dissect.target 3.19.dev39__py3-none-any.whl → 3.19.dev41__py3-none-any.whl

dissect/target/filesystems/extfs.py

@@ -134,6 +134,10 @@ class ExtFilesystemEntry(FilesystemEntry):
         st_info.st_mtime_ns = self.entry.mtime_ns
         st_info.st_ctime_ns = self.entry.ctime_ns
 
+        # Set blocks
+        st_info.st_blocks = self.entry.inode.i_blocks_lo
+        st_info.st_blksize = self.entry.extfs.block_size
+
         return st_info
 
     def attr(self) -> Any:

dissect/target/helpers/fsutil.py

@@ -144,6 +144,7 @@ class stat_result:  # noqa
         "st_file_attributes": "Windows file attribute bits",
         "st_fstype": "Type of filesystem",
         "st_reparse_tag": "Windows reparse tag",
+        "st_birthtime_ns": "time of creation in nanoseconds",
         # Internal fields
         "_s": "internal tuple",
     }
@@ -193,6 +194,7 @@ class stat_result:  # noqa
         self.st_file_attributes = s[22]
         self.st_fstype = s[23]
         self.st_reparse_tag = s[24]
+        self.st_birthtime_ns = s[25]
 
         # stat_result behaves like a tuple, but only with the first 10 fields
         # Note that this means it specifically uses the integer variants of the timestamps

dissect/target/loaders/tar.py

@@ -1,8 +1,9 @@
+from __future__ import annotations
+
 import logging
 import re
 import tarfile
 from pathlib import Path
-from typing import Union
 
 from dissect.target import filesystem, target
 from dissect.target.filesystems.tar import (
@@ -21,22 +22,25 @@ ANON_FS_RE = re.compile(r"^fs[0-9]+$")
 class TarLoader(Loader):
     """Load tar files."""
 
-    def __init__(self, path: Union[Path, str], **kwargs):
+    def __init__(self, path: Path | str, **kwargs):
         super().__init__(path)
 
+        if isinstance(path, str):
+            path = Path(path)
+
         if self.is_compressed(path):
             log.warning(
                 f"Tar file {path!r} is compressed, which will affect performance. "
                 "Consider uncompressing the archive before passing the tar file to Dissect."
             )
 
-        self.tar = tarfile.open(path)
+        self.tar = tarfile.open(fileobj=path.open("rb"))
 
     @staticmethod
     def detect(path: Path) -> bool:
         return path.name.lower().endswith((".tar", ".tar.gz", ".tgz"))
 
-    def is_compressed(self, path: Union[Path, str]) -> bool:
+    def is_compressed(self, path: Path | str) -> bool:
         return str(path).lower().endswith((".tar.gz", ".tgz"))
 
     def map(self, target: target.Target) -> None:

dissect/target/loaders/velociraptor.py

@@ -3,7 +3,7 @@ from __future__ import annotations
 import logging
 import zipfile
 from pathlib import Path
-from typing import TYPE_CHECKING, Optional
+from typing import TYPE_CHECKING
 
 from dissect.target.loaders.dir import DirLoader, find_dirs, map_dirs
 from dissect.target.plugin import OperatingSystem
@@ -18,7 +18,7 @@ UNIX_ACCESSORS = ["file", "auto"]
 WINDOWS_ACCESSORS = ["mft", "ntfs", "lazy_ntfs", "ntfs_vss", "auto"]
 
 
-def find_fs_directories(path: Path) -> tuple[Optional[OperatingSystem], Optional[list[Path]]]:
+def find_fs_directories(path: Path) -> tuple[OperatingSystem | None, list[Path] | None]:
     fs_root = path.joinpath(FILESYSTEMS_ROOT)
 
     # Unix
@@ -56,7 +56,7 @@ def find_fs_directories(path: Path) -> tuple[Optional[OperatingSystem], Optional
     return None, None
 
 
-def extract_drive_letter(name: str) -> Optional[str]:
+def extract_drive_letter(name: str) -> str | None:
     # \\.\X: in URL encoding
     if len(name) == 14 and name.startswith("%5C%5C.%5C") and name.endswith("%3A"):
         return name[10].lower()
@@ -91,7 +91,7 @@ class VelociraptorLoader(DirLoader):
                 f"Velociraptor target {path!r} is compressed, which will slightly affect performance. "
                 "Consider uncompressing the archive and passing the uncompressed folder to Dissect."
             )
-            self.root = zipfile.Path(path)
+            self.root = zipfile.Path(path.open("rb"))
         else:
             self.root = path
 
@@ -105,8 +105,8 @@ class VelociraptorLoader(DirLoader):
         #   results/
         #   uploads.json
         #   [...] other files related to the collection
-        if path.suffix == ".zip":  # novermin
-            path = zipfile.Path(path)
+        if path.exists() and path.suffix == ".zip":  # novermin
+            path = zipfile.Path(path.open("rb"))
 
         if path.joinpath(FILESYSTEMS_ROOT).exists() and path.joinpath("uploads.json").exists():
             _, dirs = find_fs_directories(path)

dissect/target/plugin.py

@@ -2,9 +2,11 @@
 
 See dissect/target/plugins/general/example.py for an example plugin.
 """
+
 from __future__ import annotations
 
 import fnmatch
+import functools
 import importlib
 import importlib.util
 import inspect
@@ -196,6 +198,8 @@ class Plugin:
     The :func:`internal` decorator and :class:`InternalPlugin` set the ``__internal__`` attribute.
     Finally. :func:`args` decorator sets the ``__args__`` attribute.
 
+    The :func:`alias` decorator populates the ``__aliases__`` private attribute of :class:`Plugin` methods.
+
     Args:
         target: The :class:`~dissect.target.target.Target` object to load the plugin for.
     """
@@ -448,6 +452,11 @@ def register(plugincls: Type[Plugin]) -> None:
     exports = []
     functions = []
 
+    # First pass to resolve aliases
+    for attr in get_nonprivate_attributes(plugincls):
+        for alias in getattr(attr, "__aliases__", []):
+            clone_alias(plugincls, attr, alias)
+
     for attr in get_nonprivate_attributes(plugincls):
         if isinstance(attr, property):
             attr = attr.fget
@@ -542,6 +551,47 @@ def arg(*args, **kwargs) -> Callable:
     return decorator
 
 
+def alias(*args, **kwargs: dict[str, Any]) -> Callable:
+    """Decorator to be used on :class:`Plugin` functions to register an alias of that function."""
+
+    if not kwargs.get("name") and not args:
+        raise ValueError("Missing argument 'name'")
+
+    def decorator(obj: Callable) -> Callable:
+        if not hasattr(obj, "__aliases__"):
+            obj.__aliases__ = []
+
+        if name := (kwargs.get("name") or args[0]):
+            obj.__aliases__.append(name)
+
+        return obj
+
+    return decorator
+
+
+def clone_alias(cls: type, attr: Callable, alias: str) -> None:
+    """Clone the given attribute to an alias in the provided class."""
+
+    # Clone the function object
+    clone = type(attr)(attr.__code__, attr.__globals__, alias, attr.__defaults__, attr.__closure__)
+    clone.__kwdefaults__ = attr.__kwdefaults__
+
+    # Copy some attributes
+    functools.update_wrapper(clone, attr)
+    if wrapped := getattr(attr, "__wrapped__", None):
+        # update_wrapper sets a new wrapper, we want the original
+        clone.__wrapped__ = wrapped
+
+    # Update module path so we can fool inspect.getmodule with subclassed Plugin classes
+    clone.__module__ = cls.__module__
+
+    # Update the names
+    clone.__name__ = alias
+    clone.__qualname__ = f"{cls.__name__}.{alias}"
+
+    setattr(cls, alias, clone)
+
+
 def plugins(
     osfilter: Optional[type[OSPlugin]] = None,
     special_keys: set[str] = set(),

dissect/target/plugins/os/unix/history.py

@@ -8,7 +8,7 @@ from dissect.target.exceptions import UnsupportedPluginError
 from dissect.target.helpers.descriptor_extensions import UserRecordDescriptorExtension
 from dissect.target.helpers.fsutil import TargetPath
 from dissect.target.helpers.record import UnixUserRecord, create_extended_descriptor
-from dissect.target.plugin import Plugin, export, internal
+from dissect.target.plugin import Plugin, alias, export, internal
 
 CommandHistoryRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
     "unix/history",
@@ -36,6 +36,7 @@ class CommandHistoryPlugin(Plugin):
         ("sqlite", ".sqlite_history"),
         ("zsh", ".zsh_history"),
         ("ash", ".ash_history"),
+        ("dissect", ".dissect_history"),  # wow so meta
     )
 
     def __init__(self, target: Target):
@@ -56,12 +57,7 @@ class CommandHistoryPlugin(Plugin):
                     history_files.append((shell, history_path, user_details.user))
         return history_files
 
-    @export(record=CommandHistoryRecord)
-    def bashhistory(self):
-        """Deprecated, use commandhistory function."""
-        self.target.log.warn("Function 'bashhistory' is deprecated, use the 'commandhistory' function instead.")
-        return self.commandhistory()
-
+    @alias("bashhistory")
     @export(record=CommandHistoryRecord)
     def commandhistory(self):
         """Return shell history for all users.

dissect/target/target.py

@@ -87,7 +87,7 @@ class Target:
         self._applied = False
 
         try:
-            self._config = config.load([self.path, os.getcwd()])
+            self._config = config.load([self.path, Path.cwd(), Path.home()])
         except Exception as e:
             self.log.warning("Error loading config file: %s", self.path)
             self.log.debug("", exc_info=e)

dissect/target/tools/fs.py

@@ -2,9 +2,7 @@
 # -*- coding: utf-8 -*-
 
 import argparse
-import datetime
 import logging
-import operator
 import os
 import pathlib
 import shutil
@@ -13,7 +11,7 @@ import sys
 from dissect.target import Target
 from dissect.target.exceptions import TargetError
 from dissect.target.helpers.fsutil import TargetPath
-from dissect.target.tools.shell import stat_modestr
+from dissect.target.tools.fsutils import print_ls, print_stat
 from dissect.target.tools.utils import (
     catch_sigpipe,
     configure_generic_arguments,
@@ -25,11 +23,6 @@ logging.lastResort = None
 logging.raiseExceptions = False
 
 
-def human_size(bytes: int, units: list[str] = ["", "K", "M", "G", "T", "P", "E"]) -> str:
-    """Helper function to return the human readable string representation of bytes."""
-    return str(bytes) + units[0] if bytes < 1024 else human_size(bytes >> 10, units[1:])
-
-
 def ls(t: Target, path: TargetPath, args: argparse.Namespace) -> None:
     if args.use_ctime and args.use_atime:
         log.error("Can't specify -c and -u at the same time")
@@ -37,63 +30,20 @@ def ls(t: Target, path: TargetPath, args: argparse.Namespace) -> None:
     if not path or not path.exists():
         return
 
