dissect.target 3.19.dev40__py3-none-any.whl → 3.19.dev42__py3-none-any.whl

dissect/target/plugins/os/windows/lnk.py

@@ -34,6 +34,89 @@ LnkRecord = TargetRecordDescriptor(
 )
 
 
+def parse_lnk_file(target: Target, lnk_file: Lnk, lnk_path: TargetPath) -> Iterator[LnkRecord]:
+    # we need to get the active codepage from the system to properly decode some values
+    codepage = target.codepage or "ascii"
+
+    lnk_net_name = lnk_device_name = None
+
+    if lnk_file.link_header:
+        lnk_name = lnk_file.stringdata.name_string.string if lnk_file.flag("has_name") else None
+
+        lnk_mtime = ts.from_unix(lnk_path.stat().st_mtime)
+        lnk_atime = ts.from_unix(lnk_path.stat().st_atime)
+        lnk_ctime = ts.from_unix(lnk_path.stat().st_ctime)
+
+        lnk_relativepath = (
+            target.fs.path(lnk_file.stringdata.relative_path.string) if lnk_file.flag("has_relative_path") else None
+        )
+        lnk_workdir = (
+            target.fs.path(lnk_file.stringdata.working_dir.string) if lnk_file.flag("has_working_dir") else None
+        )
+        lnk_iconlocation = (
+            target.fs.path(lnk_file.stringdata.icon_location.string) if lnk_file.flag("has_icon_location") else None
+        )
+        lnk_arguments = lnk_file.stringdata.command_line_arguments.string if lnk_file.flag("has_arguments") else None
+        local_base_path = (
+            lnk_file.linkinfo.local_base_path.decode(codepage)
+            if lnk_file.flag("has_link_info") and lnk_file.linkinfo.flag("volumeid_and_local_basepath")
+            else None
+        )
+        common_path_suffix = (
+            lnk_file.linkinfo.common_path_suffix.decode(codepage) if lnk_file.flag("has_link_info") else None
+        )
+
+        if local_base_path and common_path_suffix:
+            lnk_full_path = target.fs.path(local_base_path + common_path_suffix)
+        elif local_base_path and not common_path_suffix:
+            lnk_full_path = target.fs.path(local_base_path)
+        else:
+            lnk_full_path = None
+
+        if lnk_file.flag("has_link_info"):
+            if lnk_file.linkinfo.flag("common_network_relative_link_and_pathsuffix"):
+                lnk_net_name = (
+                    lnk_file.linkinfo.common_network_relative_link.net_name.decode()
+                    if lnk_file.linkinfo.common_network_relative_link.net_name
+                    else None
+                )
+                lnk_device_name = (
+                    lnk_file.linkinfo.common_network_relative_link.device_name.decode()
+                    if lnk_file.linkinfo.common_network_relative_link.device_name
+                    else None
+                )
+        try:
+            machine_id = lnk_file.extradata.TRACKER_PROPS.machine_id.decode(codepage).strip("\x00")
+        except AttributeError:
+            machine_id = None
+
+        target_mtime = ts.wintimestamp(lnk_file.link_header.write_time)
+        target_atime = ts.wintimestamp(lnk_file.link_header.access_time)
+        target_ctime = ts.wintimestamp(lnk_file.link_header.creation_time)
+
+        return LnkRecord(
+            lnk_path=lnk_path,
+            lnk_name=lnk_name,
+            lnk_mtime=lnk_mtime,
+            lnk_atime=lnk_atime,
+            lnk_ctime=lnk_ctime,
+            lnk_relativepath=lnk_relativepath,
+            lnk_workdir=lnk_workdir,
+            lnk_iconlocation=lnk_iconlocation,
+            lnk_arguments=lnk_arguments,
+            local_base_path=local_base_path,
+            common_path_suffix=common_path_suffix,
+            lnk_full_path=lnk_full_path,
+            lnk_net_name=lnk_net_name,
+            lnk_device_name=lnk_device_name,
+            machine_id=machine_id,
+            target_mtime=target_mtime,
+            target_atime=target_atime,
+            target_ctime=target_ctime,
+            _target=target,
+        )
+
+
 class LnkPlugin(Plugin):
     def __init__(self, target: Target) -> None:
         super().__init__(target)
@@ -74,97 +157,9 @@ class LnkPlugin(Plugin):
             target_ctime (datetime): Creation time of the target (linked) file.
         """
 
