dissect.target 3.20.dev28__py3-none-any.whl → 3.20.dev29__py3-none-any.whl
- dissect/target/helpers/regutil.py +41 -21
- {dissect.target-3.20.dev28.dist-info → dissect.target-3.20.dev29.dist-info}/METADATA +1 -1
- {dissect.target-3.20.dev28.dist-info → dissect.target-3.20.dev29.dist-info}/RECORD +8 -8
- {dissect.target-3.20.dev28.dist-info → dissect.target-3.20.dev29.dist-info}/COPYRIGHT +0 -0
- {dissect.target-3.20.dev28.dist-info → dissect.target-3.20.dev29.dist-info}/LICENSE +0 -0
- {dissect.target-3.20.dev28.dist-info → dissect.target-3.20.dev29.dist-info}/WHEEL +0 -0
- {dissect.target-3.20.dev28.dist-info → dissect.target-3.20.dev29.dist-info}/entry_points.txt +0 -0
- {dissect.target-3.20.dev28.dist-info → dissect.target-3.20.dev29.dist-info}/top_level.txt +0 -0
@@ -3,9 +3,10 @@ from __future__ import annotations
|
|
3
3
|
|
4
4
|
import fnmatch
|
5
5
|
import re
|
6
|
-
import struct
|
7
6
|
from collections import defaultdict
|
8
7
|
from datetime import datetime
|
8
|
+
from enum import IntEnum
|
9
|
+
from functools import cached_property
|
9
10
|
from io import BytesIO
|
10
11
|
from pathlib import Path
|
11
12
|
from typing import BinaryIO, Iterator, Optional, TextIO, Union
|
@@ -28,6 +29,19 @@ ValueType = Union[int, str, bytes, list[str]]
|
|
28
29
|
"""The possible value types that can be returned from the registry."""
|
29
30
|
|
30
31
|
|
32
|
+
class RegistryValueType(IntEnum):
|
33
|
+
NONE = regf.REG_NONE
|
34
|
+
SZ = regf.REG_SZ
|
35
|
+
EXPAND_SZ = regf.REG_EXPAND_SZ
|
36
|
+
BINARY = regf.REG_BINARY
|
37
|
+
DWORD = regf.REG_DWORD
|
38
|
+
DWORD_BIG_ENDIAN = regf.REG_DWORD_BIG_ENDIAN
|
39
|
+
MULTI_SZ = regf.REG_MULTI_SZ
|
40
|
+
FULL_RESOURCE_DESCRIPTOR = regf.REG_FULL_RESOURCE_DESCRIPTOR
|
41
|
+
RESOURCE_REQUIREMENTS_LIST = regf.REG_RESOURCE_REQUIREMENTS_LIST
|
42
|
+
QWORD = regf.REG_QWORD
|
43
|
+
|
44
|
+
|
31
45
|
class RegistryHive:
|
32
46
|
"""Base class for registry hives."""
|
33
47
|
|
@@ -405,8 +419,8 @@ class VirtualValue(RegistryValue):
|
|
405
419
|
return self._value
|
406
420
|
|
407
421
|
@property
|
408
|
-
def type(self) ->
|
409
|
-
return
|
422
|
+
def type(self) -> RegistryValueType:
|
423
|
+
return RegistryValueType.NONE
|
410
424
|
|
411
425
|
|
412
426
|
class HiveCollection(RegistryHive):
|
@@ -683,8 +697,8 @@ class RegfValue(RegistryValue):
|
|
683
697
|
return self.kv.value
|
684
698
|
|
685
699
|
@property
|
686
|
-
def type(self) ->
|
687
|
-
return self.kv.type
|
700
|
+
def type(self) -> RegistryValueType:
|
701
|
+
return RegistryValueType(self.kv.type)
|
688
702
|
|
689
703
|
|
690
704
|
class RegFlex:
|
@@ -750,17 +764,22 @@ class RegFlexKey(VirtualKey):
|
|
750
764
|
|
751
765
|
class RegFlexValue(VirtualValue):
|
752
766
|
def __init__(self, hive: RegistryHive, name: str, value: ValueType):
|
753
|
-
self._parsed_value = None
|
754
767
|
super().__init__(hive, name, value)
|
755
768
|
|
769
|
+
@cached_property
|
770
|
+
def _parse(self) -> tuple[RegistryValueType, ValueType]:
|
771
|
+
return parse_flex_value(self._value)
|
772
|
+
|
756
773
|
@property
|
757
774
|
def value(self) -> ValueType:
|
758
|
-
|
759
|
-
|
760
|
-
|
775
|
+
return self._parse[1]
|
776
|
+
|
777
|
+
@property
|
778
|
+
def type(self) -> RegistryValueType:
|
779
|
+
return self._parse[0]
|
761
780
|
|
762
781
|
|
763
|
-
def parse_flex_value(value: str) -> ValueType:
|
782
|
+
def parse_flex_value(value: str) -> tuple[RegistryValueType, ValueType]:
|
764
783
|
"""Parse values from text registry exports.
|
765
784
|
|
766
785
|
Args:
|
@@ -770,31 +789,31 @@ def parse_flex_value(value: str) -> ValueType:
|
|
770
789
|
NotImplementedError: If ``value`` is not of a supported type for parsing.
|
771
790
|
"""
|
772
791
|
if value.startswith('"'):
|
773
|
-
return value.strip('"')
|
792
|
+
return RegistryValueType.SZ, value.strip('"')
|
774
793
|
|
775
794
|
vtype, _, value = value.partition(":")
|
776
795
|
if vtype == "dword":
|
777
|
-
return
|
796
|
+
return RegistryValueType.DWORD, int.from_bytes(bytes.fromhex(value), "big", signed=True)
|
778
797
|
elif "hex" in vtype:
|
779
798
|
value = bytes.fromhex(value.replace(",", ""))
|
780
799
|
if vtype == "hex":
|
781
|
-
return value
|
800
|
+
return RegistryValueType.BINARY, value
|
782
801
|
|
783
802
|
# hex(T)
|
784
803
|
# These values match regf type values
|
785
804
|
vtype = int(vtype[4:5], 16)
|
786
805
|
if vtype == regf.REG_NONE:
|
787
|
-
|
806
|
+
decoded = value if value else None
|
788
807
|
elif vtype == regf.REG_SZ:
|
789
|
-
|
808
|
+
decoded = regf.try_decode_sz(value)
|
790
809
|
elif vtype == regf.REG_EXPAND_SZ:
|
791
|
-
|
810
|
+
decoded = regf.try_decode_sz(value)
|
792
811
|
elif vtype == regf.REG_BINARY:
|
793
|
-
|
812
|
+
decoded = value
|
794
813
|
elif vtype == regf.REG_DWORD:
|
795
|
-
|
814
|
+
decoded = int.from_bytes(value, "little", signed=False)
|
796
815
|
elif vtype == regf.REG_DWORD_BIG_ENDIAN:
|
797
|
-
|
816
|
+
decoded = int.from_bytes(value, "big", signed=False)
|
798
817
|
elif vtype == regf.REG_MULTI_SZ:
|
799
818
|
d = BytesIO(value)
|
800
819
|
|
@@ -806,11 +825,12 @@ def parse_flex_value(value: str) -> ValueType:
|
|
806
825
|
|
807
826
|
r.append(s)
|
808
827
|
|
809
|
-
|
828
|
+
decoded = r
|
810
829
|
elif vtype == regf.REG_QWORD:
|
811
|
-
|
830
|
+
decoded = int.from_bytes(value, "big", signed=False)
|
812
831
|
else:
|
813
832
|
raise NotImplementedError(f"Registry flex value type {vtype}")
|
833
|
+
return RegistryValueType(vtype), decoded
|
814
834
|
|
815
835
|
|
816
836
|
def has_glob_magic(pattern: str) -> bool:
|
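Review bot: `RegfValue.type` now returns `RegistryValueType(self.kv.type)`, and an `IntEnum` constructor raises `ValueError` for any integer that is not a member, so reading `.type` on a hive value whose type field falls outside the ten listed constants becomes an exception where the old code returned `self.kv.type`. Assuming `regf` follows the Windows numbering, the enum as added has no member for 6 or 8 (the gap between `MULTI_SZ` and `FULL_RESOURCE_DESCRIPTOR`), and hive files are evidence whose type field can hold arbitrary values, so this looks reachable on real input. Consider keeping the property total, for example `try: return RegistryValueType(self.kv.type)` / `except ValueError: return self.kv.type` with the annotation widened to `RegistryValueType | int`, or a `_missing_` hook on the enum. The final `return RegistryValueType(vtype), decoded` in `parse_flex_value` sits behind the `else: raise NotImplementedError` branch, so it should not be affected. The bodies of `RegfValue` and the other classes continue outside the hunks shown.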
@@ -1,6 +1,6 @@
|
|
1
1
|
Metadata-Version: 2.1
|
2
2
|
Name: dissect.target
|
3
|
-
Version: 3.20.
|
3
|
+
Version: 3.20.dev29
|
4
4
|
Summary: This module ties all other Dissect modules together, it provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets)
|
5
5
|
Author-email: Dissect Team <dissect@fox-it.com>
|
6
6
|
License: Affero General Public License v3
|
@@ -62,7 +62,7 @@ dissect/target/helpers/polypath.py,sha256=h8p7m_OCNiQljGwoZh5Aflr9H2ot6CZr6WKq1O
|
|
62
62
|
dissect/target/helpers/protobuf.py,sha256=b4DsnqrRLrefcDjx7rQno-_LBcwtJXxuKf5RdOegzfE,1537
|
63
63
|
dissect/target/helpers/record.py,sha256=7Se6ZV8cvwEaGSjRd9bKhVnUAn4W4KR2eqP6AbQhTH4,5892
|
64
64
|
dissect/target/helpers/record_modifier.py,sha256=O_Jj7zOi891HIyAYjxxe6LFPYETHdMa5lNjo4NA_T_w,3969
|
65
|
-
dissect/target/helpers/regutil.py,sha256=
|
65
|
+
dissect/target/helpers/regutil.py,sha256=ti-ht2N9UxbMjhUBP2bybY76_dAvbCz0txPBszvSKVw,28171
|
66
66
|
dissect/target/helpers/shell_application_ids.py,sha256=hYxrP-YtHK7ZM0ectJFHfoMB8QUXLbYNKmKXMWLZRlA,38132
|
67
67
|
dissect/target/helpers/shell_folder_ids.py,sha256=Behhb8oh0kMxrEk6YYKYigCDZe8Hw5QS6iK_d2hTs2Y,24978
|
68
68
|
dissect/target/helpers/utils.py,sha256=K3xVq9D0FwIhTBAuiWN8ph7Pq2GABgG3hOz-3AmKuEA,4244
|
@@ -369,10 +369,10 @@ dissect/target/volumes/luks.py,sha256=OmCMsw6rCUXG1_plnLVLTpsvE1n_6WtoRUGQbpmu1z
|
|
369
369
|
dissect/target/volumes/lvm.py,sha256=wwQVR9I3G9YzmY6UxFsH2Y4MXGBcKL9aayWGCDTiWMU,2269
|
370
370
|
dissect/target/volumes/md.py,sha256=7ShPtusuLGaIv27SvEETtgsuoQyAa4iAAeOR1NEaajI,1689
|
371
371
|
dissect/target/volumes/vmfs.py,sha256=-LoUbn9WNwTtLi_4K34uV_-wDw2W5hgaqxZNj4UmqAQ,1730
|
372
|
-
dissect.target-3.20.
|
373
|
-
dissect.target-3.20.
|
374
|
-
dissect.target-3.20.
|
375
|
-
dissect.target-3.20.
|
376
|
-
dissect.target-3.20.
|
377
|
-
dissect.target-3.20.
|
378
|
-
dissect.target-3.20.
|
372
|
+
dissect.target-3.20.dev29.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
|
373
|
+
dissect.target-3.20.dev29.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
|
374
|
+
dissect.target-3.20.dev29.dist-info/METADATA,sha256=5QkftvpVFTGaJunkmrOrcd8izTwayNKC5WbTqXhcMn8,12897
|
375
|
+
dissect.target-3.20.dev29.dist-info/WHEEL,sha256=GV9aMThwP_4oNCtvEC2ec3qUYutgWeAzklro_0m4WJQ,91
|
376
|
+
dissect.target-3.20.dev29.dist-info/entry_points.txt,sha256=BWuxAb_6AvUAQpIQOQU0IMTlaF6TDht2AIZK8bHd-zE,492
|
377
|
+
dissect.target-3.20.dev29.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
|
378
|
+
dissect.target-3.20.dev29.dist-info/RECORD,,
|
File without changes
|
File without changes
|
File without changes
|
{dissect.target-3.20.dev28.dist-info → dissect.target-3.20.dev29.dist-info}/entry_points.txt
RENAMED
File without changes
|
File without changes
|