|
|
|
9
|
-
|
|
10
|
-
c_adtev.load(
|
|
11
|
-
"""
|
|
9
|
+
adtev_def = """
|
|
12
10
|
struct header {
|
|
13
11
|
uint16 unk0;
|
|
14
12
|
uint16 unk1;
|
|
@@ -18,7 +16,8 @@ struct header {
|
|
|
18
16
|
uint16 unk3;
|
|
19
17
|
};
|
|
20
18
|
"""
|
|
21
|
-
|
|
19
|
+
|
|
20
|
+
c_adtev = cstruct().load(adtev_def)
|
|
22
21
|
|
|
23
22
|
POLICY_CATEGORIES = [
|
|
24
23
|
"System",
|
|
@@ -5,13 +5,12 @@ from dissect.target.exceptions import UnsupportedPluginError
|
|
|
5
5
|
from dissect.target.helpers.record import TargetRecordDescriptor
|
|
6
6
|
from dissect.target.plugin import Plugin, export
|
|
7
7
|
|
|
8
|
-
|
|
8
|
+
bam_def = """
|
|
9
9
|
struct entry {
|
|
10
10
|
uint64 ts;
|
|
11
11
|
};
|
|
12
12
|
"""
|
|
13
|
-
c_bam = cstruct()
|
|
14
|
-
c_bam.load(c_bamdef)
|
|
13
|
+
c_bam = cstruct().load(bam_def)
|
|
15
14
|
|
|
16
15
|
BamDamRecord = TargetRecordDescriptor(
|
|
17
16
|
"windows/registry/bam",
|
|
@@ -1,10 +1,10 @@
|
|
|
1
|
-
from dissect import cstruct
|
|
1
|
+
from dissect.cstruct import cstruct
|
|
2
2
|
|
|
3
3
|
from dissect.target.exceptions import UnsupportedPluginError
|
|
4
4
|
from dissect.target.helpers.record import TargetRecordDescriptor
|
|
5
5
|
from dissect.target.plugin import Plugin, export
|
|
6
6
|
|
|
7
|
-
|
|
7
|
+
recent_files_def = """
|
|
8
8
|
struct header {
|
|
9
9
|
uint32 magic;
|
|
10
10
|
uint32 unk0;
|
|
@@ -18,8 +18,7 @@ c_recent_files_def = """
|
|
|
18
18
|
wchar path[length + 1];
|
|
19
19
|
};
|
|
20
20
|
"""
|
|
21
|
-
c_recent_files = cstruct.
|
|
22
|
-
c_recent_files.load(c_recent_files_def)
|
|
21
|
+
c_recent_files = cstruct().load(recent_files_def)
|
|
23
22
|
|
|
24
23
|
RecentFileCacheRecord = TargetRecordDescriptor(
|
|
25
24
|
"windows/recentfilecache",
|
|
@@ -243,8 +243,7 @@ struct EXTENSION_BLOCK_HEADER {
|
|
|
243
243
|
uint32 signature;
|
|
244
244
|
};
|
|
245
245
|
"""
|
|
246
|
-
c_bag = cstruct()
|
|
247
|
-
c_bag.load(bag_def)
|
|
246
|
+
c_bag = cstruct().load(bag_def)
|
|
248
247
|
|
|
249
248
|
DELEGATE_ITEM_IDENTIFIER = b"\x74\x1a\x59\x5e\x96\xdf\xd3\x48\x8d\x67\x17\x33\xbc\xee\x28\xba"
|
|
250
249
|
|
|
@@ -21,7 +21,7 @@ ShimcacheRecord = TargetRecordDescriptor(
|
|
|
21
21
|
],
|
|
22
22
|
)
|
|
23
23
|
|
|
24
|
-
|
|
24
|
+
shim_def = """
|
|
25
25
|
struct NT61_HEADER {
|
|
26
26
|
uint32 magic;
|
|
27
27
|
uint32 num_entries;
|
|
@@ -99,8 +99,7 @@ struct WIN10_ENTRY_DATA {
|
|
|
99
99
|
uint64 ts;
|
|
100
100
|
};
|
|
101
101
|
"""
|
|
102
|
-
c_shim = cstruct()
|
|
103
|
-
c_shim.load(c_shimdef)
|
|
102
|
+
c_shim = cstruct().load(shim_def)
|
|
104
103
|
|
|
105
104
|
MAGIC_NT61 = 0xBADC0FEE
|
|
106
105
|
MAGIC_NT52 = 0xBADC0FFE
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
import codecs
|
|
2
2
|
|
|
3
|
-
from dissect import cstruct
|
|
3
|
+
from dissect.cstruct import cstruct
|
|
4
4
|
from dissect.util.ts import wintimestamp
|
|
5
5
|
|
|
6
6
|
from dissect.target.exceptions import RegistryValueNotFoundError, UnsupportedPluginError
|
|
@@ -14,13 +14,13 @@ from dissect.target.plugin import Plugin, export
|
|
|
14
14
|
|
|
15
15
|
userassist_def = """
|
|
16
16
|
struct VERSION5_ENTRY {
|
|
17
|
-
char
|
|
17
|
+
char padding0[4];
|
|
18
18
|
uint32 number_of_executions;
|
|
19
19
|
uint32 application_focus_count;
|
|
20
20
|
uint32 application_focus_duration;
|
|
21
|
-
char
|
|
21
|
+
char padding1[44];
|
|
22
22
|
uint64 timestamp;
|
|
23
|
-
char
|
|
23
|
+
char padding2[4];
|
|
24
24
|
};
|
|
25
25
|
|
|
26
26
|
struct VERSION3_ENTRY {
|
|
@@ -29,8 +29,7 @@ struct VERSION3_ENTRY {
|
|
|
29
29
|
uint64 timestamp;
|
|
30
30
|
};
|
|
31
31
|
"""
|
|
32
|
-
c_userassist = cstruct.