-        # we need to get the active codepage from the system to properly decode some values
-        codepage = self.target.codepage or "ascii"
-
         for entry in self.lnk_entries(path):
             lnk_file = Lnk(entry.open())
-            lnk_net_name = lnk_device_name = None
-
-            if lnk_file.link_header:
-                lnk_path = entry
-                lnk_name = lnk_file.stringdata.name_string.string if lnk_file.flag("has_name") else None
-
-                lnk_mtime = ts.from_unix(entry.stat().st_mtime)
-                lnk_atime = ts.from_unix(entry.stat().st_atime)
-                lnk_ctime = ts.from_unix(entry.stat().st_ctime)
-
-                lnk_relativepath = (
-                    self.target.fs.path(lnk_file.stringdata.relative_path.string)
-                    if lnk_file.flag("has_relative_path")
-                    else None
-                )
-                lnk_workdir = (
-                    self.target.fs.path(lnk_file.stringdata.working_dir.string)
-                    if lnk_file.flag("has_working_dir")
-                    else None
-                )
-                lnk_iconlocation = (
-                    self.target.fs.path(lnk_file.stringdata.icon_location.string)
-                    if lnk_file.flag("has_icon_location")
-                    else None
-                )
-                lnk_arguments = (
-                    lnk_file.stringdata.command_line_arguments.string if lnk_file.flag("has_arguments") else None
-                )
-                local_base_path = (
-                    lnk_file.linkinfo.local_base_path.decode(codepage)
-                    if lnk_file.flag("has_link_info") and lnk_file.linkinfo.flag("volumeid_and_local_basepath")
-                    else None
-                )
-                common_path_suffix = (
-                    lnk_file.linkinfo.common_path_suffix.decode(codepage) if lnk_file.flag("has_link_info") else None
-                )
-
-                if local_base_path and common_path_suffix:
-                    lnk_full_path = self.target.fs.path(local_base_path + common_path_suffix)
-                elif local_base_path and not common_path_suffix:
-                    lnk_full_path = self.target.fs.path(local_base_path)
-                else:
-                    lnk_full_path = None
-
-                if lnk_file.flag("has_link_info"):
-                    if lnk_file.linkinfo.flag("common_network_relative_link_and_pathsuffix"):
-                        lnk_net_name = (
-                            lnk_file.linkinfo.common_network_relative_link.net_name.decode()
-                            if lnk_file.linkinfo.common_network_relative_link.net_name
-                            else None
-                        )
-                        lnk_device_name = (
-                            lnk_file.linkinfo.common_network_relative_link.device_name.decode()
-                            if lnk_file.linkinfo.common_network_relative_link.device_name
-                            else None
-                        )
-                try:
-                    machine_id = lnk_file.extradata.TRACKER_PROPS.machine_id.decode(codepage).strip("\x00")
-                except AttributeError:
-                    machine_id = None
-
-                target_mtime = ts.wintimestamp(lnk_file.link_header.write_time)
-                target_atime = ts.wintimestamp(lnk_file.link_header.access_time)
-                target_ctime = ts.wintimestamp(lnk_file.link_header.creation_time)
-
-                yield LnkRecord(
-                    lnk_path=lnk_path,
-                    lnk_name=lnk_name,
-                    lnk_mtime=lnk_mtime,
-                    lnk_atime=lnk_atime,
-                    lnk_ctime=lnk_ctime,
-                    lnk_relativepath=lnk_relativepath,
-                    lnk_workdir=lnk_workdir,
-                    lnk_iconlocation=lnk_iconlocation,
-                    lnk_arguments=lnk_arguments,
-                    local_base_path=local_base_path,
-                    common_path_suffix=common_path_suffix,
-                    lnk_full_path=lnk_full_path,
-                    lnk_net_name=lnk_net_name,
-                    lnk_device_name=lnk_device_name,
-                    machine_id=machine_id,
-                    target_mtime=target_mtime,
-                    target_atime=target_atime,
-                    target_ctime=target_ctime,
-                    _target=self.target,
-                )
+            yield parse_lnk_file(self.target, lnk_file, entry)
 
