dissect.target 3.20.1__py3-none-any.whl → 3.20.2.dev12__py3-none-any.whl

dissect/target/filesystems/dir.py

@@ -27,12 +27,7 @@ class DirectoryFilesystem(Filesystem):
     def _detect(fh: BinaryIO) -> bool:
         raise TypeError("Detect is not allowed on DirectoryFilesystem class")
 
-    def get(self, path: str) -> FilesystemEntry:
-        path = path.strip("/")
-
-        if not path:
-            return DirectoryFilesystemEntry(self, "/", self.base_path)
-
+    def _resolve_path(self, path: str) -> Path:
         if not self.case_sensitive:
             searchpath = self.base_path
 
@@ -48,6 +43,14 @@ class DirectoryFilesystem(Filesystem):
         else:
             entry = self.base_path.joinpath(path.strip("/"))
 
+        return entry
+
+    def get(self, path: str) -> FilesystemEntry:
+        if not (path := path.strip("/")):
+            return DirectoryFilesystemEntry(self, "/", self.base_path)
+
+        entry = self._resolve_path(path)
+
         try:
             entry.lstat()
             return DirectoryFilesystemEntry(self, path, entry)

dissect/target/filesystems/zip.py

@@ -56,7 +56,7 @@ class ZipFilesystem(Filesystem):
             if not mname.startswith(self.base) or mname == ".":
                 continue
 
-            rel_name = fsutil.normpath(mname[len(self.base) :], alt_separator=self.alt_separator)
+            rel_name = self._resolve_path(mname)
             self._fs.map_file_entry(rel_name, ZipFilesystemEntry(self, rel_name, member))
 
     @staticmethod
@@ -64,6 +64,9 @@ class ZipFilesystem(Filesystem):
         """Detect a zip file on a given file-like object."""
         return zipfile.is_zipfile(fh)
 
+    def _resolve_path(self, path: str) -> str:
+        return fsutil.normpath(path[len(self.base) :], alt_separator=self.alt_separator)
+
     def get(self, path: str, relentry: FilesystemEntry = None) -> FilesystemEntry:
         """Returns a ZipFilesystemEntry object corresponding to the given path."""
         return self._fs.get(path, relentry=relentry)

dissect/target/helpers/configutil.py

@@ -470,9 +470,9 @@ class Toml(ConfigurationParser):
 class Env(ConfigurationParser):
     """Parses ``.env`` file contents according to Docker and bash specification.
 
-    Does not apply interpolation of substituted values, eg. ``foo=${bar}`` and does not attempt
-    to parse list or dict strings. Does not support dynamic env files, eg. `` foo=`bar` ``. Also
-    does not support multi-line key/value assignments (yet).
+    Does not apply interpolation of substituted values, e.g. ``foo=${bar}`` and does not attempt to parse list or dict
+    strings. Does not support dynamic env files, e.g. ``foo=`bar```. Also does not support multi-line key/value
+    assignments (yet).
 
     Resources:
         - https://docs.docker.com/compose/environment-variables/variable-interpolation/#env-file-syntax

dissect/target/loaders/dir.py

@@ -36,13 +36,23 @@ def find_entry_path(path: Path) -> str | None:
             return prefix
 
 
-def map_dirs(target: Target, dirs: list[Path | tuple[str, Path]], os_type: str, **kwargs) -> None:
+def map_dirs(
+    target: Target,
+    dirs: list[Path | tuple[str, Path]],
+    os_type: str,
+    *,
+    dirfs: type[DirectoryFilesystem] = DirectoryFilesystem,
+    zipfs: type[ZipFilesystem] = ZipFilesystem,
+    **kwargs,
+) -> None:
     """Map directories as filesystems into the given target.
 
     Args:
         target: The target to map into.
         dirs: The directories to map as filesystems. If a list member is a tuple, the first element is the drive letter.
         os_type: The operating system type, used to determine how the filesystem should be mounted.
+        dirfs: The filesystem class to use for directory filesystems.
+        zipfs: The filesystem class to use for ZIP filesystems.
     """
     alt_separator = ""
     case_sensitive = True
@@ -59,9 +69,9 @@ def map_dirs(target: Target, dirs: list[Path | tuple[str, Path]], os_type: str,
             drive_letter = path.name[0]
 
         if isinstance(path, zipfile.Path):
-            dfs = ZipFilesystem(path.root.fp, path.at, alt_separator=alt_separator, case_sensitive=case_sensitive)
+            dfs = zipfs(path.root.fp, path.at, alt_separator=alt_separator, case_sensitive=case_sensitive)
         else:
-            dfs = DirectoryFilesystem(path, alt_separator=alt_separator, case_sensitive=case_sensitive)
+            dfs = dirfs(path, alt_separator=alt_separator, case_sensitive=case_sensitive)
 