-    _print_ls(args, path, 0)
-
-
-def _print_ls(args: argparse.Namespace, path: TargetPath, depth: int) -> None:
-    subdirs = []
-
-    if path.is_dir():
-        contents = sorted(path.iterdir(), key=operator.attrgetter("name"))
-    elif path.is_file():
-        contents = [path]
-
-    if depth > 0:
-        print(f"\n{str(path)}:")
-
-    if not args.l:
-        for entry in contents:
-            print(entry.name)
-
-            if entry.is_dir():
-                subdirs.append(entry)
-    else:
-        if len(contents) > 1:
-            print(f"total {len(contents)}")
-
-        for entry in contents:
-            _print_extensive_file_stat(args, entry, entry.name)
-
-            if entry.is_dir():
-                subdirs.append(entry)
-
-    if args.recursive and subdirs:
-        for subdir in subdirs:
-            _print_ls(args, subdir, depth + 1)
-
-
-def _print_extensive_file_stat(args: argparse.Namespace, path: TargetPath, name: str) -> None:
-    try:
-        entry = path.get()
-        stat = entry.lstat()
-        symlink = f" -> {entry.readlink()}" if entry.is_symlink() else ""
-        show_time = stat.st_mtime
-
-        if args.use_ctime:
-            show_time = stat.st_ctime
-        elif args.use_atime:
-            show_time = stat.st_atime
-
-        utc_time = datetime.datetime.utcfromtimestamp(show_time).isoformat()
-
-        if args.human_readable:
-            size = human_size(stat.st_size)
-        else:
-            size = stat.st_size
-
-        print(f"{stat_modestr(stat)} {stat.st_uid:4d} {stat.st_gid:4d} {size:>6s} {utc_time} {name}{symlink}")
-    except FileNotFoundError:
-        print(f"??????????    ?    ?      ? ????-??-??T??:??:??.?????? {name}")
+    # Only output with colors if stdout is a tty
+    use_colors = sys.stdout.buffer.isatty()
+
+    print_ls(
+        path,
+        0,
+        sys.stdout,
+        args.l,
+        args.human_readable,
+        args.recursive,
+        args.use_ctime,
+        args.use_atime,
+        use_colors,
+    )
 
 
 def cat(t: Target, path: TargetPath, args: argparse.Namespace) -> None:
@@ -120,6 +70,12 @@ def cp(t: Target, path: TargetPath, args: argparse.Namespace) -> None:
         print("[!] Failed, unsuported file type: %s" % path)
 
 
+def stat(t: Target, path: TargetPath, args: argparse.Namespace) -> None:
+    if not path or not path.exists():
+        return
+    print_stat(path, sys.stdout, args.dereference)
+
+
 def _extract_path(path: TargetPath, output_path: str) -> None:
     print("%s -> %s" % (path, output_path))
 
@@ -172,6 +128,10 @@ def main() -> None:
     parser_cat = subparsers.add_parser("cat", help="dump file contents", parents=[baseparser])
     parser_cat.set_defaults(handler=cat)
 
+    parser_stat = subparsers.add_parser("stat", help="display file status", parents=[baseparser])
+    parser_stat.add_argument("-L", "--dereference", action="store_true")
+    parser_stat.set_defaults(handler=stat)
+
     parser_find = subparsers.add_parser("walk", help="perform a walk", parents=[baseparser])
     parser_find.set_defaults(handler=walk)
 