     def lnk_entries(self, path: Optional[str] = None) -> Iterator[TargetPath]:
         if path:

dissect/target/target.py

@@ -87,7 +87,7 @@ class Target:
         self._applied = False
 
         try:
-            self._config = config.load([self.path, os.getcwd()])
+            self._config = config.load([self.path, Path.cwd(), Path.home()])
         except Exception as e:
             self.log.warning("Error loading config file: %s", self.path)
             self.log.debug("", exc_info=e)

dissect/target/tools/fs.py

@@ -2,9 +2,7 @@
 # -*- coding: utf-8 -*-
 
 import argparse
-import datetime
 import logging
-import operator
 import os
 import pathlib
 import shutil
@@ -13,7 +11,7 @@ import sys
 from dissect.target import Target
 from dissect.target.exceptions import TargetError
 from dissect.target.helpers.fsutil import TargetPath
-from dissect.target.tools.shell import stat_modestr
+from dissect.target.tools.fsutils import print_ls, print_stat
 from dissect.target.tools.utils import (
     catch_sigpipe,
     configure_generic_arguments,
@@ -25,11 +23,6 @@ logging.lastResort = None
 logging.raiseExceptions = False
 
 
-def human_size(bytes: int, units: list[str] = ["", "K", "M", "G", "T", "P", "E"]) -> str:
-    """Helper function to return the human readable string representation of bytes."""
-    return str(bytes) + units[0] if bytes < 1024 else human_size(bytes >> 10, units[1:])
-
-
 def ls(t: Target, path: TargetPath, args: argparse.Namespace) -> None:
     if args.use_ctime and args.use_atime:
         log.error("Can't specify -c and -u at the same time")
@@ -37,63 +30,20 @@ def ls(t: Target, path: TargetPath, args: argparse.Namespace) -> None:
     if not path or not path.exists():
         return
 
-    _print_ls(args, path, 0)
-
-
-def _print_ls(args: argparse.Namespace, path: TargetPath, depth: int) -> None:
-    subdirs = []
-
-    if path.is_dir():
-        contents = sorted(path.iterdir(), key=operator.attrgetter("name"))
-    elif path.is_file():
-        contents = [path]
-
-    if depth > 0:
-        print(f"\n{str(path)}:")
-
-    if not args.l:
-        for entry in contents:
-            print(entry.name)
-
-            if entry.is_dir():
-                subdirs.append(entry)
-    else:
-        if len(contents) > 1:
-            print(f"total {len(contents)}")
-
-        for entry in contents:
-            _print_extensive_file_stat(args, entry, entry.name)
-
-            if entry.is_dir():
-                subdirs.append(entry)
-
-    if args.recursive and subdirs:
-        for subdir in subdirs:
-            _print_ls(args, subdir, depth + 1)
-
-
-def _print_extensive_file_stat(args: argparse.Namespace, path: TargetPath, name: str) -> None:
-    try:
-        entry = path.get()
-        stat = entry.lstat()
-        symlink = f" -> {entry.readlink()}" if entry.is_symlink() else ""
-        show_time = stat.st_mtime
-
-        if args.use_ctime:
-            show_time = stat.st_ctime
-        elif args.use_atime:
-            show_time = stat.st_atime
-
-        utc_time = datetime.datetime.utcfromtimestamp(show_time).isoformat()
-
-        if args.human_readable:
-            size = human_size(stat.st_size)
-        else:
-            size = stat.st_size
-
-        print(f"{stat_modestr(stat)} {stat.st_uid:4d} {stat.st_gid:4d} {size:>6s} {utc_time} {name}{symlink}")
-    except FileNotFoundError:
-        print(f"??????????    ?    ?      ? ????-??-??T??:??:??.?????? {name}")
+    # Only output with colors if stdout is a tty
+    use_colors = sys.stdout.buffer.isatty()
+
+    print_ls(
+        path,
+        0,
+        sys.stdout,
+        args.l,
+        args.human_readable,
+        args.recursive,
+        args.use_ctime,
+        args.use_atime,
+        use_colors,
+    )
 
 
 def cat(t: Target, path: TargetPath, args: argparse.Namespace) -> None:
@@ -120,6 +70,12 @@ def cp(t: Target, path: TargetPath, args: argparse.Namespace) -> None:
         print("[!] Failed, unsuported file type: %s" % path)
 
 
+def stat(t: Target, path: TargetPath, args: argparse.Namespace) -> None:
+    if not path or not path.exists():
+        return
+    print_stat(path, sys.stdout, args.dereference)
+
+
 def _extract_path(path: TargetPath, output_path: str) -> None:
     print("%s -> %s" % (path, output_path))
 
@@ -172,6 +128,10 @@ def main() -> None:
     parser_cat = subparsers.add_parser("cat", help="dump file contents", parents=[baseparser])
     parser_cat.set_defaults(handler=cat)
 
+    parser_stat = subparsers.add_parser("stat", help="display file status", parents=[baseparser])
+    parser_stat.add_argument("-L", "--dereference", action="store_true")
+    parser_stat.set_defaults(handler=stat)
+
     parser_find = subparsers.add_parser("walk", help="perform a walk", parents=[baseparser])
     parser_find.set_defaults(handler=walk)
 

dissect/target/tools/fsutils.py

@@ -0,0 +1,243 @@
+from __future__ import annotations
+
+import os
+import stat
+from datetime import datetime, timezone
+from typing import TextIO
+
+from dissect.target.exceptions import FileNotFoundError
+from dissect.target.filesystem import FilesystemEntry, LayerFilesystemEntry
+from dissect.target.helpers import fsutil
+from dissect.target.helpers.fsutil import TargetPath
+
+# ['mode', 'addr', 'dev', 'nlink', 'uid', 'gid', 'size', 'atime', 'mtime', 'ctime']
+STAT_TEMPLATE = """  File: {path} {symlink}
+  Size: {size}       Blocks: {blocks}    IO Block: {blksize}     {filetype}
+Device: {device}     Inode: {inode}      Links: {nlink}
+Access: ({modeord}/{modestr})  Uid: ( {uid} )   Gid: ( {gid} )
+Access: {atime}
+Modify: {mtime}
+Change: {ctime}
+ Birth: {btime}"""
+
+FALLBACK_LS_COLORS = "rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32"  # noqa: E501
+
+
+def prepare_ls_colors() -> dict[str, str]:
+    """Parse the LS_COLORS environment variable so we can use it later."""
+    d = {}
+    ls_colors = os.environ.get("LS_COLORS", FALLBACK_LS_COLORS)
+    for line in ls_colors.split(":"):
+        if not line:
+            continue
+
+        ft, _, value = line.partition("=")
+        if ft.startswith("*"):
+            ft = ft[1:]
+
+        d[ft] = f"\x1b[{value}m{{}}\x1b[0m"
+
+    return d
+
+
+LS_COLORS = prepare_ls_colors()
+
+
+def fmt_ls_colors(ft: str, name: str) -> str:
+    """Helper method to colorize strings according to LS_COLORS."""
+    try:
+        return LS_COLORS[ft].format(name)
+    except KeyError:
+        pass
+
+    try:
+        return LS_COLORS[fsutil.splitext(name)[1]].format(name)
+    except KeyError:
+        pass
+
+    return name
+
+
+def human_size(bytes: int, units: list[str] = ["", "K", "M", "G", "T", "P", "E"]) -> str:
+    """Helper function to return the human readable string representation of bytes."""
+    return str(bytes) + units[0] if bytes < 1024 else human_size(bytes >> 10, units[1:])
+
+
+def stat_modestr(st: fsutil.stat_result) -> str:
+    """Helper method for generating a mode string from a numerical mode value."""
+    return stat.filemode(st.st_mode)
+
+
+def print_extensive_file_stat_listing(
+    stdout: TextIO,
+    name: str,
+    entry: FilesystemEntry | None = None,
+    timestamp: datetime | None = None,
