dissect.target 3.19.dev18__py3-none-any.whl → 3.19.dev19__py3-none-any.whl

dissect/target/loader.py

@@ -195,6 +195,7 @@ register("vma", "VmaLoader")
 register("kape", "KapeLoader")
 register("tanium", "TaniumLoader")
 register("itunes", "ITunesLoader")
+register("ab", "AndroidBackupLoader")
 register("target", "TargetLoader")
 register("log", "LogLoader")
 # Disabling ResLoader because of DIS-536

dissect/target/loaders/ab.py

@@ -0,0 +1,285 @@
+import hashlib
+import io
+import posixpath
+import shutil
+import struct
+from pathlib import Path
+from typing import BinaryIO
+
+try:
+    from Crypto.Cipher import AES
+
+    HAS_PYCRYPTODOME = True
+except ImportError:
+    HAS_PYCRYPTODOME = False
+
+from dissect.util.stream import AlignedStream, RelativeStream, ZlibStream
+
+from dissect.target.exceptions import LoaderError
+from dissect.target.filesystem import VirtualFilesystem
+from dissect.target.filesystems.tar import TarFilesystem
+from dissect.target.helpers import keychain
+from dissect.target.loader import Loader
+from dissect.target.plugins.os.unix.linux.android._os import AndroidPlugin
+from dissect.target.target import Target
+
+DIRECTORY_MAPPING = {
+    "a": "/data/app/{id}",
+    "f": "/data/data/{id}/files",
+    "db": "/data/data/{id}/databases",
+    "ef": "/storage/emulated/0/Android/data/{id}",
+    "sp": "/data/data/{id}/shared_preferences",
+    "r": "/data/data/{id}",
+    "obb": "/storage/emulated/0/Android/obb/{id}",
+}
+
+
+class AndroidBackupLoader(Loader):
+    """Load Android backup files.
+
+    References:
+        - http://fileformats.archiveteam.org/wiki/Android_ADB_Backup
+    """
+
+    def __init__(self, path: Path, **kwargs):
+        super().__init__(path)
+        self.ab = AndroidBackup(path.open("rb"))
+
+        if self.ab.encrypted:
+            for key in keychain.get_keys_for_provider("ab") + keychain.get_keys_without_provider():
+                if key.key_type == keychain.KeyType.PASSPHRASE:
+                    try:
+                        self.ab.unlock(key.value)
+                        break
+                    except ValueError:
+                        continue
+            else:
+                raise LoaderError(f"Missing password for encrypted Android Backup: {self.path}")
+
+    @staticmethod
+    def detect(path: Path) -> bool:
+        if path.suffix.lower() == ".ab":
+            return True
+
+        if path.is_file():
+            # The file extension can be chosen freely so let's also test for the file magic
+            with path.open("rb") as fh:
+                if fh.read(15) == b"ANDROID BACKUP\n":
+                    return True
+
+        return False
+
+    def map(self, target: Target) -> None:
+        if self.ab.compressed or self.ab.encrypted:
+            if self.ab.compressed and not self.ab.encrypted:
+                word = "compressed"
+            elif self.ab.encrypted and not self.ab.compressed:
+                word = "encrypted"
+            else:
+                word = "compressed and encrypted"
+
+            target.log.warning(
+                f"Backup file is {word}, consider unwrapping with "
+                "`python -m dissect.target.loaders.ab <path/to/backup.ab>`"
+            )
+
+        vfs = VirtualFilesystem(case_sensitive=False)
+
+        fs = TarFilesystem(self.ab.open())
+        for app in fs.path("/apps").iterdir():
+            for subdir in app.iterdir():
+                if subdir.name not in DIRECTORY_MAPPING:
+                    continue
+
+                path = DIRECTORY_MAPPING[subdir.name].format(id=app.name)
+
+                # TODO: Remove once we move towards "directory entries"
+                entry = subdir.get()
+                entry.name = posixpath.basename(path)
+
+                vfs.map_file_entry(path, entry)
+
+        target.filesystems.add(vfs)
+        target._os_plugin = AndroidPlugin.create(target, vfs)
+
+
+class AndroidBackup:
+    def __init__(self, fh: BinaryIO):
+        self.fh = fh
+
+        size = fh.seek(0, io.SEEK_END)
+        fh.seek(0)
+
+        # Don't readline() straight away as we may be reading something other than a backup file
+        magic = fh.read(15)
+        if magic != b"ANDROID BACKUP\n":
+            raise ValueError("Not a valid Android Backup file")
+
+        self.version = int(fh.read(2)[:1])
+        self.compressed = bool(int(fh.read(2)[:1]))
+
+        self.encrypted = False
+        self.unlocked = True
+        self.encryption = fh.readline().strip().decode()
+
+        if self.encryption != "none":
+            self.encrypted = True
+            self.unlocked = False
+            self._user_salt = bytes.fromhex(fh.readline().strip().decode())
+            self._ck_salt = bytes.fromhex(fh.readline().strip().decode())
+            self._rounds = int(fh.readline().strip())
+            self._user_iv = bytes.fromhex(fh.readline().strip().decode())
+            self._master_key = bytes.fromhex(fh.readline().strip().decode())
+
+            self._mk = None
+            self._iv = None
+
+        self._data_offset = fh.tell()
+        self.size = size - self._data_offset
+
+    def unlock(self, password: str) -> None:
+        if not self.encrypted:
+            raise ValueError("Android Backup is not encrypted")
+
+        self._mk, self._iv = self._decrypt_mk(password)
+        self.unlocked = True
+
+    def _decrypt_mk(self, password: str) -> tuple[bytes, bytes]:
+        user_key = hashlib.pbkdf2_hmac("sha1", password.encode(), self._user_salt, self._rounds, 32)
+
+        blob = AES.new(user_key, AES.MODE_CBC, iv=self._user_iv).decrypt(self._master_key)
+        blob = blob[: -blob[-1]]
+
+        offset = 0
+        iv_len = blob[offset]
+        offset += 1
+        iv = blob[offset : offset + iv_len]
+
+        offset += iv_len
+        mk_len = blob[offset]
+        offset += 1
+        mk = blob[offset : offset + mk_len]
+
+        offset += mk_len
+        checksum_len = blob[offset]
+        offset += 1
+        checksum = blob[offset : offset + checksum_len]
+
+        ck_mk = _encode_bytes(mk) if self.version >= 2 else mk
+        our_checksum = hashlib.pbkdf2_hmac("sha1", ck_mk, self._ck_salt, self._rounds, 32)
+        if our_checksum != checksum:
+            # Try reverse encoding for good measure
+            ck_mk = mk if self.version >= 2 else _encode_bytes(mk)
+            our_checksum = hashlib.pbkdf2_hmac("sha1", ck_mk, self._ck_salt, self._rounds, 32)
+
+        if our_checksum != checksum:
+            raise ValueError("Invalid password: master key checksum does not match")
+
+        return mk, iv
+
+    def open(self) -> BinaryIO:
+        fh = RelativeStream(self.fh, self._data_offset)
+
+        if self.encrypted:
+            if not self.unlocked:
+                raise ValueError("Missing password for encrypted Android Backup")
+            fh = CipherStream(fh, self._mk, self._iv, self.size)
+
+        if self.compressed:
+            fh = ZlibStream(fh)
+
+        return fh
+
+
+class CipherStream(AlignedStream):
+    """Transparently AES-CBC decrypted stream."""
+
+    def __init__(self, fh: BinaryIO, key: bytes, iv: bytes, size: int):
+        self._fh = fh
+
+        self._key = key
+        self._iv = iv
+        self._cipher = None
+        self._cipher_offset = 0
+        self._reset_cipher()
+
+        super().__init__(size)
+
+    def _reset_cipher(self) -> None:
+        self._cipher = AES.new(self._key, AES.MODE_CBC, iv=self._iv)
+        self._cipher_offset = 0
+
+    def _seek_cipher(self, offset: int) -> None:
+        """CBC is dependent on previous blocks so to seek the cipher, decrypt and discard to the wanted offset."""
+        if offset < self._cipher_offset:
+            self._reset_cipher()
+            self._fh.seek(0)
+
+        while self._cipher_offset < offset:
+            read_size = min(offset - self._cipher_offset, self.align)
+            self._cipher.decrypt(self._fh.read(read_size))
+            self._cipher_offset += read_size
+
+    def _read(self, offset: int, length: int) -> bytes:
+        self._seek_cipher(offset)
+
+        data = self._cipher.decrypt(self._fh.read(length))
+        if offset + length >= self.size:
+            # Remove padding
+            data = data[: -data[-1]]
+
+        self._cipher_offset += len(data)
+
+        return data
+
+
+def _encode_bytes(buf: bytes) -> bytes:
+    # Emulate byte[] -> char[] -> utf8 byte[] casting
+    return struct.pack(">32h", *struct.unpack(">32b", buf)).decode("utf-16-be").encode("utf-8")
+
+
+def main() -> None:
+    import argparse
+
+    parser = argparse.ArgumentParser(description="Android Backup file unwrapper")
+    parser.add_argument("path", type=Path, help="source path")
+    parser.add_argument("-p", "--password", help="encryption password")
+    parser.add_argument("-t", "--tar", action="store_true", help="write a tar file instead of a plain Android Backup")
+    parser.add_argument("-o", "--output", type=Path, help="output path")
+    args = parser.parse_args()
+
+    if not args.path.is_file():
+        parser.exit("source path does not exist or is not a file")
+
+    ext = ".tar" if args.tar else ".plain.ab"
+    if args.output is None:
+        output = args.path.with_suffix(ext)
+    elif args.output.is_dir():
+        output = args.output.joinpath(args.path.name).with_suffix(ext)
+    else:
+        output = args.output
+
+    if output.exists():
+        parser.exit(f"output path already exists: {output}")
+
+    print(f"unwrapping {args.path} -> {output}")
+    with args.path.open("rb") as fh:
+        ab = AndroidBackup(fh)
+
+        if ab.encrypted:
+            if not args.password:
+                parser.exit("missing password for encrypted Android Backup")
+            ab.unlock(args.password)
+
+        with ab.open() as fhab, output.open("wb") as fhout:
+            if not args.tar:
+                fhout.write(b"ANDROID BACKUP\n")  # header
+                fhout.write(b"5\n")  # version
+                fhout.write(b"0\n")  # compressed
+                fhout.write(b"none\n")  # encryption
+
+            shutil.copyfileobj(fhab, fhout, 1024 * 1024 * 64)
+
+
+if __name__ == "__main__":
+    main()

dissect/target/plugins/os/unix/linux/android/_os.py

@@ -1,33 +1,23 @@
 from __future__ import annotations
 
-from typing import Iterator, Optional, TextIO
+from typing import Iterator, Optional
 
 from dissect.target.filesystem import Filesystem
-from dissect.target.helpers.record import UnixUserRecord
+from dissect.target.helpers import configutil
+from dissect.target.helpers.record import EmptyRecord
 from dissect.target.plugin import OperatingSystem, export
 from dissect.target.plugins.os.unix.linux._os import LinuxPlugin
 from dissect.target.target import Target
 
 
-class BuildProp:
-    def __init__(self, fh: TextIO):
-        self.props = {}
-
-        for line in fh:
-            line = line.strip()
-
-            if not line or line.startswith("#"):
-                continue
-
-            k, v = line.split("=")
-            self.props[k] = v
-
-
 class AndroidPlugin(LinuxPlugin):
     def __init__(self, target: Target):
         super().__init__(target)
         self.target = target
-        self.props = BuildProp(self.target.fs.path("/build.prop").open("rt"))
+
+        self.props = {}
+        if (build_prop := self.target.fs.path("/build.prop")).exists():
+            self.props = configutil.parse(build_prop, separator=("=",), comment_prefixes=("#",)).parsed_data
 
     @classmethod
     def detect(cls, target: Target) -> Optional[Filesystem]:
@@ -42,8 +32,8 @@ class AndroidPlugin(LinuxPlugin):
         return cls(target)
 
     @export(property=True)
-    def hostname(self) -> str:
-        return self.props.props["ro.build.host"]
+    def hostname(self) -> Optional[str]:
+        return self.props.get("ro.build.host")
 
     @export(property=True)
     def ips(self) -> list[str]:
@@ -53,11 +43,11 @@ class AndroidPlugin(LinuxPlugin):
     def version(self) -> str:
         full_version = "Android"
 
-        release_version = self.props.props.get("ro.build.version.release")
-        if release_version := self.props.props.get("ro.build.version.release"):
+        release_version = self.props.get("ro.build.version.release")
+        if release_version := self.props.get("ro.build.version.release"):
             full_version += f" {release_version}"
 
-        if security_patch_version := self.props.props.get("ro.build.version.security_patch"):
+        if security_patch_version := self.props.get("ro.build.version.security_patch"):
             full_version += f" ({security_patch_version})"
 
         return full_version
@@ -66,5 +56,6 @@ class AndroidPlugin(LinuxPlugin):
     def os(self) -> str:
         return OperatingSystem.ANDROID.value
 
-    def users(self) -> Iterator[UnixUserRecord]:
-        raise NotImplementedError()
+    @export(record=EmptyRecord)
+    def users(self) -> Iterator[EmptyRecord]:
+        yield from ()

{dissect.target-3.19.dev18.dist-info → dissect.target-3.19.dev19.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: dissect.target
-Version: 3.19.dev18
+Version: 3.19.dev19
 Summary: This module ties all other Dissect modules together, it provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets)
 Author-email: Dissect Team <dissect@fox-it.com>
 License: Affero General Public License v3

{dissect.target-3.19.dev18.dist-info → dissect.target-3.19.dev19.dist-info}/RECORD

@@ -2,7 +2,7 @@ dissect/target/__init__.py,sha256=Oc7ounTgq2hE4nR6YcNabetc7SQA40ldSa35VEdZcQU,63
 dissect/target/container.py,sha256=0YcwcGmfJjhPXUB6DEcjWEoSuAtTDxMDpoTviMrLsxM,9353
 dissect/target/exceptions.py,sha256=ULi7NXlqju_d8KENEL3aimmfKTFfbNssfeWhAnOB654,2972
 dissect/target/filesystem.py,sha256=G1gbOUpnQZyovubYGEUKgaDV0eHH5vE83-0gTc5PZAM,59793
-dissect/target/loader.py,sha256=hjKInZAEcv43RiqxZJ0yBI4Y2YZ2-nrsKWu_BKrgba4,7336
+dissect/target/loader.py,sha256=I8WNzDA0SMy42F7zfyBcSKj_VKNv64213WUvtGZ77qE,7374
 dissect/target/plugin.py,sha256=HAN8maaDt-Rlqt8Rr1IW7gXQpzNQZjCVz-i4aSPphSw,48677
 dissect/target/report.py,sha256=06uiP4MbNI8cWMVrC1SasNS-Yg6ptjVjckwj8Yhe0Js,7958
 dissect/target/target.py,sha256=8vg0VdEQuy5Ih5ewlm0b64o3HcJq_Nley4Ygyp2fLI4,32362
@@ -75,6 +75,7 @@ dissect/target/helpers/compat/path_39.py,sha256=FIyZ3sb-XQhJnm02jVdOc6ncjCWa9OVx
 dissect/target/helpers/compat/path_common.py,sha256=X9mAPoP6E5e_1idiZz7-FPRsOwcAjQ5FP70k30s_yMA,7739
 dissect/target/helpers/data/windowsZones.xml,sha256=4OijeR7oxI0ZwPTSwCkmtcofOsUCjSnbZ4dQxVOM_4o,50005
 dissect/target/loaders/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+dissect/target/loaders/ab.py,sha256=iwj1LHe_-VaBmj6d-nKrvim1UvrJ-nzp2LlgCFlOuUk,9484
 dissect/target/loaders/ad1.py,sha256=1_VmPZckDzXVvNF-HNtoUZqabnhCKBLUD3vVaitHQ00,571
 dissect/target/loaders/asdf.py,sha256=dvPPDBrnz2JPXpCbqsu-NgQWIdVGMOit2KAdhIO1iiQ,972
 dissect/target/loaders/cb.py,sha256=EGhdytBKBdofTd89juavDZZbmupEZmMBadeUXvVIK20,6612
@@ -222,7 +223,7 @@ dissect/target/plugins/os/unix/linux/processes.py,sha256=rvDJWAp16WAJZ91A8_GJJIj
 dissect/target/plugins/os/unix/linux/services.py,sha256=-d2y073mOXUM3XCzRgDVCRFR9eTLoVuN8FsZVewHzRg,4075
 dissect/target/plugins/os/unix/linux/sockets.py,sha256=CXstlQt0tLcVSpvi0xOXJu580O6BGUBW3lJQt20aMUw,9920
 dissect/target/plugins/os/unix/linux/android/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-dissect/target/plugins/os/unix/linux/android/_os.py,sha256=trmESlpHdwVu7wV18RevEhh_TsVyfKPFCd5Usb5-fSU,2056
+dissect/target/plugins/os/unix/linux/android/_os.py,sha256=-VWLkL3mFAr-ZxwH1qdSPNLvOgbYN92d4HyM2LSty5w,1947
 dissect/target/plugins/os/unix/linux/debian/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/plugins/os/unix/linux/debian/_os.py,sha256=GI19ZqcyfZ1mUYg2NCx93HkZje9MWMU8FYNKQv-G6go,498
 dissect/target/plugins/os/unix/linux/debian/apt.py,sha256=dkTfLrS-MS8wfrXILFLHDoLqBkM_w16KTRQ7ysiZkZY,4316
@@ -344,10 +345,10 @@ dissect/target/volumes/luks.py,sha256=OmCMsw6rCUXG1_plnLVLTpsvE1n_6WtoRUGQbpmu1z
 dissect/target/volumes/lvm.py,sha256=wwQVR9I3G9YzmY6UxFsH2Y4MXGBcKL9aayWGCDTiWMU,2269
 dissect/target/volumes/md.py,sha256=j1K1iKmspl0C_OJFc7-Q1BMWN2OCC5EVANIgVlJ_fIE,1673
 dissect/target/volumes/vmfs.py,sha256=-LoUbn9WNwTtLi_4K34uV_-wDw2W5hgaqxZNj4UmqAQ,1730
-dissect.target-3.19.dev18.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
-dissect.target-3.19.dev18.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
-dissect.target-3.19.dev18.dist-info/METADATA,sha256=5gfwL4PP7a_vTLYBnbyfy1keo11MDR4aYuyMlPMv5Vs,12719
-dissect.target-3.19.dev18.dist-info/WHEEL,sha256=R0nc6qTxuoLk7ShA2_Y-UWkN8ZdfDBG2B6Eqpz2WXbs,91
-dissect.target-3.19.dev18.dist-info/entry_points.txt,sha256=tvFPa-Ap-gakjaPwRc6Fl6mxHzxEZ_arAVU-IUYeo_s,447
-dissect.target-3.19.dev18.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
-dissect.target-3.19.dev18.dist-info/RECORD,,
+dissect.target-3.19.dev19.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
+dissect.target-3.19.dev19.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
+dissect.target-3.19.dev19.dist-info/METADATA,sha256=1_oiRc_YPQzlraRQsEAAfx7MTXUAjB505xvN06L7us0,12719
+dissect.target-3.19.dev19.dist-info/WHEEL,sha256=R0nc6qTxuoLk7ShA2_Y-UWkN8ZdfDBG2B6Eqpz2WXbs,91
+dissect.target-3.19.dev19.dist-info/entry_points.txt,sha256=tvFPa-Ap-gakjaPwRc6Fl6mxHzxEZ_arAVU-IUYeo_s,447
+dissect.target-3.19.dev19.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
+dissect.target-3.19.dev19.dist-info/RECORD,,