         drive_letter_map[drive_letter].append(dfs)
 

dissect/target/loaders/itunes.py

@@ -163,8 +163,10 @@ class ITunesBackup:
 
     def files(self) -> Iterator[FileInfo]:
         """Iterate all the files in this backup."""
-        for row in self.manifest_db.table("Files").rows():
-            yield FileInfo(self, row.fileID, row.domain, row.relativePath, row.flags, row.file)
+
+        if table := self.manifest_db.table("Files"):
+            for row in table.rows():
+                yield FileInfo(self, row.fileID, row.domain, row.relativePath, row.flags, row.file)
 
 
 class FileInfo:
@@ -288,7 +290,7 @@ def translate_file_path(domain: str, relative_path: str) -> str:
         package_name = ""
 
     domain_path = fsutil.join(DOMAIN_TRANSLATION.get(domain, domain), package_name)
-    return fsutil.join(domain_path, relative_path)
+    return fsutil.join(domain_path, relative_path).rstrip("/")
 
 
 def parse_key_bag(buf: bytes) -> tuple[dict[str, bytes, int], dict[str, ClassKey]]:

dissect/target/loaders/velociraptor.py

@@ -4,7 +4,11 @@ import logging
 import zipfile
 from pathlib import Path
 from typing import TYPE_CHECKING
+from urllib.parse import quote, unquote
 
+from dissect.target.filesystems.dir import DirectoryFilesystem
+from dissect.target.filesystems.zip import ZipFilesystem
+from dissect.target.helpers.fsutil import basename, dirname, join
 from dissect.target.loaders.dir import DirLoader, find_dirs, map_dirs
 from dissect.target.plugin import OperatingSystem
 
@@ -87,11 +91,13 @@ class VelociraptorLoader(DirLoader):
         super().__init__(path)
 
         if path.suffix == ".zip":
-            log.warning(
-                f"Velociraptor target {path!r} is compressed, which will slightly affect performance. "
-                "Consider uncompressing the archive and passing the uncompressed folder to Dissect."
-            )
             self.root = zipfile.Path(path.open("rb"))
+            if self.root.root.getinfo("uploads.json").compress_type > 0:
+                log.warning(
+                    "Velociraptor target '%s' is compressed, which will slightly affect performance. "
+                    "Consider uncompressing the archive and passing the uncompressed folder to Dissect.",
+                    path,
+                )
         else:
             self.root = path
 
@@ -116,14 +122,28 @@ class VelociraptorLoader(DirLoader):
 
     def map(self, target: Target) -> None:
         os_type, dirs = find_fs_directories(self.root)
-        if os_type == OperatingSystem.WINDOWS:
-            # Velociraptor doesn't have the correct filenames for the paths "$J" and "$Secure:$SDS"
-            map_dirs(
-                target,
-                dirs,
-                os_type,
-                usnjrnl_path="$Extend/$UsnJrnl%3A$J",
-                sds_path="$Secure%3A$SDS",
-            )
-        else:
-            map_dirs(target, dirs, os_type)
+
+        # Velociraptor URL encodes paths before storing these in a collection, this leads plugins not being able to find
+        # these paths. To circumvent this issue, for a zip file the path names are URL decoded before mapping into the
+        # VFS and for a directory the paths are URL encoded at lookup time.
+        map_dirs(
+            target,
+            dirs,
+            os_type,
+            dirfs=VelociraptorDirectoryFilesystem,
+            zipfs=VelociraptorZipFilesystem,
+        )
+
+
+class VelociraptorDirectoryFilesystem(DirectoryFilesystem):
+    def _resolve_path(self, path: str) -> Path:
+        path = quote(path, safe="$/% ")
+        if (fname := basename(path)).startswith("."):
+            path = join(dirname(path), fname.replace(".", "%2E", 1))
+
+        return super()._resolve_path(path)
+
+
+class VelociraptorZipFilesystem(ZipFilesystem):
+    def _resolve_path(self, path: str) -> str:
+        return unquote(super()._resolve_path(path))

dissect/target/plugins/apps/browser/iexplore.py

@@ -36,14 +36,18 @@ class WebCache:
             All ``ContainerId`` values for the requested container name.
         """
         try:
-            for container_record in self.db.table("Containers").records():
+            table = self.db.table("Containers")
+
+            for container_record in table.records():
                 if record_name := container_record.get("Name"):
                     record_name = record_name.rstrip("\00").lower()
                     if record_name == name.lower():
                         container_id = container_record.get("ContainerId")
                         yield self.db.table(f"Container_{container_id}")
-        except KeyError:
-            pass
+
+        except KeyError as e:
+            self.target.log.warning("Exception while parsing EseDB Containers table")
+            self.target.log.debug("", exc_info=e)
 
     def _iter_records(self, name: str) -> Iterator[record.Record]:
         """Yield records from a Webcache container.

dissect/target/plugins/general/plugins.py

@@ -169,7 +169,7 @@ class PluginListPlugin(Plugin):
 
 
 def generate_plugins_json(plugins: list[Plugin]) -> Iterator[dict]:
-    """Generates JSON output of a list of :class:`Plugin`s."""
+    """Generates JSON output of a list of :class:`Plugin`."""
 
     for p in plugins:
         func = getattr(p.class_object, p.method_name)

dissect/target/plugins/os/unix/_os.py

@@ -182,7 +182,7 @@ class UnixPlugin(OSPlugin):
             paths (list): list of paths
         """
         redhat_legacy_path = "/etc/sysconfig/network"
-        paths = paths or ["/etc/hostname", "/etc/HOSTNAME", redhat_legacy_path]
+        paths = paths or ["/etc/hostname", "/etc/HOSTNAME", "/proc/sys/kernel/hostname", redhat_legacy_path]
         hostname_dict = {"hostname": None, "domain": None}
 
         for path in paths:

dissect/target/plugins/os/unix/esxi/_os.py

@@ -472,37 +472,39 @@ def parse_config_store(fh: BinaryIO) -> dict[str, Any]:
     db = sqlite3.SQLite3(fh)
 
     store = {}
-    for row in db.table("Config").rows():
-        component_name = row.Component
-        config_group_name = row.ConfigGroup
-        value_group_name = row.Name
-        identifier_name = row.Identifier
-
-        if component_name not in store:
-            store[component_name] = {}
-        component = store[component_name]
-
-        if config_group_name not in component:
-            component[config_group_name] = {}
-        config_group = component[config_group_name]
-
-        if value_group_name not in config_group:
-            config_group[value_group_name] = {}
-        value_group = config_group[value_group_name]
-
-        if identifier_name not in value_group:
-            value_group[identifier_name] = {}
-        identifier = value_group[identifier_name]
-
-        identifier["modified_time"] = row.ModifiedTime
-        identifier["creation_time"] = row.CreationTime
-        identifier["version"] = row.Version
-        identifier["success"] = row.Success
-        identifier["auto_conf_value"] = json.loads(row.AutoConfValue) if row.AutoConfValue else None
-        identifier["user_value"] = json.loads(row.UserValue) if row.UserValue else None
-        identifier["vital_value"] = json.loads(row.VitalValue) if row.VitalValue else None
-        identifier["cached_value"] = json.loads(row.CachedValue) if row.CachedValue else None
-        identifier["desired_value"] = json.loads(row.DesiredValue) if row.DesiredValue else None
-        identifier["revision"] = row.Revision
+
+    if table := db.table("Config"):
+        for row in table.rows():
+            component_name = row.Component
+            config_group_name = row.ConfigGroup
+            value_group_name = row.Name
+            identifier_name = row.Identifier
+
+            if component_name not in store:
+                store[component_name] = {}
+            component = store[component_name]
+
+            if config_group_name not in component:
+                component[config_group_name] = {}
+            config_group = component[config_group_name]
+
+            if value_group_name not in config_group:
+                config_group[value_group_name] = {}
+            value_group = config_group[value_group_name]
+
+            if identifier_name not in value_group:
+                value_group[identifier_name] = {}
+            identifier = value_group[identifier_name]
+
+            identifier["modified_time"] = row.ModifiedTime
+            identifier["creation_time"] = row.CreationTime
+            identifier["version"] = row.Version
+            identifier["success"] = row.Success
+            identifier["auto_conf_value"] = json.loads(row.AutoConfValue) if row.AutoConfValue else None
+            identifier["user_value"] = json.loads(row.UserValue) if row.UserValue else None
+            identifier["vital_value"] = json.loads(row.VitalValue) if row.VitalValue else None
+            identifier["cached_value"] = json.loads(row.CachedValue) if row.CachedValue else None
+            identifier["desired_value"] = json.loads(row.DesiredValue) if row.DesiredValue else None
+            identifier["revision"] = row.Revision
 
     return store