dissect.target 3.19.dev57__py3-none-any.whl → 3.20__py3-none-any.whl

dissect/target/plugins/os/windows/regf/applications.py

@@ -0,0 +1,62 @@
+from datetime import datetime
+from typing import Iterator
+
+from dissect.target.exceptions import UnsupportedPluginError
+from dissect.target.helpers.record import WindowsApplicationRecord
+from dissect.target.plugin import Plugin, export
+from dissect.target.target import Target
+
+
+class WindowsApplicationsPlugin(Plugin):
+    """Windows Applications plugin."""
+
+    def __init__(self, target: Target):
+        super().__init__(target)
+        self.keys = list(self.target.registry.keys("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall"))
+
+    def check_compatible(self) -> None:
+        if not self.target.has_function("registry"):
+            raise UnsupportedPluginError("No Windows registry found")
+
+        if not self.keys:
+            raise UnsupportedPluginError("No 'Uninstall' registry keys found")
+
+    @export(record=WindowsApplicationRecord)
+    def applications(self) -> Iterator[WindowsApplicationRecord]:
+        """Yields currently installed applications from the Windows registry.
+
+        Use the Windows eventlog plugin (``evtx``, ``evt``) to parse install and uninstall events
+        of applications and services (e.g. ``4697``, ``110707``, ``1034`` and ``11724``).
+
+        Resources:
+            - https://learn.microsoft.com/en-us/windows/win32/msi/uninstall-registry-key
+
+        Yields ``WindowsApplicationRecord`` records with the following fields:
+
+        .. code-block:: text
+
+            ts_modified  (datetime): timestamp when the installation was modified according to the registry
+            ts_installed (datetime): timestamp when the application was installed according to the application
+            name         (string):   name of the application
+            version      (string):   version of the application
+            author       (string):   author of the application
+            type         (string):   type of the application, either user or system
+            path         (string):   path to the installed location or installer of the application
+        """
+        for uninstall in self.keys:
+            for app in uninstall.subkeys():
+                values = {value.name: value.value for value in app.values()}
+
+                if install_date := values.get("InstallDate"):
+                    install_date = datetime.strptime(install_date, "%Y%m%d")
+
+                yield WindowsApplicationRecord(
+                    ts_modified=app.ts,
+                    ts_installed=install_date,
+                    name=values.get("DisplayName") or app.name,
+                    version=values.get("DisplayVersion"),
+                    author=values.get("Publisher"),
+                    type="system" if values.get("SystemComponent") or not values else "user",
+                    path=values.get("DisplayIcon") or values.get("InstallLocation") or values.get("InstallSource"),
+                    _target=self.target,
+                )

dissect/target/plugins/os/windows/regf/auditpol.py

@@ -1,4 +1,5 @@
 import io
+from typing import Iterator
 
 from dissect.cstruct import cstruct
 
@@ -138,7 +139,7 @@ class AuditpolPlugin(Plugin):
             raise UnsupportedPluginError(f"Registry key {self.KEY} not found")
 
     @export(record=AuditPolicyRecord)
-    def auditpol(self):
+    def auditpol(self) -> Iterator[AuditPolicyRecord]:
         """Return audit policy settings from the registry.
 
         For Windows, the audit policy settings are stored in the HKEY_LOCAL_MACHINE\\Security\\Policy\\PolAdtEv registry

dissect/target/plugins/os/windows/regf/bam.py

@@ -1,3 +1,5 @@
+from typing import Iterator
+
 from dissect.cstruct import cstruct
 from dissect.util.ts import wintimestamp
 
@@ -36,7 +38,7 @@ class BamDamPlugin(Plugin):
             raise UnsupportedPluginError("No bam or dam registry keys not found")
 
     @export(record=BamDamRecord)
-    def bam(self):
+    def bam(self) -> Iterator[BamDamRecord]:
         """Parse bam and dam registry keys.
 