|
|
33
|
-
c_userassist.load(userassist_def)
|
|
32
|
+
c_userassist = cstruct().load(userassist_def)
|
|
34
33
|
|
|
35
34
|
UserAssistRecordDescriptor = create_extended_descriptor(
|
|
36
35
|
[
|
|
@@ -9,14 +9,14 @@ try:
|
|
|
9
9
|
except ImportError:
|
|
10
10
|
HAS_CRYPTO = False
|
|
11
11
|
|
|
12
|
-
from dissect import cstruct
|
|
12
|
+
from dissect.cstruct import cstruct
|
|
13
13
|
from dissect.util import ts
|
|
14
14
|
|
|
15
15
|
from dissect.target.exceptions import UnsupportedPluginError
|
|
16
16
|
from dissect.target.helpers.record import TargetRecordDescriptor
|
|
17
17
|
from dissect.target.plugin import Plugin, export
|
|
18
18
|
|
|
19
|
-
|
|
19
|
+
sam_def = """
|
|
20
20
|
struct user_F {
|
|
21
21
|
char unknown1[8];
|
|
22
22
|
uint64 t_last_login; /* Time of last login */
|
|
@@ -166,7 +166,7 @@ struct DOMAIN_ACCOUNT_F {
|
|
|
166
166
|
uint16 min_password_length; /* 0x50 */
|
|
167
167
|
uint16 password_history_length; /* 0x52 */
|
|
168
168
|
uint16 lockout_threshold; /* 0x54 */
|
|
169
|
-
uint16
|
|
169
|
+
uint16 unknown1_3; /* 0x56 */
|
|
170
170
|
uint32 server_state; /* 0x58 */
|
|
171
171
|
uint16 server_role; /* 0x5c */
|
|
172
172
|
uint16 uas_compability_required; /* 0x5e */
|
|
@@ -207,8 +207,7 @@ struct SAM_HASH_AES { /* size: >=24 */
|
|
|
207
207
|
};
|
|
208
208
|
"""
|
|
209
209
|
|
|
210
|
-
c_sam = cstruct.
|
|
211
|
-
c_sam.load(c_sam_def)
|
|
210
|
+
c_sam = cstruct().load(sam_def)
|
|
212
211
|
|
|
213
212
|
SamRecord = TargetRecordDescriptor(
|
|
214
213
|
"windows/registry/sam",
|
|
@@ -2,7 +2,7 @@ import datetime
|
|
|
2
2
|
import warnings
|
|
3
3
|
from typing import Iterator, Optional
|
|
4
4
|
|
|
5
|
-
from dissect import cstruct
|
|
5
|
+
from dissect.cstruct import cstruct
|
|
6
6
|
from flow.record import GroupedRecord
|
|
7
7
|
|
|
8
8
|
from dissect.target.exceptions import InvalidTaskError
|
|
@@ -135,8 +135,7 @@ struct ATJOB_DATA {
|
|
|
135
135
|
// uint8 job_signature[64 * s_ver * c_ver]; /* - calculated job signature. */
|
|
136
136
|
};
|
|
137
137
|
"""
|
|
138
|
-
|
|
139
|
-
atjob.load(atjob_def)
|
|
138
|
+
c_atjob = cstruct().load(atjob_def)
|
|
140
139
|
|
|
141
140
|
|
|
142
141
|
class AtTask:
|
|
@@ -149,7 +148,7 @@ class AtTask:
|
|
|
149
148
|
|
|
150
149
|
def __init__(self, job_file: TargetPath, target: Target):
|
|
151
150
|
try:
|
|
152
|
-
self.at_data =
|
|
151
|
+
self.at_data = c_atjob.ATJOB_DATA(job_file.open())
|
|
153
152
|
except Exception as e:
|
|
154
153
|
raise InvalidTaskError(e)
|
|
155
154
|
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
Metadata-Version: 2.1
|
|
2
2
|
Name: dissect.target
|
|
3
|
-
Version: 3.18.
|
|
3
|
+
Version: 3.18.dev7
|
|
4
4
|
Summary: This module ties all other Dissect modules together, it provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets)
|
|
5
5
|
Author-email: Dissect Team <dissect@fox-it.com>
|
|
6
6
|
License: Affero General Public License v3
|
|
@@ -23,36 +23,61 @@ Description-Content-Type: text/markdown
|
|
|
23
23
|
License-File: LICENSE
|
|
24
24
|
License-File: COPYRIGHT
|
|
25
25
|
Requires-Dist: defusedxml
|
|
26
|
-
Requires-Dist: dissect.cstruct <4.