+    human_readable: bool = False,
+) -> None:
+    """Print the file status as a single line."""
+    if entry is not None:
+        try:
+            entry_stat = entry.lstat()
+            if timestamp is None:
+                timestamp = entry_stat.st_mtime
+            symlink = f" -> {entry.readlink()}" if entry.is_symlink() else ""
+            utc_time = datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(timespec="microseconds")
+            size = f"{human_size(entry_stat.st_size):5s}" if human_readable else f"{entry_stat.st_size:10d}"
+
+            print(
+                (
+                    f"{stat_modestr(entry_stat)} {entry_stat.st_uid:4d} {entry_stat.st_gid:4d} {size} "
+                    f"{utc_time} {name}{symlink}"
+                ),
+                file=stdout,
+            )
+            return
+        except FileNotFoundError:
+            pass
+
+    hr_spaces = f"{'':5s}" if human_readable else " "
+    regular_spaces = f"{'':10s}" if not human_readable else " "
+
+    print(f"??????????    ?    ?{regular_spaces}?{hr_spaces}????-??-??T??:??:??.??????+??:?? {name}", file=stdout)
+
+
+def ls_scandir(path: fsutil.TargetPath, color: bool = False) -> list[tuple[fsutil.TargetPath, str]]:
+    """List a directory for the given path."""
+    result = []
+    if not path.exists() or not path.is_dir():
+        return []
+
+    for file_ in path.iterdir():
+        file_type = None
+        if color:
+            if file_.is_symlink():
+                file_type = "ln"
+            elif file_.is_dir():
+                file_type = "di"
+            elif file_.is_file():
+                file_type = "fi"
+
+        result.append((file_, fmt_ls_colors(file_type, file_.name) if color else file_.name))
+
+        # If we happen to scan an NTFS filesystem see if any of the
+        # entries has an alternative data stream and also list them.
+        entry = file_.get()
+        if isinstance(entry, LayerFilesystemEntry):
+            if entry.entries.fs.__type__ == "ntfs":
+                attrs = entry.lattr()
+                for data_stream in attrs.DATA:
+                    if data_stream.name != "":
+                        name = f"{file_.name}:{data_stream.name}"
+                        result.append((file_, fmt_ls_colors(file_type, name) if color else name))
+
+    result.sort(key=lambda e: e[0].name)
+
+    return result
+
+
+def print_ls(
+    path: fsutil.TargetPath,
+    depth: int,
+    stdout: TextIO,
+    long_listing: bool = False,
+    human_readable: bool = False,
+    recursive: bool = False,
+    use_ctime: bool = False,
+    use_atime: bool = False,
+    color: bool = True,
+) -> None:
+    """Print ls output"""
+    subdirs = []
+
+    if path.is_dir():
+        contents = ls_scandir(path, color)
+    elif path.is_file():
+        contents = [(path, path.name)]
+
+    if depth > 0:
+        print(f"\n{str(path)}:", file=stdout)
+
+    if not long_listing:
+        for target_path, name in contents:
+            print(name, file=stdout)
+            if target_path.is_dir():
+                subdirs.append(target_path)
+    else:
+        if len(contents) > 1:
+            print(f"total {len(contents)}", file=stdout)
+        for target_path, name in contents:
+            try:
+                entry = target_path.get()
+                entry_stat = entry.lstat()
+                show_time = entry_stat.st_mtime