         Yields BamDamRecords with fields:

dissect/target/plugins/os/windows/regf/cit.py

@@ -1,12 +1,10 @@
-# Resources:
-# - generaltel.dll
-# - win32k.sys (Windows 7)
-# - win32kbase.sys (Windows 10)
+from __future__ import annotations
 
 import datetime
 import struct
 from binascii import crc32
 from io import BytesIO
+from typing import Iterator, Union, get_args
 
 from dissect.cstruct import cstruct
 from dissect.util.compression import lznt1
@@ -20,6 +18,10 @@ from dissect.target.helpers.record import (
 )
 from dissect.target.plugin import Plugin, export
 
+# Resources:
+# - generaltel.dll
+# - win32k.sys (Windows 7)
+# - win32kbase.sys (Windows 10)
 cit_def = """
 typedef QWORD FILETIME;
 
@@ -353,7 +355,7 @@ CITProgramBitmapForegroundRecord = TargetRecordDescriptor(
 )
 
 
-CIT_RECORDS = [
+CITRecords = Union[
     CITSystemRecord,
     CITSystemBitmapDisplayPowerRecord,
     CITSystemBitmapDisplayRequestChangeRecord,
@@ -602,7 +604,7 @@ class ProgramDataBitmaps(BaseUseDataBitmaps):
         self.foreground = self._parse_bitmap(0)
 
 
-def decode_name(name):
+def decode_name(name: str) -> bytes:
     """Decode the registry key name.
 
     The CIT key name in the registry has some strange encoding.
@@ -642,8 +644,8 @@ class CITPlugin(Plugin):
         if not len(list(self.target.registry.keys(self.KEY))) > 0:
             raise UnsupportedPluginError("No CIT registry key found")
 
-    @export(record=CIT_RECORDS)
-    def cit(self):
+    @export(record=get_args(CITRecords))
+    def cit(self) -> Iterator[CITRecords]:
         """Return CIT data from the registry for executed executable information.
 
         CIT data is stored at HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\CIT\\System.
@@ -772,7 +774,7 @@ class CITPlugin(Plugin):
                     self.target.log.exception("Failed to parse CIT value: %s", value.name)
 
     @export(record=CITPostUpdateUseInfoRecord)
-    def puu(self):
+    def puu(self) -> Iterator[CITPostUpdateUseInfoRecord]:
         """Parse CIT PUU (Post Update Usage) data from the registry.
 
         Generally only available since Windows 10.
@@ -823,7 +825,7 @@ class CITPlugin(Plugin):
                 )
 
     @export(record=[CITDPRecord, CITDPDurationRecord])
-    def dp(self):
+    def dp(self) -> Iterator[CITDPRecord | CITDPDurationRecord]:
         """Parse CIT DP data from the registry.
 
         Generally only available since Windows 10.
@@ -878,7 +880,7 @@ class CITPlugin(Plugin):
                         )
 
     @export(record=CITTelemetryRecord)
-    def telemetry(self):
+    def telemetry(self) -> Iterator[CITTelemetryRecord]:
         """Parse CIT process telemetry answers from the registry.
 
         In some versions of Windows, processes would get "telemetry answers" set on their process struct, based on
@@ -899,7 +901,7 @@ class CITPlugin(Plugin):
                     )
 
     @export(record=CITModuleRecord)
-    def modules(self):
+    def modules(self) -> Iterator[CITModuleRecord]:
         """Parse CIT tracked module information from the registry.
 
         Contains applications that loaded a tracked module. By default these are:

dissect/target/plugins/os/windows/regf/clsid.py

@@ -1,9 +1,12 @@
+from typing import Iterator
+
 from dissect.target.exceptions import RegistryError, UnsupportedPluginError
 from dissect.target.helpers.descriptor_extensions import (
     RegistryRecordDescriptorExtension,
     UserRecordDescriptorExtension,
 )
 from dissect.target.helpers.record import create_extended_descriptor
+from dissect.target.helpers.regutil import RegistryKey
 from dissect.target.plugin import Plugin, export
 
 CLSIDRecordDescriptor = create_extended_descriptor(
@@ -50,7 +53,7 @@ class CLSIDPlugin(Plugin):
         if not len(list(self.target.registry.keys(list(self.KEYS.values())))) > 0:
             raise UnsupportedPluginError("No CLSID key found")
 
-    def create_records(self, keys):
+    def create_records(self, keys: list[RegistryKey]) -> Iterator[CLSIDRecord]:
         """Iterate all CLSID keys from HKEY_CURRENT_USER\\Software\\Classes\\CLSID and
         HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID.
 
@@ -98,11 +101,11 @@ class CLSIDPlugin(Plugin):
                         )
 
     @export(record=CLSIDRecord)
-    def user(self):
+    def user(self) -> Iterator[CLSIDRecord]:
         """Return only the user CLSID registry keys."""
         yield from self.create_records(self.KEYS["user"])
 
     @export(record=CLSIDRecord)
-    def machine(self):
+    def machine(self) -> Iterator[CLSIDRecord]:
         """Return only the machine CLSID registry keys."""
         yield from self.create_records(self.KEYS["machine"])

dissect/target/plugins/os/windows/regf/firewall.py

@@ -1,4 +1,5 @@
 import re
+from typing import Iterator
 
 from dissect.target.exceptions import UnsupportedPluginError
 from dissect.target.helpers.record import DynamicDescriptor, TargetRecordDescriptor
@@ -19,7 +20,7 @@ class FirewallPlugin(Plugin):
             raise UnsupportedPluginError(f"Registry key {self.KEY} not found")
 
     @export(record=DynamicDescriptor(["uri"]))
-    def firewall(self):
+    def firewall(self) -> Iterator[DynamicDescriptor]:
         """Return firewall rules saved in the registry.
 
         For a Windows operating system, the Firewall rules are stored in the

dissect/target/plugins/os/windows/regf/mru.py

@@ -1,4 +1,5 @@
 import struct
+from typing import Iterator
 
 from dissect.util.ts import wintimestamp
 
@@ -121,7 +122,7 @@ class MRUPlugin(Plugin):
             return UnsupportedPluginError("Target has no registry")
 
     @export(record=RunMRURecord)
-    def run(self):
+    def run(self) -> Iterator[RunMRURecord]:
         """Return the RunMRU data.
 
         The ``HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU`` registry key contains information
@@ -136,7 +137,7 @@ class MRUPlugin(Plugin):
             yield from parse_mru_key(self.target, key, RunMRURecord)
 
     @export(record=RecentDocsRecord)
-    def recentdocs(self):
+    def recentdocs(self) -> Iterator[RecentDocsRecord]:
         """Return the RecentDocs data.
 
         The ``HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs`` registry key contains
@@ -153,7 +154,7 @@ class MRUPlugin(Plugin):
             yield from parse_mru_ex_key(self.target, key, RecentDocsRecord)
 
     @export(record=OpenSaveMRURecord)
-    def opensave(self):
+    def opensave(self) -> Iterator[OpenSaveMRURecord]:
         """Return the OpenSaveMRU data.
 
         The ``HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\OpenSaveMRU`` registry key
@@ -169,7 +170,7 @@ class MRUPlugin(Plugin):
             yield from parse_mru_key(self.target, key, OpenSaveMRURecord)
 
     @export(record=LastVisitedMRURecord)
-    def lastvisited(self):
+    def lastvisited(self) -> Iterator[LastVisitedMRURecord]:
         """Return the LastVisitedMRU data.
 
         The ``HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\LastVisitedMRU`` registry key
@@ -210,7 +211,7 @@ class MRUPlugin(Plugin):
                 )
 
     @export(record=ACMruRecord)
-    def acmru(self):
+    def acmru(self) -> Iterator[ACMruRecord]:
         """Return the ACMru (Windows Search) data.
 
         The following keys are being searched:
@@ -252,7 +253,7 @@ class MRUPlugin(Plugin):
             yield from parse_mru_ex_key(self.target, key, ACMruRecord)
 
     @export(record=MapNetworkDriveMRURecord)
-    def networkdrive(self):
+    def networkdrive(self) -> Iterator[MapNetworkDriveMRURecord]:
         """Return MRU of mapped network drives.
 
         The HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Map Network Drive MRU registry key contains
@@ -268,7 +269,7 @@ class MRUPlugin(Plugin):
             yield from parse_mru_key(self.target, key, MapNetworkDriveMRURecord)
 
     @export(record=TerminalServerMRURecord)
-    def mstsc(self):
+    def mstsc(self) -> Iterator[TerminalServerMRURecord]:
         """Return Terminal Server Client MRU data."""
 
         KEY = "HKCU\\Software\\Microsoft\\Terminal Server Client\\Default"
@@ -290,7 +291,7 @@ class MRUPlugin(Plugin):
                 )
 
     @export(record=MSOfficeMRURecord)
-    def msoffice(self):
+    def msoffice(self) -> Iterator[MSOfficeMRURecord]:
         """Return MS Office MRU keys."""
 
         KEY = "HKCU\\Software\\Microsoft\\Office"

dissect/target/plugins/os/windows/regf/nethist.py

@@ -1,5 +1,6 @@
 import datetime
 import struct
+from typing import Iterator
 
 from dissect.target.exceptions import RegistryError, UnsupportedPluginError
 from dissect.target.helpers.record import TargetRecordDescriptor
@@ -22,6 +23,8 @@ NetworkHistoryRecord = TargetRecordDescriptor(
 
 
 class NethistPlugin(Plugin):
+    """Windows network history plugin."""
+
     KEY = "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Networklist\\Signatures"
     PROFILE_KEY = "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Networklist\\Profiles"
 
@@ -30,7 +33,7 @@ class NethistPlugin(Plugin):
             raise UnsupportedPluginError("No Networklist registry keys found")
 
     @export(record=NetworkHistoryRecord)
-    def network_history(self):
+    def network_history(self) -> Iterator[NetworkHistoryRecord]:
         """Return attached network history.
 
         The HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Networklist\\Signatures and
@@ -38,8 +41,8 @@ class NethistPlugin(Plugin):
         about the networks to which the system has been connected, both wireless and wired.
 
         References:
-            - https://www.weaklink.org/2016/11/windows-network-profile-registry-keys/
-        """
+            - https://web.archive.org/web/20221127181357/https://www.weaklink.org/2016/11/windows-network-profile-registry-keys/
+        """  # noqa: E501
         for key in self.target.registry.keys(self.KEY):
             for kind in key.subkeys():
                 for sig in kind.subkeys():

dissect/target/plugins/os/windows/regf/recentfilecache.py

@@ -1,3 +1,5 @@
+from typing import Iterator
+
 from dissect.cstruct import cstruct
 
 from dissect.target.exceptions import UnsupportedPluginError
@@ -40,7 +42,7 @@ class RecentFileCachePlugin(Plugin):
             raise UnsupportedPluginError("Could not load RecentFileCache.bcf")
 
     @export(record=RecentFileCacheRecord)
-    def recentfilecache(self):
+    def recentfilecache(self) -> Iterator[RecentFileCacheRecord]:
         """Parse RecentFileCache.bcf.
 
         Yields RecentFileCacheRecords with fields:

dissect/target/plugins/os/windows/regf/regf.py

@@ -1,3 +1,7 @@
+from __future__ import annotations
+
+from typing import Iterator
+
 from dissect.target.exceptions import PluginError, UnsupportedPluginError
 from dissect.target.helpers.record import TargetRecordDescriptor
 from dissect.target.plugin import Plugin, export
@@ -37,7 +41,7 @@ class RegfPlugin(Plugin):
             raise UnsupportedPluginError("Registry plugin not loaded")
 
     @export(record=[RegistryKeyRecord, RegistryValueRecord])
-    def regf(self):
+    def regf(self) -> Iterator[RegistryKeyRecord | RegistryValueRecord]:
         """Return all registry keys and values.
 
         The Windows Registry is a hierarchical database that stores low-level settings for the Windows operating system