|
|
27
|
-
Requires-Dist: dissect.eventlog <4
|
|
28
|
-
Requires-Dist: dissect.evidence <4
|
|
29
|
-
Requires-Dist: dissect.hypervisor <4
|
|
30
|
-
Requires-Dist: dissect.ntfs <4
|
|
31
|
-
Requires-Dist: dissect.regf <4
|
|
32
|
-
Requires-Dist: dissect.util <4
|
|
33
|
-
Requires-Dist: dissect.volume <4
|
|
26
|
+
Requires-Dist: dissect.cstruct <5,>=4.dev
|
|
27
|
+
Requires-Dist: dissect.eventlog <4,>=3
|
|
28
|
+
Requires-Dist: dissect.evidence <4,>=3
|
|
29
|
+
Requires-Dist: dissect.hypervisor <4,>=3
|
|
30
|
+
Requires-Dist: dissect.ntfs <4,>=3.4
|
|
31
|
+
Requires-Dist: dissect.regf <4,>=3.3
|
|
32
|
+
Requires-Dist: dissect.util <4,>=3
|
|
33
|
+
Requires-Dist: dissect.volume <4,>=2
|
|
34
34
|
Requires-Dist: flow.record ~=3.15.0
|
|
35
35
|
Requires-Dist: structlog
|
|
36
36
|
Provides-Extra: cb
|
|
37
37
|
Requires-Dist: dissect.target[full] ; extra == 'cb'
|
|
38
38
|
Requires-Dist: carbon-black-cloud-sdk ~=1.4.3 ; extra == 'cb'
|
|
39
|
+
Provides-Extra: dev
|
|
40
|
+
Requires-Dist: dissect.target[full,mqtt,yara] ; extra == 'dev'
|
|
41
|
+
Requires-Dist: dissect.btrfs[dev] <2.0.dev,>=1.0.dev ; extra == 'dev'
|
|
42
|
+
Requires-Dist: dissect.cim[dev] <4.0.dev,>=3.0.dev ; extra == 'dev'
|
|
43
|
+
Requires-Dist: dissect.clfs[dev] <2.0.dev,>=1.0.dev ; extra == 'dev'
|
|
44
|
+
Requires-Dist: dissect.cstruct <5.0.dev,>=4.0.dev ; extra == 'dev'
|
|
45
|
+
Requires-Dist: dissect.esedb[dev] <4.0.dev,>=3.0.dev ; extra == 'dev'
|
|
46
|
+
Requires-Dist: dissect.etl[dev] <4.0.dev,>=3.0.dev ; extra == 'dev'
|
|
47
|
+
Requires-Dist: dissect.eventlog[dev] <4.0.dev,>=3.0.dev ; extra == 'dev'
|
|
48
|
+
Requires-Dist: dissect.evidence[dev] <4.0.dev,>=3.0.dev ; extra == 'dev'
|
|
49
|
+
Requires-Dist: dissect.extfs[dev] <4.0.dev,>=3.0.dev ; extra == 'dev'
|
|
50
|
+
Requires-Dist: dissect.fat[dev] <4.0.dev,>=3.0.dev ; extra == 'dev'
|
|
51
|
+
Requires-Dist: dissect.ffs[dev] <4.0.dev,>=3.0.dev ; extra == 'dev'
|
|
52
|
+
Requires-Dist: dissect.hypervisor[dev] <4.0.dev,>=3.0.dev ; extra == 'dev'
|
|
53
|
+
Requires-Dist: dissect.jffs[dev] <2.0.dev,>=1.0.dev ; extra == 'dev'
|
|
54
|
+
Requires-Dist: dissect.ntfs[dev] <4.0.dev,>=3.4.dev ; extra == 'dev'
|
|
55
|
+
Requires-Dist: dissect.regf[dev] <4.0.dev,>=3.3.dev ; extra == 'dev'
|
|
56
|
+
Requires-Dist: dissect.shellitem[dev] <4.0.dev,>=3.0.dev ; extra == 'dev'
|
|
57
|
+
Requires-Dist: dissect.sql[dev] <4.0.dev,>=3.0.dev ; extra == 'dev'
|
|
58
|
+
Requires-Dist: dissect.squashfs[dev] <2.0.dev,>=1.0.dev ; extra == 'dev'
|
|
59
|
+
Requires-Dist: dissect.thumbcache[dev] <2.0.dev,>=1.0.dev ; extra == 'dev'
|
|
60
|
+
Requires-Dist: dissect.util <4.0.dev,>=3.0.dev ; extra == 'dev'
|
|
61
|
+
Requires-Dist: dissect.vmfs[dev] <4.0.dev,>=3.0.dev ; extra == 'dev'
|
|
62
|
+
Requires-Dist: dissect.volume[dev] <4.0.dev,>=3.0.dev ; extra == 'dev'
|
|
63
|
+
Requires-Dist: dissect.xfs[dev] <4.0.dev,>=3.0.dev ; extra == 'dev'
|
|
39
64
|
Provides-Extra: full
|
|
40
65
|
Requires-Dist: asn1crypto ; extra == 'full'
|
|
41
|
-
Requires-Dist: dissect.btrfs <2
|
|
42
|
-
Requires-Dist: dissect.cim <4
|
|
43
|
-
Requires-Dist: dissect.clfs <2
|
|
44
|
-
Requires-Dist: dissect.esedb <4
|
|
45
|
-
Requires-Dist: dissect.etl <4
|
|
46
|
-
Requires-Dist: dissect.extfs <4
|
|
47
|
-
Requires-Dist: dissect.fat <4
|
|