+                if use_ctime:
+                    show_time = entry_stat.st_ctime
+                elif use_atime:
+                    show_time = entry_stat.st_atime
+            except FileNotFoundError:
+                entry = None
+                show_time = None
+            print_extensive_file_stat_listing(stdout, name, entry, show_time, human_readable)
+            if target_path.is_dir():
+                subdirs.append(target_path)
+
+    if recursive and subdirs:
+        for subdir in subdirs:
+            print_ls(subdir, depth + 1, stdout, long_listing, human_readable, recursive, use_ctime, use_atime, color)
+
+
+def print_stat(path: fsutil.TargetPath, stdout: TextIO, dereference: bool = False) -> None:
+    """Print file status."""
+    symlink = f"-> {path.readlink()}" if path.is_symlink() else ""
+    s = path.stat() if dereference else path.lstat()
+
+    def filetype(path: TargetPath) -> str:
+        if path.is_dir():
+            return "directory"
+        elif path.is_symlink():
+            return "symbolic link"
+        elif path.is_file():
+            return "regular file"
+
+    res = STAT_TEMPLATE.format(
+        path=path,
+        symlink=symlink,
+        size=s.st_size,
+        filetype=filetype(path),
+        device="?",
+        inode=s.st_ino,
+        blocks=s.st_blocks or "?",
+        blksize=s.st_blksize or "?",
+        nlink=s.st_nlink,
+        modeord=oct(stat.S_IMODE(s.st_mode)),
+        modestr=stat_modestr(s),
+        uid=s.st_uid,
+        gid=s.st_gid,
+        atime=datetime.fromtimestamp(s.st_atime, tz=timezone.utc).isoformat(timespec="microseconds"),
+        mtime=datetime.fromtimestamp(s.st_mtime, tz=timezone.utc).isoformat(timespec="microseconds"),
+        ctime=datetime.fromtimestamp(s.st_ctime, tz=timezone.utc).isoformat(timespec="microseconds"),
+        btime=datetime.fromtimestamp(s.st_birthtime, tz=timezone.utc).isoformat(timespec="microseconds")
+        if hasattr(s, "st_birthtime") and s.st_birthtime
+        else "?",
+    )
+    print(res, file=stdout)
+
+    try:
+        if (xattr := path.get().attr()) and isinstance(xattr, list) and hasattr(xattr[0], "name"):
+            print("  Attr:")
+            print_xattr(path.name, xattr, stdout)
+    except Exception:
+        pass
+
+
+def print_xattr(basename: str, xattr: list, stdout: TextIO) -> None:
+    """Mimics getfattr -d {file} behaviour."""
+    if not hasattr(xattr[0], "name"):
+        return
+
+    XATTR_TEMPLATE = "# file: {basename}\n{attrs}"
+    res = XATTR_TEMPLATE.format(
+        basename=basename, attrs="\n".join([f'{attr.name}="{attr.value.decode()}"' for attr in xattr])
+    )
+    print(res, file=stdout)

dissect/target/tools/info.py

@@ -4,6 +4,7 @@
 import argparse
 import json
 import logging
+from datetime import datetime
 from pathlib import Path
 from typing import Union
 
@@ -138,10 +139,13 @@ def print_target_info(target: Target) -> None:
         if isinstance(value, list):
             value = ", ".join(value)
 
+        if isinstance(value, datetime):
+            value = value.isoformat(timespec="microseconds")
+
         if name == "hostname":
             print()
 
-        print(f"{name.capitalize().replace('_', ' ')}" + (14 - len(name)) * " " + f" : {value}")
+        print(f"{name.capitalize().replace('_', ' '):14s} : {value}")
 
 
 def get_disks_info(target: Target) -> list[dict[str, Union[str, int]]]: