dissect.target 3.19.dev40__py3-none-any.whl → 3.19.dev42__py3-none-any.whl

dissect/target/helpers/utils.py

@@ -13,6 +13,17 @@ from dissect.target.helpers import fsutil
 log = logging.getLogger(__name__)
 
 
+def findall(buf: bytes, needle: bytes) -> Iterator[int]:
+    offset = 0
+    while True:
+        offset = buf.find(needle, offset)
+        if offset == -1:
+            break
+
+        yield offset
+        offset += 1
+
+
 class StrEnum(str, Enum):
     """Sortable and serializible string-based enum"""
 

dissect/target/loaders/tar.py

@@ -1,8 +1,9 @@
+from __future__ import annotations
+
 import logging
 import re
 import tarfile
 from pathlib import Path
-from typing import Union
 
 from dissect.target import filesystem, target
 from dissect.target.filesystems.tar import (
@@ -21,22 +22,25 @@ ANON_FS_RE = re.compile(r"^fs[0-9]+$")
 class TarLoader(Loader):
     """Load tar files."""
 
-    def __init__(self, path: Union[Path, str], **kwargs):
+    def __init__(self, path: Path | str, **kwargs):
         super().__init__(path)
 
+        if isinstance(path, str):
+            path = Path(path)
+
         if self.is_compressed(path):
             log.warning(
                 f"Tar file {path!r} is compressed, which will affect performance. "
                 "Consider uncompressing the archive before passing the tar file to Dissect."
             )
 
-        self.tar = tarfile.open(path)
+        self.tar = tarfile.open(fileobj=path.open("rb"))
 
     @staticmethod
     def detect(path: Path) -> bool:
         return path.name.lower().endswith((".tar", ".tar.gz", ".tgz"))
 
-    def is_compressed(self, path: Union[Path, str]) -> bool:
+    def is_compressed(self, path: Path | str) -> bool:
         return str(path).lower().endswith((".tar.gz", ".tgz"))
 
     def map(self, target: target.Target) -> None:

dissect/target/loaders/velociraptor.py

@@ -3,7 +3,7 @@ from __future__ import annotations
 import logging
 import zipfile
 from pathlib import Path
-from typing import TYPE_CHECKING, Optional
+from typing import TYPE_CHECKING
 
 from dissect.target.loaders.dir import DirLoader, find_dirs, map_dirs
 from dissect.target.plugin import OperatingSystem
@@ -18,7 +18,7 @@ UNIX_ACCESSORS = ["file", "auto"]
 WINDOWS_ACCESSORS = ["mft", "ntfs", "lazy_ntfs", "ntfs_vss", "auto"]
 
 
-def find_fs_directories(path: Path) -> tuple[Optional[OperatingSystem], Optional[list[Path]]]:
+def find_fs_directories(path: Path) -> tuple[OperatingSystem | None, list[Path] | None]:
     fs_root = path.joinpath(FILESYSTEMS_ROOT)
 
     # Unix
@@ -56,7 +56,7 @@ def find_fs_directories(path: Path) -> tuple[Optional[OperatingSystem], Optional
     return None, None
 
 
-def extract_drive_letter(name: str) -> Optional[str]:
+def extract_drive_letter(name: str) -> str | None:
     # \\.\X: in URL encoding
     if len(name) == 14 and name.startswith("%5C%5C.%5C") and name.endswith("%3A"):
         return name[10].lower()
@@ -91,7 +91,7 @@ class VelociraptorLoader(DirLoader):
                 f"Velociraptor target {path!r} is compressed, which will slightly affect performance. "
                 "Consider uncompressing the archive and passing the uncompressed folder to Dissect."
             )
-            self.root = zipfile.Path(path)
+            self.root = zipfile.Path(path.open("rb"))
         else:
             self.root = path
 
@@ -105,8 +105,8 @@ class VelociraptorLoader(DirLoader):
         #   results/
         #   uploads.json
         #   [...] other files related to the collection
-        if path.suffix == ".zip":  # novermin
-            path = zipfile.Path(path)
+        if path.exists() and path.suffix == ".zip":  # novermin
+            path = zipfile.Path(path.open("rb"))
 
         if path.joinpath(FILESYSTEMS_ROOT).exists() and path.joinpath("uploads.json").exists():
             _, dirs = find_fs_directories(path)

dissect/target/plugin.py

@@ -2,9 +2,11 @@
 
 See dissect/target/plugins/general/example.py for an example plugin.
 """
+
 from __future__ import annotations
 
 import fnmatch
+import functools
 import importlib
 import importlib.util
 import inspect
@@ -196,6 +198,8 @@ class Plugin:
     The :func:`internal` decorator and :class:`InternalPlugin` set the ``__internal__`` attribute.
     Finally. :func:`args` decorator sets the ``__args__`` attribute.
 
+    The :func:`alias` decorator populates the ``__aliases__`` private attribute of :class:`Plugin` methods.
+
     Args:
         target: The :class:`~dissect.target.target.Target` object to load the plugin for.
     """
@@ -448,6 +452,11 @@ def register(plugincls: Type[Plugin]) -> None:
     exports = []
     functions = []
 
+    # First pass to resolve aliases
+    for attr in get_nonprivate_attributes(plugincls):
+        for alias in getattr(attr, "__aliases__", []):
+            clone_alias(plugincls, attr, alias)
+
     for attr in get_nonprivate_attributes(plugincls):
         if isinstance(attr, property):
             attr = attr.fget
@@ -542,6 +551,47 @@ def arg(*args, **kwargs) -> Callable:
     return decorator
 
 
+def alias(*args, **kwargs: dict[str, Any]) -> Callable:
+    """Decorator to be used on :class:`Plugin` functions to register an alias of that function."""
+
+    if not kwargs.get("name") and not args:
+        raise ValueError("Missing argument 'name'")
+
+    def decorator(obj: Callable) -> Callable:
+        if not hasattr(obj, "__aliases__"):
+            obj.__aliases__ = []
+
+        if name := (kwargs.get("name") or args[0]):
+            obj.__aliases__.append(name)
+
+        return obj
+
+    return decorator
+
+
+def clone_alias(cls: type, attr: Callable, alias: str) -> None:
+    """Clone the given attribute to an alias in the provided class."""
+
+    # Clone the function object
+    clone = type(attr)(attr.__code__, attr.__globals__, alias, attr.__defaults__, attr.__closure__)
+    clone.__kwdefaults__ = attr.__kwdefaults__
+
+    # Copy some attributes
+    functools.update_wrapper(clone, attr)
+    if wrapped := getattr(attr, "__wrapped__", None):
+        # update_wrapper sets a new wrapper, we want the original
+        clone.__wrapped__ = wrapped
+
+    # Update module path so we can fool inspect.getmodule with subclassed Plugin classes
+    clone.__module__ = cls.__module__
+
+    # Update the names
+    clone.__name__ = alias
+    clone.__qualname__ = f"{cls.__name__}.{alias}"
+
+    setattr(cls, alias, clone)
+
+
 def plugins(
     osfilter: Optional[type[OSPlugin]] = None,
     special_keys: set[str] = set(),

dissect/target/plugins/os/unix/history.py

@@ -8,7 +8,7 @@ from dissect.target.exceptions import UnsupportedPluginError
 from dissect.target.helpers.descriptor_extensions import UserRecordDescriptorExtension
 from dissect.target.helpers.fsutil import TargetPath
 from dissect.target.helpers.record import UnixUserRecord, create_extended_descriptor
-from dissect.target.plugin import Plugin, export, internal
+from dissect.target.plugin import Plugin, alias, export, internal
 
 CommandHistoryRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
     "unix/history",
@@ -36,6 +36,7 @@ class CommandHistoryPlugin(Plugin):
         ("sqlite", ".sqlite_history"),
         ("zsh", ".zsh_history"),
         ("ash", ".ash_history"),
+        ("dissect", ".dissect_history"),  # wow so meta
     )
 
     def __init__(self, target: Target):
@@ -56,12 +57,7 @@ class CommandHistoryPlugin(Plugin):
                     history_files.append((shell, history_path, user_details.user))
         return history_files
 
-    @export(record=CommandHistoryRecord)
-    def bashhistory(self):
-        """Deprecated, use commandhistory function."""
-        self.target.log.warn("Function 'bashhistory' is deprecated, use the 'commandhistory' function instead.")
-        return self.commandhistory()
-
+    @alias("bashhistory")
     @export(record=CommandHistoryRecord)
     def commandhistory(self):
         """Return shell history for all users.

dissect/target/plugins/os/windows/catroot.py

@@ -5,6 +5,7 @@ from flow.record.fieldtypes import digest
 
 from dissect.target.exceptions import UnsupportedPluginError
 from dissect.target.helpers.record import TargetRecordDescriptor
+from dissect.target.helpers.utils import findall
 from dissect.target.plugin import Plugin, export
 
 try:
@@ -36,17 +37,6 @@ CatrootRecord = TargetRecordDescriptor(
 )
 
 
-def findall(buf: bytes, needle: bytes) -> Iterator[int]:
-    offset = 0
-    while True:
-        offset = buf.find(needle, offset)
-        if offset == -1:
-            break
-
-        yield offset
-        offset += 1
-
-
 def _get_package_name(sequence: Sequence) -> str:
     """Parse sequences within a sequence and return the 'PackageName' value if it exists."""
     for value in sequence.native.values():

dissect/target/plugins/os/windows/jumplist.py

@@ -0,0 +1,292 @@
+from __future__ import annotations
+
+import io
+import logging
+from struct import error as StructError
+from typing import BinaryIO, Iterator
+
+from dissect.cstruct import cstruct
+from dissect.ole import OLE
+from dissect.ole.exceptions import Error as OleError
+from dissect.shellitem.lnk import Lnk
+
+from dissect.target import Target
+from dissect.target.exceptions import UnsupportedPluginError
+from dissect.target.helpers.descriptor_extensions import UserRecordDescriptorExtension
+from dissect.target.helpers.record import create_extended_descriptor
+from dissect.target.helpers.shell_application_ids import APPLICATION_IDENTIFIERS
+from dissect.target.helpers.utils import findall
+from dissect.target.plugin import Plugin, export
+from dissect.target.plugins.os.windows.lnk import LnkRecord, parse_lnk_file
+
+log = logging.getLogger(__name__)
+
+LNK_GUID = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
+
+JumpListRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
+    "windows/jumplist",
+    [
+        ("string", "type"),
+        ("string", "application_id"),
+        ("string", "application_name"),
+        *LnkRecord.target_fields,
+    ],
+)
+
+
+custom_destination_def = """
+struct header {
+    int version;
+    int unknown1;
+    int unknown2;
+    int value_type;
+}
+
+struct header_end {
+    int number_of_entries;
+}
+
+struct header_end_0 {
+    uint16  name_length;
+    wchar   name[name_length];
+    int     number_of_entries;
+}
+
+struct footer {
+    char magic[4];
+}
+"""
+
+c_custom_destination = cstruct()
+c_custom_destination.load(custom_destination_def)
+
+
+class JumpListFile:
+    def __init__(self, fh: BinaryIO, file_name: str):
+        self.fh = fh
+        self.file_name = file_name
+
+        self.application_id, self.application_type = file_name.split(".")
+        self.application_type = self.application_type.split("-")[0]
+        self.application_name = APPLICATION_IDENTIFIERS.get(self.application_id)
+
+    def __iter__(self) -> Iterator[Lnk]:
+        raise NotImplementedError
+
+    @property
+    def name(self) -> str:
+        """Return the name of the application."""
+        return self.application_name
+
+    @property
+    def id(self) -> str:
+        """Return the application identifier."""
+        return self.application_id
+
+    @property
+    def type(self) -> str:
+        """Return the type of the Jump List file."""
+        return self.application_type
+
+
+class AutomaticDestinationFile(JumpListFile):
+    """Parse Jump List AutomaticDestination file."""
+
+    def __init__(self, fh: BinaryIO, file_name: str):
+        super().__init__(fh, file_name)
+        self.ole = OLE(self.fh)
+
+    def __iter__(self) -> Iterator[Lnk]:
+        for dir_name in self.ole.root.listdir():
+            if dir_name == "DestList":
+                continue
+
+            dir = self.ole.get(dir_name)
+
+            for item in dir.open():
+                try:
+                    yield Lnk(io.BytesIO(item))
+                except StructError:
+                    continue
+                except Exception as e:
+                    log.warning("Failed to parse LNK file from directory %s", dir_name)
+                    log.debug("", exc_info=e)
+                    continue
+
+
+class CustomDestinationFile(JumpListFile):
+    """Parse Jump List CustomDestination file."""
+
+    MAGIC_FOOTER = 0xBABFFBAB
+    VERSIONS = [2]
+
+    def __init__(self, fh: BinaryIO, file_name: str):
+        super().__init__(fh, file_name)
+
+        self.fh.seek(-4, io.SEEK_END)
+        self.footer = c_custom_destination.footer(self.fh.read(4))
+        self.magic = int.from_bytes(self.footer.magic, "little")
+
+        self.fh.seek(0, io.SEEK_SET)
+        self.header = c_custom_destination.header(self.fh)
+        self.version = self.header.version
+
+        if self.header.value_type == 0:
+            self.header_end = c_custom_destination.header_end_0(self.fh)
+        elif self.header.value_type in [1, 2]:
+            self.header_end = c_custom_destination.header_end(self.fh)
+        else:
+            raise NotImplementedError(
+                f"The value_type ({self.header.value_type}) of the CustomDestination file is not implemented"
+            )
+
+        if self.version not in self.VERSIONS:
+            raise NotImplementedError(f"The CustomDestination file has an unsupported version: {self.version}")
+
+        if not self.MAGIC_FOOTER == self.magic:
+            raise ValueError(f"The CustomDestination file has an invalid magic footer: {self.magic}")
+
+    def __iter__(self) -> Iterator[Lnk]:
+        # Searches for all LNK GUID's because the number of entries in the header is not always correct.
+        buf = self.fh.read()
+
+        for offset in findall(buf, LNK_GUID):
+            try:
+                lnk = Lnk(io.BytesIO(buf[offset + len(LNK_GUID) :]))
+                yield lnk
+            except EOFError:
+                break
+            except Exception as e:
+                log.warning("Failed to parse LNK file from a CustomDestination file")
+                log.debug("", exc_info=e)
+                continue
+
+
+class JumpListPlugin(Plugin):
+    """Jump List is a Windows feature introduced in Windows 7.
+
+    It stores information about recently accessed applications and files.
+
+    References:
+        - https://forensics.wiki/jump_lists
+        - https://github.com/libyal/dtformats/blob/main/documentation/Jump%20lists%20format.asciidoc
+    """
+
+    __namespace__ = "jumplist"
+
+    def __init__(self, target: Target):
+        super().__init__(target)
+        self.automatic_destinations = []
+        self.custom_destinations = []
+
+        for user_details in self.target.user_details.all_with_home():
+            for destination in user_details.home_path.glob(
+                "AppData/Roaming/Microsoft/Windows/Recent/CustomDestinations/*.customDestinations-ms"
+            ):