dissect/target/tools/fsutils.py

@@ -0,0 +1,243 @@
+from __future__ import annotations
+
+import os
+import stat
+from datetime import datetime, timezone
+from typing import TextIO
+
+from dissect.target.exceptions import FileNotFoundError
+from dissect.target.filesystem import FilesystemEntry, LayerFilesystemEntry
+from dissect.target.helpers import fsutil
+from dissect.target.helpers.fsutil import TargetPath
+
+# ['mode', 'addr', 'dev', 'nlink', 'uid', 'gid', 'size', 'atime', 'mtime', 'ctime']
+STAT_TEMPLATE = """  File: {path} {symlink}
+  Size: {size}       Blocks: {blocks}    IO Block: {blksize}     {filetype}
+Device: {device}     Inode: {inode}      Links: {nlink}
+Access: ({modeord}/{modestr})  Uid: ( {uid} )   Gid: ( {gid} )
+Access: {atime}
+Modify: {mtime}
+Change: {ctime}
+ Birth: {btime}"""
+
+FALLBACK_LS_COLORS = "rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32"  # noqa: E501
+
+
+def prepare_ls_colors() -> dict[str, str]:
+    """Parse the LS_COLORS environment variable so we can use it later."""
+    d = {}
+    ls_colors = os.environ.get("LS_COLORS", FALLBACK_LS_COLORS)
+    for line in ls_colors.split(":"):
+        if not line:
+            continue
+
+        ft, _, value = line.partition("=")
+        if ft.startswith("*"):
+            ft = ft[1:]
+
+        d[ft] = f"\x1b[{value}m{{}}\x1b[0m"
+
+    return d
+
+
+LS_COLORS = prepare_ls_colors()
+
+
+def fmt_ls_colors(ft: str, name: str) -> str:
+    """Helper method to colorize strings according to LS_COLORS."""
+    try:
+        return LS_COLORS[ft].format(name)
+    except KeyError:
+        pass
+
+    try:
+        return LS_COLORS[fsutil.splitext(name)[1]].format(name)
+    except KeyError:
+        pass
+
+    return name
+
+
+def human_size(bytes: int, units: list[str] = ["", "K", "M", "G", "T", "P", "E"]) -> str:
+    """Helper function to return the human readable string representation of bytes."""
+    return str(bytes) + units[0] if bytes < 1024 else human_size(bytes >> 10, units[1:])
+
+
+def stat_modestr(st: fsutil.stat_result) -> str:
+    """Helper method for generating a mode string from a numerical mode value."""
+    return stat.filemode(st.st_mode)
+
+
+def print_extensive_file_stat_listing(
+    stdout: TextIO,
+    name: str,
+    entry: FilesystemEntry | None = None,
+    timestamp: datetime | None = None,
+    human_readable: bool = False,
+) -> None:
+    """Print the file status as a single line."""
+    if entry is not None:
+        try:
+            entry_stat = entry.lstat()
+            if timestamp is None:
+                timestamp = entry_stat.st_mtime
+            symlink = f" -> {entry.readlink()}" if entry.is_symlink() else ""
+            utc_time = datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(timespec="microseconds")
+            size = f"{human_size(entry_stat.st_size):5s}" if human_readable else f"{entry_stat.st_size:10d}"
+
+            print(
+                (
+                    f"{stat_modestr(entry_stat)} {entry_stat.st_uid:4d} {entry_stat.st_gid:4d} {size} "
+                    f"{utc_time} {name}{symlink}"
+                ),
+                file=stdout,
+            )
+            return
+        except FileNotFoundError:
+            pass
+
+    hr_spaces = f"{'':5s}" if human_readable else " "
+    regular_spaces = f"{'':10s}" if not human_readable else " "
+
+    print(f"??????????    ?    ?{regular_spaces}?{hr_spaces}????-??-??T??:??:??.??????+??:?? {name}", file=stdout)
+
+
+def ls_scandir(path: fsutil.TargetPath, color: bool = False) -> list[tuple[fsutil.TargetPath, str]]:
+    """List a directory for the given path."""
+    result = []
+    if not path.exists() or not path.is_dir():
+        return []
+
+    for file_ in path.iterdir():
+        file_type = None
+        if color:
+            if file_.is_symlink():
+                file_type = "ln"
+            elif file_.is_dir():
+                file_type = "di"
+            elif file_.is_file():
+                file_type = "fi"
+
+        result.append((file_, fmt_ls_colors(file_type, file_.name) if color else file_.name))
+
+        # If we happen to scan an NTFS filesystem see if any of the
+        # entries has an alternative data stream and also list them.
+        entry = file_.get()
+        if isinstance(entry, LayerFilesystemEntry):
+            if entry.entries.fs.__type__ == "ntfs":
+                attrs = entry.lattr()
+                for data_stream in attrs.DATA:
+                    if data_stream.name != "":
+                        name = f"{file_.name}:{data_stream.name}"
+                        result.append((file_, fmt_ls_colors(file_type, name) if color else name))
+
+    result.sort(key=lambda e: e[0].name)
+
+    return result
+
+
+def print_ls(
+    path: fsutil.TargetPath,
+    depth: int,
+    stdout: TextIO,
+    long_listing: bool = False,
+    human_readable: bool = False,
+    recursive: bool = False,
+    use_ctime: bool = False,
+    use_atime: bool = False,
+    color: bool = True,
+) -> None:
+    """Print ls output"""
+    subdirs = []
+
+    if path.is_dir():
+        contents = ls_scandir(path, color)
+    elif path.is_file():
+        contents = [(path, path.name)]
+
+    if depth > 0:
+        print(f"\n{str(path)}:", file=stdout)
+
+    if not long_listing:
+        for target_path, name in contents:
+            print(name, file=stdout)
+            if target_path.is_dir():
+                subdirs.append(target_path)
+    else:
+        if len(contents) > 1:
+            print(f"total {len(contents)}", file=stdout)
+        for target_path, name in contents:
+            try:
+                entry = target_path.get()
+                entry_stat = entry.lstat()
+                show_time = entry_stat.st_mtime
+                if use_ctime:
+                    show_time = entry_stat.st_ctime
+                elif use_atime:
+                    show_time = entry_stat.st_atime
+            except FileNotFoundError:
+                entry = None
+                show_time = None
+            print_extensive_file_stat_listing(stdout, name, entry, show_time, human_readable)
+            if target_path.is_dir():
+                subdirs.append(target_path)
+
+    if recursive and subdirs:
+        for subdir in subdirs:
+            print_ls(subdir, depth + 1, stdout, long_listing, human_readable, recursive, use_ctime, use_atime, color)
+
+
+def print_stat(path: fsutil.TargetPath, stdout: TextIO, dereference: bool = False) -> None:
+    """Print file status."""
+    symlink = f"-> {path.readlink()}" if path.is_symlink() else ""
+    s = path.stat() if dereference else path.lstat()
+
+    def filetype(path: TargetPath) -> str:
+        if path.is_dir():
+            return "directory"
+        elif path.is_symlink():
+            return "symbolic link"
+        elif path.is_file():
+            return "regular file"
+
+    res = STAT_TEMPLATE.format(
+        path=path,
+        symlink=symlink,
+        size=s.st_size,
+        filetype=filetype(path),
+        device="?",
+        inode=s.st_ino,
+        blocks=s.st_blocks or "?",
+        blksize=s.st_blksize or "?",
+        nlink=s.st_nlink,
+        modeord=oct(stat.S_IMODE(s.st_mode)),
+        modestr=stat_modestr(s),
+        uid=s.st_uid,
+        gid=s.st_gid,
+        atime=datetime.fromtimestamp(s.st_atime, tz=timezone.utc).isoformat(timespec="microseconds"),
+        mtime=datetime.fromtimestamp(s.st_mtime, tz=timezone.utc).isoformat(timespec="microseconds"),
+        ctime=datetime.fromtimestamp(s.st_ctime, tz=timezone.utc).isoformat(timespec="microseconds"),
+        btime=datetime.fromtimestamp(s.st_birthtime, tz=timezone.utc).isoformat(timespec="microseconds")
+        if hasattr(s, "st_birthtime") and s.st_birthtime
+        else "?",
+    )
+    print(res, file=stdout)
+
+    try:
+        if (xattr := path.get().attr()) and isinstance(xattr, list) and hasattr(xattr[0], "name"):
+            print("  Attr:")
+            print_xattr(path.name, xattr, stdout)
+    except Exception:
+        pass
+
+
+def print_xattr(basename: str, xattr: list, stdout: TextIO) -> None:
+    """Mimics getfattr -d {file} behaviour."""
+    if not hasattr(xattr[0], "name"):
+        return
+
+    XATTR_TEMPLATE = "# file: {basename}\n{attrs}"
+    res = XATTR_TEMPLATE.format(
+        basename=basename, attrs="\n".join([f'{attr.name}="{attr.value.decode()}"' for attr in xattr])
+    )
+    print(res, file=stdout)

dissect/target/tools/info.py

@@ -4,6 +4,7 @@
 import argparse
 import json
 import logging
+from datetime import datetime
 from pathlib import Path
 from typing import Union
 
@@ -138,10 +139,13 @@ def print_target_info(target: Target) -> None:
         if isinstance(value, list):
             value = ", ".join(value)
 
+        if isinstance(value, datetime):
+            value = value.isoformat(timespec="microseconds")
+
         if name == "hostname":
             print()
 
-        print(f"{name.capitalize().replace('_', ' ')}" + (14 - len(name)) * " " + f" : {value}")
+        print(f"{name.capitalize().replace('_', ' '):14s} : {value}")
 
 
 def get_disks_info(target: Target) -> list[dict[str, Union[str, int]]]: