dissect.target 3.20.dev13__py3-none-any.whl → 3.20.dev15__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- dissect/target/plugins/filesystem/ntfs/mft.py +8 -6
- dissect/target/tools/shell.py +43 -0
- {dissect.target-3.20.dev13.dist-info → dissect.target-3.20.dev15.dist-info}/METADATA +1 -1
- {dissect.target-3.20.dev13.dist-info → dissect.target-3.20.dev15.dist-info}/RECORD +9 -9
- {dissect.target-3.20.dev13.dist-info → dissect.target-3.20.dev15.dist-info}/COPYRIGHT +0 -0
- {dissect.target-3.20.dev13.dist-info → dissect.target-3.20.dev15.dist-info}/LICENSE +0 -0
- {dissect.target-3.20.dev13.dist-info → dissect.target-3.20.dev15.dist-info}/WHEEL +0 -0
- {dissect.target-3.20.dev13.dist-info → dissect.target-3.20.dev15.dist-info}/entry_points.txt +0 -0
- {dissect.target-3.20.dev13.dist-info → dissect.target-3.20.dev15.dist-info}/top_level.txt +0 -0
|
@@ -105,6 +105,7 @@ FilesystemMACBRecord = TargetRecordDescriptor(
|
|
|
105
105
|
("filesize", "filesize"),
|
|
106
106
|
("boolean", "resident"),
|
|
107
107
|
("boolean", "inuse"),
|
|
108
|
+
("boolean", "ads"),
|
|
108
109
|
("string", "volume_uuid"),
|
|
109
110
|
],
|
|
110
111
|
)
|
|
@@ -151,7 +152,7 @@ class MftPlugin(Plugin):
|
|
|
151
152
|
"--macb",
|
|
152
153
|
group="fmt",
|
|
153
154
|
action="store_true",
|
|
154
|
-
help="compacts
|
|
155
|
+
help="compacts MFT timestamps into MACB bitfield (format: MACB[standard|ads]/MACB[filename])",
|
|
155
156
|
)
|
|
156
157
|
def mft(
|
|
157
158
|
self, compact: bool = False, fs: int | None = None, start: int = 0, end: int = -1, macb: bool = False
|
|
@@ -342,12 +343,13 @@ def macb_aggr(records: list[Record]) -> Iterator[Record]:
|
|
|
342
343
|
for record in records:
|
|
343
344
|
found = False
|
|
344
345
|
|
|
345
|
-
|
|
346
|
-
|
|
346
|
+
offset = 0
|
|
347
|
+
if not getattr(record, "ads", False):
|
|
348
|
+
offset = int(record._desc.name == "filesystem/ntfs/mft/filename") * 5
|
|
347
349
|
|
|
348
|
-
field = "MACB".find(record.ts_type) +
|
|
350
|
+
field = "MACB".find(record.ts_type) + offset
|
|
349
351
|
for macb in macbs:
|
|
350
|
-
if macb.ts == record.ts:
|
|
352
|
+
if macb.ts == record.ts and macb.path == record.path:
|
|
351
353
|
macb.macb = macb_set(macb.macb, field, record.ts_type)
|
|
352
354
|
found = True
|
|
353
355
|
break
|
|
@@ -356,7 +358,7 @@ def macb_aggr(records: list[Record]) -> Iterator[Record]:
|
|
|
356
358
|
continue
|
|
357
359
|
|
|
358
360
|
macb = FilesystemMACBRecord.init_from_record(record)
|
|
359
|
-
macb.macb = "
|
|
361
|
+
macb.macb = "..../...."
|
|
360
362
|
macb.macb = macb_set(macb.macb, field, record.ts_type)
|
|
361
363
|
|
|
362
364
|
macbs.append(macb)
|
dissect/target/tools/shell.py
CHANGED
|
@@ -95,6 +95,7 @@ class ExtendedCmd(cmd.Cmd):
|
|
|
95
95
|
"""
|
|
96
96
|
|
|
97
97
|
CMD_PREFIX = "cmd_"
|
|
98
|
+
_runtime_aliases = {}
|
|
98
99
|
|
|
99
100
|
def __init__(self, cyber: bool = False):
|
|
100
101
|
cmd.Cmd.__init__(self)
|
|
@@ -164,6 +165,11 @@ class ExtendedCmd(cmd.Cmd):
|
|
|
164
165
|
return None
|
|
165
166
|
|
|
166
167
|
def default(self, line: str) -> bool:
|
|
168
|
+
com, arg, _ = self.parseline(line)
|
|
169
|
+
if com in self._runtime_aliases:
|
|
170
|
+
expanded = " ".join([self._runtime_aliases[com], arg])
|
|
171
|
+
return self.onecmd(expanded)
|
|
172
|
+
|
|
167
173
|
if (should_exit := self._handle_command(line)) is not None:
|
|
168
174
|
return should_exit
|
|
169
175
|
|
|
@@ -230,6 +236,43 @@ class ExtendedCmd(cmd.Cmd):
|
|
|
230
236
|
def complete_man(self, *args) -> list[str]:
|
|
231
237
|
return cmd.Cmd.complete_help(self, *args)
|
|
232
238
|
|
|
239
|
+
def do_unalias(self, line: str) -> bool:
|
|
240
|
+
"""delete runtime alias"""
|
|
241
|
+
aliases = list(shlex.shlex(line, posix=True))
|
|
242
|
+
for aliased in aliases:
|
|
243
|
+
if aliased in self._runtime_aliases:
|
|
244
|
+
del self._runtime_aliases[aliased]
|
|
245
|
+
else:
|
|
246
|
+
print(f"alias {aliased} not found")
|
|
247
|
+
return False
|
|
248
|
+
|
|
249
|
+
def do_alias(self, line: str) -> bool:
|
|
250
|
+
"""create a runtime alias"""
|
|
251
|
+
args = list(shlex.shlex(line, posix=True))
|
|
252
|
+
|
|
253
|
+
if not args:
|
|
254
|
+
for aliased, command in self._runtime_aliases.items():
|
|
255
|
+
print(f"alias {aliased}={command}")
|
|
256
|
+
return False
|
|
257
|
+
|
|
258
|
+
while args:
|
|
259
|
+
alias_name = args.pop(0)
|
|
260
|
+
try:
|
|
261
|
+
equals = args.pop(0)
|
|
262
|
+
# our parser works different, so we have to stop this
|
|
263
|
+
if equals != "=":
|
|
264
|
+
raise RuntimeError("Token not allowed")
|
|
265
|
+
expanded = args.pop(0) if args else "" # this is how it works in bash
|
|
266
|
+
self._runtime_aliases[alias_name] = expanded
|
|
267
|
+
except IndexError:
|
|
268
|
+
if alias_name in self._runtime_aliases:
|
|
269
|
+
print(f"alias {alias_name}={self._runtime_aliases[alias_name]}")
|
|
270
|
+
else:
|
|
271
|
+
print(f"alias {alias_name} not found")
|
|
272
|
+
pass
|
|
273
|
+
|
|
274
|
+
return False
|
|
275
|
+
|
|
233
276
|
def do_clear(self, line: str) -> bool:
|
|
234
277
|
"""clear the terminal screen"""
|
|
235
278
|
os.system("cls||clear")
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
Metadata-Version: 2.1
|
|
2
2
|
Name: dissect.target
|
|
3
|
-
Version: 3.20.
|
|
3
|
+
Version: 3.20.dev15
|
|
4
4
|
Summary: This module ties all other Dissect modules together, it provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets)
|
|
5
5
|
Author-email: Dissect Team <dissect@fox-it.com>
|
|
6
6
|
License: Affero General Public License v3
|
|
@@ -170,7 +170,7 @@ dissect/target/plugins/filesystem/resolver.py,sha256=HfyASUFV4F9uD-yFXilFpPTORAs
|
|
|
170
170
|
dissect/target/plugins/filesystem/walkfs.py,sha256=rklbN805roy2fKAQe5L1JhTvI0qNgGS70ZNGFwevLB0,2740
|
|
171
171
|
dissect/target/plugins/filesystem/yara.py,sha256=zh4hU3L_egddLqDeaHDVuCWYhTlNzPYPVak36Q6IMxI,6621
|
|
172
172
|
dissect/target/plugins/filesystem/ntfs/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
173
|
-
dissect/target/plugins/filesystem/ntfs/mft.py,sha256=
|
|
173
|
+
dissect/target/plugins/filesystem/ntfs/mft.py,sha256=2YEkdPpMz4WcXHUD4SnB8kCkZgXRgeXgXf827F1nh3w,12429
|
|
174
174
|
dissect/target/plugins/filesystem/ntfs/mft_timeline.py,sha256=vvNFAZbr7s3X2OTYf4ES_L6-XsouTXcTymfxnHfZ1Rw,6791
|
|
175
175
|
dissect/target/plugins/filesystem/ntfs/usnjrnl.py,sha256=uiT1ipmcAo__6VIUi8R_vvIu22vdnjMACKwLSAbzYjs,3704
|
|
176
176
|
dissect/target/plugins/filesystem/ntfs/utils.py,sha256=xG7Lgw9NX4tDDrZVRm0vycFVJTOM7j-HrjqzDh0f4uA,3136
|
|
@@ -350,7 +350,7 @@ dissect/target/tools/logging.py,sha256=5ZnumtMWLyslxfrUGZ4ntRyf3obOOhmn8SBjKfdLc
|
|
|
350
350
|
dissect/target/tools/mount.py,sha256=8GRYnu4xEmFBHxuIZAYhOMyyTGX8fat1Ou07DNiUnW4,3945
|
|
351
351
|
dissect/target/tools/query.py,sha256=e-yAN9zdQjuOiTuoOQoo17mVEQGGcOgaA9YkF4GYpkM,15394
|
|
352
352
|
dissect/target/tools/reg.py,sha256=FDsiBBDxjWVUBTRj8xn82vZe-J_d9piM-TKS3PHZCcM,3193
|
|
353
|
-
dissect/target/tools/shell.py,sha256=
|
|
353
|
+
dissect/target/tools/shell.py,sha256=7jur65pFugpZHyfA0MkaMPCYWZPUSFjhkFQZO8IBYXQ,52077
|
|
354
354
|
dissect/target/tools/utils.py,sha256=JJZDSso1CEK2sv4Z3HJNgqxH6G9S5lbmV-C3h-XmcMo,12035
|
|
355
355
|
dissect/target/tools/yara.py,sha256=70k-2VMulf1EdkX03nCACzejaOEcsFHOyX-4E40MdQU,2044
|
|
356
356
|
dissect/target/tools/dump/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
@@ -365,10 +365,10 @@ dissect/target/volumes/luks.py,sha256=OmCMsw6rCUXG1_plnLVLTpsvE1n_6WtoRUGQbpmu1z
|
|
|
365
365
|
dissect/target/volumes/lvm.py,sha256=wwQVR9I3G9YzmY6UxFsH2Y4MXGBcKL9aayWGCDTiWMU,2269
|
|
366
366
|
dissect/target/volumes/md.py,sha256=7ShPtusuLGaIv27SvEETtgsuoQyAa4iAAeOR1NEaajI,1689
|
|
367
367
|
dissect/target/volumes/vmfs.py,sha256=-LoUbn9WNwTtLi_4K34uV_-wDw2W5hgaqxZNj4UmqAQ,1730
|
|
368
|
-
dissect.target-3.20.
|
|
369
|
-
dissect.target-3.20.
|
|
370
|
-
dissect.target-3.20.
|
|
371
|
-
dissect.target-3.20.
|
|
372
|
-
dissect.target-3.20.
|
|
373
|
-
dissect.target-3.20.
|
|
374
|
-
dissect.target-3.20.
|
|
368
|
+
dissect.target-3.20.dev15.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
|
|
369
|
+
dissect.target-3.20.dev15.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
|
|
370
|
+
dissect.target-3.20.dev15.dist-info/METADATA,sha256=Z0q9VoAwFjPPZnc3S6F_5bAUKanh-79WT4DZbPQ-0cs,12897
|
|
371
|
+
dissect.target-3.20.dev15.dist-info/WHEEL,sha256=GV9aMThwP_4oNCtvEC2ec3qUYutgWeAzklro_0m4WJQ,91
|
|
372
|
+
dissect.target-3.20.dev15.dist-info/entry_points.txt,sha256=BWuxAb_6AvUAQpIQOQU0IMTlaF6TDht2AIZK8bHd-zE,492
|
|
373
|
+
dissect.target-3.20.dev15.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
|
|
374
|
+
dissect.target-3.20.dev15.dist-info/RECORD,,
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
{dissect.target-3.20.dev13.dist-info → dissect.target-3.20.dev15.dist-info}/entry_points.txt
RENAMED
|
File without changes
|
|
File without changes
|