48
|
-
Requires-Dist: dissect.ffs <4
|
|
49
|
-
Requires-Dist: dissect.jffs <2
|
|
50
|
-
Requires-Dist: dissect.shellitem <4
|
|
51
|
-
Requires-Dist: dissect.squashfs <2
|
|
52
|
-
Requires-Dist: dissect.sql <4
|
|
53
|
-
Requires-Dist: dissect.thumbcache <2
|
|
54
|
-
Requires-Dist: dissect.vmfs <4
|
|
55
|
-
Requires-Dist: dissect.xfs <4
|
|
66
|
+
Requires-Dist: dissect.btrfs <2,>=1 ; extra == 'full'
|
|
67
|
+
Requires-Dist: dissect.cim <4,>=3 ; extra == 'full'
|
|
68
|
+
Requires-Dist: dissect.clfs <2,>=1 ; extra == 'full'
|
|
69
|
+
Requires-Dist: dissect.esedb <4,>=3 ; extra == 'full'
|
|
70
|
+
Requires-Dist: dissect.etl <4,>=3 ; extra == 'full'
|
|
71
|
+
Requires-Dist: dissect.extfs <4,>=3 ; extra == 'full'
|
|
72
|
+
Requires-Dist: dissect.fat <4,>=3 ; extra == 'full'
|
|
73
|
+
Requires-Dist: dissect.ffs <4,>=3 ; extra == 'full'
|
|
74
|
+
Requires-Dist: dissect.jffs <2,>=1 ; extra == 'full'
|
|
75
|
+
Requires-Dist: dissect.shellitem <4,>=3 ; extra == 'full'
|
|
76
|
+
Requires-Dist: dissect.squashfs <2,>=1 ; extra == 'full'
|
|
77
|
+
Requires-Dist: dissect.sql <4,>=3 ; extra == 'full'
|
|
78
|
+
Requires-Dist: dissect.thumbcache <2,>=1 ; extra == 'full'
|
|
79
|
+
Requires-Dist: dissect.vmfs <4,>=3 ; extra == 'full'
|
|
80
|
+
Requires-Dist: dissect.xfs <4,>=3 ; extra == 'full'
|
|
56
81
|
Requires-Dist: ipython ; extra == 'full'
|
|
57
82
|
Requires-Dist: fusepy ; extra == 'full'
|
|
58
83
|
Requires-Dist: pycryptodome ; extra == 'full'
|
|
@@ -60,12 +60,12 @@ dissect/target/helpers/mount.py,sha256=JxhUYyEbDnHfzPpfuWy4nV9OwCJPoDSGdHHNiyvd_
|
|
|
60
60
|
dissect/target/helpers/mui.py,sha256=i-7XoHbu4WO2fYapK9yGAMW04rFlgRispknc1KQIS5Q,22258
|
|
61
61
|
dissect/target/helpers/network_managers.py,sha256=uRh_P8ICbKke2N7eFJ6AS2-I5DmIRiaQUlxR7oqxPaU,24975
|
|
62
62
|
dissect/target/helpers/polypath.py,sha256=h8p7m_OCNiQljGwoZh5Aflr9H2ot6CZr6WKq1OSw58o,2175
|
|
63
|
-
dissect/target/helpers/protobuf.py,sha256=
|
|
63
|
+
dissect/target/helpers/protobuf.py,sha256=b4DsnqrRLrefcDjx7rQno-_LBcwtJXxuKf5RdOegzfE,1537
|
|
64
64
|
dissect/target/helpers/record.py,sha256=lWl7k2Mp9Axllm0tXzPGJx2zj2zONsyY_p5g424T0Lc,4826
|
|
65
65
|
dissect/target/helpers/record_modifier.py,sha256=3I_rC5jqvl0TsW3V8OQ6Dltz_D8J4PU1uhhzbJGKm9c,3245
|
|
66
66
|
dissect/target/helpers/regutil.py,sha256=kX-sSZbW8Qkg29Dn_9zYbaQrwLumrr4Y8zJ1EhHXIAM,27337
|
|
67
67
|
dissect/target/helpers/shell_folder_ids.py,sha256=Behhb8oh0kMxrEk6YYKYigCDZe8Hw5QS6iK_d2hTs2Y,24978
|
|
68
|
-
dissect/target/helpers/ssh.py,sha256=
|
|
68
|
+
dissect/target/helpers/ssh.py,sha256=obB7sqUH0IoUo78NAmHM8TX0pgA_4GHICZ3TA3TW_0E,6324
|
|
69
69
|
dissect/target/helpers/targetd.py,sha256=ELhUulzQ4OgXgHsWhsLgM14vut8Wm6btr7qTynlwKaE,1812
|
|
70
70
|
dissect/target/helpers/utils.py,sha256=r36Bn0UL0E6Z8ajmQrHzC6RyUxTRdwJ1PNsd904Lmzs,4027
|
|
71
71
|
dissect/target/helpers/compat/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
@@ -117,7 +117,7 @@ dissect/target/plugins/apps/av/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5
|
|
|
117
117
|
dissect/target/plugins/apps/av/mcafee.py,sha256=YWrsB5kQFtXfhqi6mdMPMVk2qh_KCiOBiaTnbj8mVrM,5440
|
|
118
118
|
dissect/target/plugins/apps/av/sophos.py,sha256=TuO-ggdD5De0UTouzNF7-1iLULIOvr6FDktocnM0aF0,4164
|
|
119
119
|