+                self.custom_destinations.append([destination, user_details.user])
+
+        for user_details in self.target.user_details.all_with_home():
+            for destination in user_details.home_path.glob(
+                "AppData/Roaming/Microsoft/Windows/Recent/AutomaticDestinations/*.automaticDestinations-ms"
+            ):
+                self.automatic_destinations.append([destination, user_details.user])
+
+    def check_compatible(self) -> None:
+        if not any([self.automatic_destinations, self.custom_destinations]):
+            raise UnsupportedPluginError("No Jump List files found")
+
+    @export(record=JumpListRecord)
+    def custom_destination(self) -> Iterator[JumpListRecord]:
+        """Return the content of CustomDestination Windows Jump Lists.
+
+        These are created when a user pins an application or a file in a Jump List.
+
+        Yields JumpListRecord with fields:
+
+        .. code-block:: text
+
+            type (string): Type of Jump List.
+            application_id (string): ID of the application.
+            application_name (string): Name of the application.
+            lnk_path (path): Path of the link (.lnk) file.
+            lnk_name (string): Name of the link (.lnk) file.
+            lnk_mtime (datetime): Modification time of the link (.lnk) file.
+            lnk_atime (datetime): Access time of the link (.lnk) file.
+            lnk_ctime (datetime): Creation time of the link (.lnk) file.
+            lnk_relativepath (path): Relative path of target file to the link (.lnk) file.
+            lnk_workdir (path): Path of the working directory the link (.lnk) file will execute from.
+            lnk_iconlocation (path): Path of the display icon used for the link (.lnk) file.
+            lnk_arguments (string): Command-line arguments passed to the target (linked) file.
+            local_base_path (string): Absolute path of the target (linked) file.
+            common_path_suffix (string): Suffix of the local_base_path.
+            lnk_full_path (string): Full path of the linked file. Made from local_base_path and common_path_suffix.
+            lnk_net_name (string): Specifies a server share path; for example, "\\\\server\\share".
+            lnk_device_name (string): Specifies a device; for example, the drive letter "D:"
+            machine_id (string): The NetBIOS name of the machine where the linked file was last known to reside.
+            target_mtime (datetime): Modification time of the target (linked) file.
+            target_atime (datetime): Access time of the target (linked) file.
+            target_ctime (datetime): Creation time of the target (linked) file.
+        """
+        yield from self._generate_records(self.custom_destinations, CustomDestinationFile)
+
+    @export(record=JumpListRecord)
+    def automatic_destination(self) -> Iterator[JumpListRecord]:
+        """Return the content of AutomaticDestination Windows Jump Lists.
+
+        These are created automatically when a user opens an application or file.
+
+        Yields JumpListRecord with fields:
+
+        .. code-block:: text
+
+            type (string): Type of Jump List.
+            application_id (string): ID of the application.
+            application_name (string): Name of the application.
+            lnk_path (path): Path of the link (.lnk) file.
+            lnk_name (string): Name of the link (.lnk) file.
+            lnk_mtime (datetime): Modification time of the link (.lnk) file.
+            lnk_atime (datetime): Access time of the link (.lnk) file.
+            lnk_ctime (datetime): Creation time of the link (.lnk) file.
+            lnk_relativepath (path): Relative path of target file to the link (.lnk) file.
+            lnk_workdir (path): Path of the working directory the link (.lnk) file will execute from.
+            lnk_iconlocation (path): Path of the display icon used for the link (.lnk) file.
+            lnk_arguments (string): Command-line arguments passed to the target (linked) file.
+            local_base_path (string): Absolute path of the target (linked) file.
+            common_path_suffix (string): Suffix of the local_base_path.
+            lnk_full_path (string): Full path of the linked file. Made from local_base_path and common_path_suffix.
+            lnk_net_name (string): Specifies a server share path; for example, "\\\\server\\share".
+            lnk_device_name (string): Specifies a device; for example, the drive letter "D:"
+            machine_id (string): The NetBIOS name of the machine where the linked file was last known to reside.
+            target_mtime (datetime): Modification time of the target (linked) file.
+            target_atime (datetime): Access time of the target (linked) file.
+            target_ctime (datetime): Creation time of the target (linked) file.
+        """
+        yield from self._generate_records(self.automatic_destinations, AutomaticDestinationFile)
+
+    def _generate_records(
+        self,
+        destinations: list,
+        destination_file: AutomaticDestinationFile | CustomDestinationFile,
+    ) -> Iterator[JumpListRecord]:
+        for destination, user in destinations:
+            fh = destination.open("rb")
+
+            try:
+                jumplist = destination_file(fh, destination.name)
+            except OleError:
+                continue
+            except Exception as e:
+                self.target.log.warning("Failed to parse Jump List file: %s", destination)
+                self.target.log.debug("", exc_info=e)
+                continue
+
+            for lnk in jumplist:
+                if lnk := parse_lnk_file(self.target, lnk, destination):
+                    yield JumpListRecord(
+                        type=jumplist.type,
+                        application_name=jumplist.name,
+                        application_id=jumplist.id,
+                        **lnk._asdict(),
+                        _user=user,
+                        _target=self.target,
+                    )