dissect/target/plugins/apps/av/symantec.py,sha256=I1_zZ2ihKptB2JJ7sYZ7df0AgtK3KhWPsbDkc2m_hPA,14171
|
|
120
|
-
dissect/target/plugins/apps/av/trendmicro.py,sha256=
|
|
120
|
+
dissect/target/plugins/apps/av/trendmicro.py,sha256=8F4IWYCXG7HEniGridQ4ax82Mrx_20wV_999-8c9ttQ,4666
|
|
121
121
|
dissect/target/plugins/apps/browser/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
122
122
|
dissect/target/plugins/apps/browser/brave.py,sha256=EW1ubL10swHeV9CscfpE-SrNZozul_Ewj48LNRaG5Kg,2865
|
|
123
123
|
dissect/target/plugins/apps/browser/browser.py,sha256=rBIwcgdl73gm-8APwx2jEUAYXRniXkqcdMr2UYj_tS8,4118
|
|
@@ -127,7 +127,7 @@ dissect/target/plugins/apps/browser/edge.py,sha256=woXzZtHPWmfcV8vbxGKHELKru5JRb
|
|
|
127
127
|
dissect/target/plugins/apps/browser/firefox.py,sha256=ROrzhI2SV81E63hi5PRtyJveRrBacWNJ9FWZS_ondlk,30929
|
|
128
128
|
dissect/target/plugins/apps/browser/iexplore.py,sha256=g_xw0toaiyjevxO8g9XPCOqc-CXZp39FVquRhPFGdTE,8801
|
|
129
129
|
dissect/target/plugins/apps/container/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
130
|
-
dissect/target/plugins/apps/container/docker.py,sha256=
|
|
130
|
+
dissect/target/plugins/apps/container/docker.py,sha256=KxQRbKGgxkf3YFBMa7fjeJ7qo8qjFys7zEmfQhDTnLw,15305
|
|
131
131
|
dissect/target/plugins/apps/remoteaccess/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
132
132
|
dissect/target/plugins/apps/remoteaccess/anydesk.py,sha256=lHtgINWXfVpPuCTRyQmT2ZO-1vkoqiXZ7coj8cZ8p4c,3185
|
|
133
133
|
dissect/target/plugins/apps/remoteaccess/remoteaccess.py,sha256=UQDmDC4Y-KxYl_8kaAh6SG_BLJZ6SeGnxG0gyD8tzaE,833
|
|
@@ -240,38 +240,38 @@ dissect/target/plugins/os/unix/linux/suse/__init__.py,sha256=47DEQpj8HBSa-_TImW-
|
|
|
240
240
|
dissect/target/plugins/os/unix/linux/suse/_os.py,sha256=eaqgnkbunBJ2Hf_GE96THjfT3ybVIZvtWId-dx3JMV4,575
|
|
241
241
|
dissect/target/plugins/os/unix/linux/suse/zypper.py,sha256=amepAWivvbHFt2AoJUHC8lIeuD5Iy8MFXTWKqTYAEqE,4142
|
|
242
242
|
dissect/target/plugins/os/unix/locate/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
243
|
-
dissect/target/plugins/os/unix/locate/gnulocate.py,sha256=
|
|
243
|
+
dissect/target/plugins/os/unix/locate/gnulocate.py,sha256=N5IF8fYsrKrWsJw8ZPC_Y4wiQqdchgOvKtv-E5-vLec,2922
|
|
244
244
|
dissect/target/plugins/os/unix/locate/locate.py,sha256=uXFcWAqoz_3eNWHhsGoEtkkhmT5J3F1GYvr4uQxi308,122
|
|
245
|
-
dissect/target/plugins/os/unix/locate/mlocate.py,sha256=
|
|
246
|
-
dissect/target/plugins/os/unix/locate/plocate.py,sha256=
|
|
245
|
+
dissect/target/plugins/os/unix/locate/mlocate.py,sha256=A8U3cqrA8fq8AV-4pkImjwdwQbWY-TspvRQS9bzZRLo,4477
|
|
246
|
+
dissect/target/plugins/os/unix/locate/plocate.py,sha256=PQ-nmpMex6POKEsyqppButAjVxR071urmGcFU1LUQdA,7219
|
|
247
247
|
dissect/target/plugins/os/unix/log/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
248
|
-
dissect/target/plugins/os/unix/log/atop.py,sha256=
|
|
248
|
+
dissect/target/plugins/os/unix/log/atop.py,sha256=ljvGipVG16qTECnV1kIORykcGH9tTlpDmcMo5CXSPns,16332
|
|
249
249
|
dissect/target/plugins/os/unix/log/audit.py,sha256=OjorWTmCFvCI5RJq6m6WNW0Lhb-poB2VAggKOGZUHK4,3722
|
|
250
250
|
dissect/target/plugins/os/unix/log/auth.py,sha256=l7gCuRdvv9gL0U1N0yrR9hVsMnr4t_k4t-n-f6PrOxg,2388
|
|
251
|
-
dissect/target/plugins/os/unix/log/journal.py,sha256=
|
|
252
|
-
dissect/target/plugins/os/unix/log/lastlog.py,sha256=
|
|
251
|
+
dissect/target/plugins/os/unix/log/journal.py,sha256=auVRfrW4NRU7HguoDLTz4l_IwNdPZLPAqD7jhrOTzH8,17404
|
|
252
|
+
dissect/target/plugins/os/unix/log/lastlog.py,sha256=Wq89wRSFZSBsoKVCxjDofnC4yw9XJ4iOF0XJe9EucCo,2448
|
|
253
253
|
dissect/target/plugins/os/unix/log/messages.py,sha256=CXA-SkMPLaCgnTQg9nzII-7tO8Il_ENQmuYvDxo33rI,4698
|
|
254
|
-
dissect/target/plugins/os/unix/log/utmp.py,sha256=
|
|
254
|
+
dissect/target/plugins/os/unix/log/utmp.py,sha256=1nPHIaBUHt_9z6PDrvyqg4huKLihUaWLrMmgMsbaeIo,7755
|
|
255
255
|
dissect/target/plugins/os/windows/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
256
256
|
dissect/target/plugins/os/windows/_os.py,sha256=g5XGtruvyWx4YAhMpGZnAaIFWQqLNQpee_Ot7ROmD8w,12606
|
|
257
257
|
dissect/target/plugins/os/windows/activitiescache.py,sha256=Q2aILnhJ2rp2AwEbWwyBuSLjMbGqaYJTsavSbfkcFKE,6741
|
|
258
|
-
dissect/target/plugins/os/windows/adpolicy.py,sha256=
|
|
258
|
+
dissect/target/plugins/os/windows/adpolicy.py,sha256=fULRFO_I_QxAn6G9SCwlLL-TLVliS13JEGnGotf7lSA,6983
|
|
259
259
|
dissect/target/plugins/os/windows/amcache.py,sha256=ZZNOs3bILTf0AGkDkhoatndl0j39DXkstN7oOyxJECU,27188
|
|
260
260
|
dissect/target/plugins/os/windows/catroot.py,sha256=wHW_p4M0aFonZJ2xZFIbgLbJopdCIXO9jVrGPHLsMLc,11105
|
|
261
261
|
dissect/target/plugins/os/windows/cim.py,sha256=jsrpu6TZpBUh7VWI9AV2Ib5bebTwsvqOwRfa5gjJd7c,3056
|
|
262
262
|
dissect/target/plugins/os/windows/clfs.py,sha256=begVsZ-CY97Ksh6S1g03LjyBgu8ERY2hfNDWYPj0GXI,4872
|
|
263
|
-
dissect/target/plugins/os/windows/credhist.py,sha256=
|
|
264
|
-
dissect/target/plugins/os/windows/datetime.py,sha256=
|
|
265
|
-
dissect/target/plugins/os/windows/defender.py,sha256=
|
|
263
|
+
dissect/target/plugins/os/windows/credhist.py,sha256=YSjuyd53Augdy_lKKzZHtx5Ozt0HzF6LDYIOb-8P1Pw,7058
|
|
264
|
+
dissect/target/plugins/os/windows/datetime.py,sha256=YKHUZU6lkKJocq15y0yCwvIIOb1Ej-kfvEBmHbrdIGw,9467
|
|
265
|
+
dissect/target/plugins/os/windows/defender.py,sha256=lHHhyi8YqNTmBu3qbH7yskMAYcarYouPxKtBQLtXnnE,23713
|
|
266
266
|
dissect/target/plugins/os/windows/env.py,sha256=-u9F9xWy6PUbQmu5Tv_MDoVmy6YB-7CbHokIK_T3S44,13891
|
|
267
267
|
dissect/target/plugins/os/windows/generic.py,sha256=BSvDPfB9faU0uquMj0guw5tnR_97Nn0XAEE4k05BFSQ,22273
|
|
268
268
|
dissect/target/plugins/os/windows/lnk.py,sha256=On1k0PODYggQM1j514qFepBACCV2Z2u61Q4Ba6e3Y2c,8179
|
|
269
269
|
dissect/target/plugins/os/windows/locale.py,sha256=yXVdclpUqss9h8Nq7N4kg3OHwWGDfjdfiLiUZR3wqv8,2324
|
|
270
|
-
dissect/target/plugins/os/windows/notifications.py,sha256=
|
|
271
|
-
dissect/target/plugins/os/windows/prefetch.py,sha256=
|
|
272
|
-
dissect/target/plugins/os/windows/recyclebin.py,sha256=
|
|
270
|
+
dissect/target/plugins/os/windows/notifications.py,sha256=T1CIvQgpW__qDR0Rq5zpeWmRWwjNDpvdMnvJJ_6tZXs,17378
|
|
271
|
+
dissect/target/plugins/os/windows/prefetch.py,sha256=v4OgSKMwcihz0SOuA0o0Ec8wsAKuiuEmJolqZmHFgJA,10491
|
|
272
|
+
dissect/target/plugins/os/windows/recyclebin.py,sha256=zx58hDCvcrD_eJl9nJmr_i80krSN03ya8nQzWFr2Tw0,4917
|
|
273
273
|
dissect/target/plugins/os/windows/registry.py,sha256=EfqUkgbzaqTuq1kIPYNG1TfvJxhJE5X-TEjV3K_xsPU,12814
|
|
274
|
-
dissect/target/plugins/os/windows/sam.py,sha256=
|
|
274
|
+
dissect/target/plugins/os/windows/sam.py,sha256=NwKzfP_ae8SXgCoj_apa-29ZeFxeQsGidJ6llF1khP8,15468
|
|
275
275
|
dissect/target/plugins/os/windows/services.py,sha256=MoVPJ1GKpPaJrGd2DYtuHEmKqC2uOKRc5SZKB12goSs,6068
|
|
276
276
|
dissect/target/plugins/os/windows/sru.py,sha256=sOM7CyMkW8XIXzI75GL69WoqUrSK2X99TFIfdQR2D64,17767
|
|
277
277
|
dissect/target/plugins/os/windows/startupinfo.py,sha256=kl8Y7M4nVfmJ71I33VCegtbHj-ZOeEsYAdlNbgwtUOA,3406
|
|
@@ -281,10 +281,10 @@ dissect/target/plugins/os/windows/thumbcache.py,sha256=23YjOjTNoE7BYITmg8s9Zs8Wi
|
|
|
281
281
|
dissect/target/plugins/os/windows/ual.py,sha256=TYF-R46klEa_HHb86UJd6mPrXwHlAMOUTzC0pZ8uiq0,9787
|
|
282
282
|
dissect/target/plugins/os/windows/wer.py,sha256=ogecvKYxAvDXLptQj4cn0JLn1FxaXjeSuJWs4JgkoZs,8656
|
|
283
283
|
dissect/target/plugins/os/windows/dpapi/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
284
|
-
dissect/target/plugins/os/windows/dpapi/blob.py,sha256=
|
|
284
|
+
dissect/target/plugins/os/windows/dpapi/blob.py,sha256=j3MMROXroes7pr_VLt8Xv6WEpv19hlgDpOxOJyZMRvo,5044
|
|
285
285
|
dissect/target/plugins/os/windows/dpapi/crypto.py,sha256=_F1F2j1chQw-KLqfWvgL2mCkF3HSvdVnM78OZ0ph9hc,9337
|
|
286
286
|
dissect/target/plugins/os/windows/dpapi/dpapi.py,sha256=NrLtx61m8PXsB3CzxUQgc1BKkaAVBOre1oEfGvqgtuw,7130
|
|
287
|
-
dissect/target/plugins/os/windows/dpapi/master_key.py,sha256=
|
|
287
|
+
dissect/target/plugins/os/windows/dpapi/master_key.py,sha256=oUuUfvMXmhRrgIs1CXTR6CdETKNYZwoStXSqtDdil78,6111
|
|
288
288
|
dissect/target/plugins/os/windows/exchange/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
289
289
|
dissect/target/plugins/os/windows/exchange/exchange.py,sha256=ofoapuDQXefIX4sTzwNboyk5RztN2JEyw1OWl5cx-wo,1564
|
|
290
290
|
dissect/target/plugins/os/windows/log/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
@@ -297,24 +297,24 @@ dissect/target/plugins/os/windows/log/schedlgu.py,sha256=JaP8H8eTEypWXhx2aFSR_IM
|
|
|
297
297
|
dissect/target/plugins/os/windows/regf/7zip.py,sha256=Vc336zhS6R8W98GGlLtPJ_OR0vEP014QnBtYwbx_HUo,3217
|
|
298
298
|
dissect/target/plugins/os/windows/regf/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
299
299
|
dissect/target/plugins/os/windows/regf/appxdebugkeys.py,sha256=X8MYLcD76pIZoIWwS_DgUp6q6pi2WO7jhZeoc4uGLak,3966
|
|
300
|
-
dissect/target/plugins/os/windows/regf/auditpol.py,sha256=
|
|
301
|
-
dissect/target/plugins/os/windows/regf/bam.py,sha256=
|
|
302
|
-
dissect/target/plugins/os/windows/regf/cit.py,sha256=
|
|
300
|
+
dissect/target/plugins/os/windows/regf/auditpol.py,sha256=qAVYurAECRbTzopOgempCK2dOpeJ-a-pGNhHYJEtbP4,5149
|
|
301
|
+
dissect/target/plugins/os/windows/regf/bam.py,sha256=zS2vheHp4HEfrAhcIR06GoTq8Ofwhe3zd8uMPj7Y61Q,2076
|
|
302
|
+
dissect/target/plugins/os/windows/regf/cit.py,sha256=d8euaR9gyCZIQG8PwHEQR4_wB8l0ZUUUYYCQbHHfLzA,38238
|
|
303
303
|
dissect/target/plugins/os/windows/regf/clsid.py,sha256=M121yHQgRDSGtXeShiB-RUuk_toHOFHLYwbHAP9SS8U,3632
|
|
304
304
|
dissect/target/plugins/os/windows/regf/firewall.py,sha256=-RUFjY4D-ua72vyvOTJyg-MpUbk9Syfo4TfgA7bV7Us,3172
|
|
305
305
|
dissect/target/plugins/os/windows/regf/mru.py,sha256=HYg4UnbsjvzZKS9qcqxkocUeIGQieMLXPjkjgZ1qbTY,13560
|
|
306
306
|
dissect/target/plugins/os/windows/regf/muicache.py,sha256=-1IYfNpFjjk4WYyFUBJGLl7ahEGeUKqlaI1QwPNnfjA,3738
|
|
307
307
|
dissect/target/plugins/os/windows/regf/nethist.py,sha256=QHbG9fmZNmjSVhrgqMvMo12YBaQedzeToS7ZD9eIJ28,3111
|
|
308
|
-
dissect/target/plugins/os/windows/regf/recentfilecache.py,sha256=
|
|
308
|
+
dissect/target/plugins/os/windows/regf/recentfilecache.py,sha256=goS6ajLIh6ZU-Gq4tupoxBoQCfMDp2qJgg-Nn5qFIsY,1850
|
|
309
309
|
dissect/target/plugins/os/windows/regf/regf.py,sha256=D1GrljF-sV8cWIjWJ3zH7k52i1OWD8poEC_PIeZMEis,3419
|
|
310
310
|
dissect/target/plugins/os/windows/regf/runkeys.py,sha256=-2HcdnVytzCt1xwgAI8rHDnwk8kwLPWURumvhrGnIHU,4278
|
|
311
|
-
dissect/target/plugins/os/windows/regf/shellbags.py,sha256=
|
|
312
|
-
dissect/target/plugins/os/windows/regf/shimcache.py,sha256=
|
|
311
|
+
dissect/target/plugins/os/windows/regf/shellbags.py,sha256=t6874fvnZoQ05H0-G95-a8RpmCWjz0dli6hHGu5jBEQ,25615
|
|
312
|
+
dissect/target/plugins/os/windows/regf/shimcache.py,sha256=no78i0nxbnfgDJ5TpDZNAJggCigD_zLrXNYss7gdg2Q,9994
|
|
313
313
|
dissect/target/plugins/os/windows/regf/trusteddocs.py,sha256=3yvpBDM-Asg0rvGN2TwALGRm9DYogG6TxRau9D6FBbw,3700
|
|
314
314
|
dissect/target/plugins/os/windows/regf/usb.py,sha256=hR5fnqy_sint1YyWgm1-AMhGQ4MxJOH_Wz0vbYzr9p4,7213
|
|
315
|
-
dissect/target/plugins/os/windows/regf/userassist.py,sha256=
|
|
315
|
+
dissect/target/plugins/os/windows/regf/userassist.py,sha256=bSioEQdqUxdGwkdgMUfDIY2_pzrl9PdxPjmzmMaIwHs,5490
|
|
316
316
|
dissect/target/plugins/os/windows/task_helpers/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
317
|
-
dissect/target/plugins/os/windows/task_helpers/tasks_job.py,sha256
|
|
317
|
+
dissect/target/plugins/os/windows/task_helpers/tasks_job.py,sha256=7w3UGOiTAUQkP3xQ3sj4X3MTgHUJmmfdgiEadWmYquI,21197
|
|
318
318
|
dissect/target/plugins/os/windows/task_helpers/tasks_records.py,sha256=vpCyKqLQSzI5ymD1h5P6RncLEE47YtmjDFwKA16dVZ4,4046
|
|
319
319
|
dissect/target/plugins/os/windows/task_helpers/tasks_xml.py,sha256=oOsYse2-BrliVQRXlHD1-89hsmNrJqg42DJy681AW0U,15268
|
|
320
320
|
dissect/target/tools/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
@@ -340,10 +340,10 @@ dissect/target/volumes/luks.py,sha256=OmCMsw6rCUXG1_plnLVLTpsvE1n_6WtoRUGQbpmu1z
|
|
|
340
340
|
dissect/target/volumes/lvm.py,sha256=wwQVR9I3G9YzmY6UxFsH2Y4MXGBcKL9aayWGCDTiWMU,2269
|
|
341
341
|
dissect/target/volumes/md.py,sha256=j1K1iKmspl0C_OJFc7-Q1BMWN2OCC5EVANIgVlJ_fIE,1673
|
|
342
342
|
dissect/target/volumes/vmfs.py,sha256=-LoUbn9WNwTtLi_4K34uV_-wDw2W5hgaqxZNj4UmqAQ,1730
|
|
343
|
-
dissect.target-3.18.
|
|
344
|
-
dissect.target-3.18.
|
|
345
|
-
dissect.target-3.18.
|
|
346
|
-
dissect.target-3.18.
|
|
347
|
-
dissect.target-3.18.
|
|
348
|
-
dissect.target-3.18.
|
|
349
|
-
dissect.target-3.18.
|
|
343
|
+
dissect.target-3.18.dev7.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
|
|
344
|
+
dissect.target-3.18.dev7.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
|
|
345
|
+
dissect.target-3.18.dev7.dist-info/METADATA,sha256=QdjX1XeAbDN3B7UZr8WzmJzjVQzvv8GSxqOH-5LgBgg,12722
|
|
346
|
+
dissect.target-3.18.dev7.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
|
|
347
|
+
dissect.target-3.18.dev7.dist-info/entry_points.txt,sha256=tvFPa-Ap-gakjaPwRc6Fl6mxHzxEZ_arAVU-IUYeo_s,447
|
|
348
|
+
dissect.target-3.18.dev7.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
|
|
349
|
+
dissect.target-3.18.dev7.dist-info/RECORD,,
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|