dissect.target 3.20.dev28__py3-none-any.whl → 3.20.dev30__py3-none-any.whl

@@ -3,9 +3,10 @@ from __future__ import annotations
3
3
 
4
4
  import fnmatch
5
5
  import re
6
- import struct
7
6
  from collections import defaultdict
8
7
  from datetime import datetime
8
+ from enum import IntEnum
9
+ from functools import cached_property
9
10
  from io import BytesIO
10
11
  from pathlib import Path
11
12
  from typing import BinaryIO, Iterator, Optional, TextIO, Union
@@ -28,6 +29,19 @@ ValueType = Union[int, str, bytes, list[str]]
28
29
  """The possible value types that can be returned from the registry."""
29
30
 
30
31
 
32
+ class RegistryValueType(IntEnum):
33
+ NONE = regf.REG_NONE
34
+ SZ = regf.REG_SZ
35
+ EXPAND_SZ = regf.REG_EXPAND_SZ
36
+ BINARY = regf.REG_BINARY
37
+ DWORD = regf.REG_DWORD
38
+ DWORD_BIG_ENDIAN = regf.REG_DWORD_BIG_ENDIAN
39
+ MULTI_SZ = regf.REG_MULTI_SZ
40
+ FULL_RESOURCE_DESCRIPTOR = regf.REG_FULL_RESOURCE_DESCRIPTOR
41
+ RESOURCE_REQUIREMENTS_LIST = regf.REG_RESOURCE_REQUIREMENTS_LIST
42
+ QWORD = regf.REG_QWORD
43
+
44
+
31
45
  class RegistryHive:
32
46
  """Base class for registry hives."""
33
47
 
@@ -405,8 +419,8 @@ class VirtualValue(RegistryValue):
405
419
  return self._value
406
420
 
407
421
  @property
408
- def type(self) -> int:
409
- return None
422
+ def type(self) -> RegistryValueType:
423
+ return RegistryValueType.NONE
410
424
 
411
425
 
412
426
  class HiveCollection(RegistryHive):
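Review bot: `VirtualValue.type` now returns `RegistryValueType.NONE`, so a virtual value that has no on-disk type at all can no longer be told apart from a genuine REG_NONE value, where the old code returned `None`. If the placeholder is intentional, the property should say so, for example with the docstring `"""Virtual values carry no stored type; REG_NONE is reported as a placeholder."""`. Callers that previously tested `value.type is None` would also need updating, though none are visible in this diff. The class body starts outside the hunk.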
@@ -683,8 +697,8 @@ class RegfValue(RegistryValue):
683
697
  return self.kv.value
684
698
 
685
699
  @property
686
- def type(self) -> int:
687
- return self.kv.type
700
+ def type(self) -> RegistryValueType:
701
+ return RegistryValueType(self.kv.type)
688
702
 
689
703
 
690
704
  class RegFlex:
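Review bot: `RegistryValueType(self.kv.type)` in `RegfValue.type` raises `ValueError` for any type number that is not a member of the new enum, and the enum as added lists only ten members, leaving out the standard Windows types REG_LINK (6) and REG_RESOURCE_LIST (8). Hive contents come from the system under investigation and can hold arbitrary type numbers, so a single odd value could abort whatever is iterating over values and hide the rest from the analyst. Either add the missing members and give the enum a `_missing_` fallback, or keep the raw number here with `try: return RegistryValueType(self.kv.type)` / `except ValueError: return self.kv.type` and widen the annotation to `RegistryValueType | int`. The class body starts outside the hunk.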
@@ -750,17 +764,22 @@ class RegFlexKey(VirtualKey):
750
764
 
751
765
  class RegFlexValue(VirtualValue):
752
766
  def __init__(self, hive: RegistryHive, name: str, value: ValueType):
753
- self._parsed_value = None
754
767
  super().__init__(hive, name, value)
755
768
 
769
+ @cached_property
770
+ def _parse(self) -> tuple[RegistryValueType, ValueType]:
771
+ return parse_flex_value(self._value)
772
+
756
773
  @property
757
774
  def value(self) -> ValueType:
758
- if not self._parsed_value:
759
- self._parsed_value = parse_flex_value(self._value)
760
- return self._parsed_value
775
+ return self._parse[1]
776
+
777
+ @property
778
+ def type(self) -> RegistryValueType:
779
+ return self._parse[0]
761
780
 
762
781
 
763
- def parse_flex_value(value: str) -> ValueType:
782
+ def parse_flex_value(value: str) -> tuple[RegistryValueType, ValueType]:
764
783
  """Parse values from text registry exports.
765
784
 
766
785
  Args:
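Review bot: `parse_flex_value` now returns a `(RegistryValueType, value)` tuple instead of the bare value, which silently changes the contract for any caller outside this file; the docstring visible at the end of the hunk begins with `Args:`, and its Returns section, if there is one, lies outside the hunk, so it should be checked to describe the tuple. The cached property `_parse` is named like a method although it holds a result; `_parsed` would read better at the call sites `self._parsed[0]` and `self._parsed[1]`. A short comment such as `# (type, value) pair, parsed once on first access` would also help. A parse error is not cached by `cached_property`, so a malformed value raises again on each access to `.value` or `.type`.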
@@ -770,31 +789,31 @@ def parse_flex_value(value: str) -> ValueType:
770
789
  NotImplementedError: If ``value`` is not of a supported type for parsing.
771
790
  """
772
791
  if value.startswith('"'):
773
- return value.strip('"')
792
+ return RegistryValueType.SZ, value.strip('"')
774
793
 
775
794
  vtype, _, value = value.partition(":")
776
795
  if vtype == "dword":
777
- return struct.unpack(">i", bytes.fromhex(value))[0]
796
+ return RegistryValueType.DWORD, int.from_bytes(bytes.fromhex(value), "big", signed=True)
778
797
  elif "hex" in vtype:
779
798
  value = bytes.fromhex(value.replace(",", ""))
780
799
  if vtype == "hex":
781
- return value
800
+ return RegistryValueType.BINARY, value
782
801
 
783
802
  # hex(T)
784
803
  # These values match regf type values
785
804
  vtype = int(vtype[4:5], 16)
786
805
  if vtype == regf.REG_NONE:
787
- return value if value else None
806
+ decoded = value if value else None
788
807
  elif vtype == regf.REG_SZ:
789
- return regf.try_decode_sz(value)
808
+ decoded = regf.try_decode_sz(value)
790
809
  elif vtype == regf.REG_EXPAND_SZ:
791
- return regf.try_decode_sz(value)
810
+ decoded = regf.try_decode_sz(value)
792
811
  elif vtype == regf.REG_BINARY:
793
- return value
812
+ decoded = value
794
813
  elif vtype == regf.REG_DWORD:
795
- return struct.unpack("<I", value)[0]
814
+ decoded = int.from_bytes(value, "little", signed=False)
796
815
  elif vtype == regf.REG_DWORD_BIG_ENDIAN:
797
- return struct.unpack(">I", value)[0]
816
+ decoded = int.from_bytes(value, "big", signed=False)
798
817
  elif vtype == regf.REG_MULTI_SZ:
799
818
  d = BytesIO(value)
800
819
 
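Review bot: The `int.from_bytes` calls in the `REG_DWORD` and `REG_DWORD_BIG_ENDIAN` branches accept input of any length, whereas the `struct.unpack("<I", …)` and `struct.unpack(">I", …)` calls they replace raised on anything other than four bytes. A truncated or oversized `hex(4):` value in an export now decodes silently to a number that is not a valid DWORD (an empty value becomes 0). The same applies to the `dword:` branch above and to the `REG_QWORD` branch in the next hunk. Since these exports can come from an untrusted system, keep the length check before decoding, e.g. `if len(value) != 4: raise ValueError(f"Invalid DWORD length: {len(value)}")`. The function starts before this hunk and continues after it.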
@@ -806,11 +825,12 @@ def parse_flex_value(value: str) -> ValueType:
806
825
 
807
826
  r.append(s)
808
827
 
809
- return r
828
+ decoded = r
810
829
  elif vtype == regf.REG_QWORD:
811
- return struct.unpack(">Q", value)[0]
830
+ decoded = int.from_bytes(value, "big", signed=False)
812
831
  else:
813
832
  raise NotImplementedError(f"Registry flex value type {vtype}")
833
+ return RegistryValueType(vtype), decoded
814
834
 
815
835
 
816
836
  def has_glob_magic(pattern: str) -> bool:
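Review bot: The `REG_QWORD` branch decodes with `"big"`, while the `REG_DWORD` branch in the previous hunk decodes `hex(4)` data as little-endian. Windows defines REG_QWORD as a 64-bit little-endian number, so this looks like a byte-order bug carried over from the old `">Q"` format rather than a deliberate choice. If no caller depends on the current result, `decoded = int.from_bytes(value, "little", signed=False)` would be consistent with the DWORD handling. The function starts outside this hunk.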
@@ -1431,7 +1431,7 @@ def target_shell(targets: list[Target], cli_cls: type[TargetCmd], commands: list
1431
1431
  run_cli(cli)
1432
1432
 
1433
1433
 
1434
- def python_shell(targets: list[Target], commands: list[str] | None) -> None:
1434
+ def python_shell(targets: list[Target], commands: list[str] | None = None) -> None:
1435
1435
  """Helper method for starting a (I)Python shell with multiple targets."""
1436
1436
  banner = "Loaded targets in 'targets' variable. First target is in 't'."
1437
1437
  ns = {"targets": targets, "t": targets[0]}
@@ -1,6 +1,6 @@
1
1
  Metadata-Version: 2.1
2
2
  Name: dissect.target
3
- Version: 3.20.dev28
3
+ Version: 3.20.dev30
4
4
  Summary: This module ties all other Dissect modules together, it provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets)
5
5
  Author-email: Dissect Team <dissect@fox-it.com>
6
6
  License: Affero General Public License v3
@@ -62,7 +62,7 @@ dissect/target/helpers/polypath.py,sha256=h8p7m_OCNiQljGwoZh5Aflr9H2ot6CZr6WKq1O
62
62
  dissect/target/helpers/protobuf.py,sha256=b4DsnqrRLrefcDjx7rQno-_LBcwtJXxuKf5RdOegzfE,1537
63
63
  dissect/target/helpers/record.py,sha256=7Se6ZV8cvwEaGSjRd9bKhVnUAn4W4KR2eqP6AbQhTH4,5892
64
64
  dissect/target/helpers/record_modifier.py,sha256=O_Jj7zOi891HIyAYjxxe6LFPYETHdMa5lNjo4NA_T_w,3969
65
- dissect/target/helpers/regutil.py,sha256=kX-sSZbW8Qkg29Dn_9zYbaQrwLumrr4Y8zJ1EhHXIAM,27337
65
+ dissect/target/helpers/regutil.py,sha256=ti-ht2N9UxbMjhUBP2bybY76_dAvbCz0txPBszvSKVw,28171
66
66
  dissect/target/helpers/shell_application_ids.py,sha256=hYxrP-YtHK7ZM0ectJFHfoMB8QUXLbYNKmKXMWLZRlA,38132
67
67
  dissect/target/helpers/shell_folder_ids.py,sha256=Behhb8oh0kMxrEk6YYKYigCDZe8Hw5QS6iK_d2hTs2Y,24978
68
68
  dissect/target/helpers/utils.py,sha256=K3xVq9D0FwIhTBAuiWN8ph7Pq2GABgG3hOz-3AmKuEA,4244
@@ -354,7 +354,7 @@ dissect/target/tools/logging.py,sha256=5ZnumtMWLyslxfrUGZ4ntRyf3obOOhmn8SBjKfdLc
354
354
  dissect/target/tools/mount.py,sha256=8GRYnu4xEmFBHxuIZAYhOMyyTGX8fat1Ou07DNiUnW4,3945
355
355
  dissect/target/tools/query.py,sha256=e-yAN9zdQjuOiTuoOQoo17mVEQGGcOgaA9YkF4GYpkM,15394
356
356
  dissect/target/tools/reg.py,sha256=FDsiBBDxjWVUBTRj8xn82vZe-J_d9piM-TKS3PHZCcM,3193
357
- dissect/target/tools/shell.py,sha256=EBGuQS2PDfDgLPghgAjK1G7zoAjm2Gu6eZ9yz0qsuk4,54198
357
+ dissect/target/tools/shell.py,sha256=PUKlzJYG-xmbklpNm9Sm8YRMITQYrPzScnRs2Ut3GCA,54205
358
358
  dissect/target/tools/utils.py,sha256=JJZDSso1CEK2sv4Z3HJNgqxH6G9S5lbmV-C3h-XmcMo,12035
359
359
  dissect/target/tools/yara.py,sha256=70k-2VMulf1EdkX03nCACzejaOEcsFHOyX-4E40MdQU,2044
360
360
  dissect/target/tools/dump/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -369,10 +369,10 @@ dissect/target/volumes/luks.py,sha256=OmCMsw6rCUXG1_plnLVLTpsvE1n_6WtoRUGQbpmu1z
369
369
  dissect/target/volumes/lvm.py,sha256=wwQVR9I3G9YzmY6UxFsH2Y4MXGBcKL9aayWGCDTiWMU,2269
370
370
  dissect/target/volumes/md.py,sha256=7ShPtusuLGaIv27SvEETtgsuoQyAa4iAAeOR1NEaajI,1689
371
371
  dissect/target/volumes/vmfs.py,sha256=-LoUbn9WNwTtLi_4K34uV_-wDw2W5hgaqxZNj4UmqAQ,1730
372
- dissect.target-3.20.dev28.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
373
- dissect.target-3.20.dev28.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
374
- dissect.target-3.20.dev28.dist-info/METADATA,sha256=KaInzlw-bjxrdEkeFM3pb6BDAM8IBEP6atLJ3wjH_d4,12897
375
- dissect.target-3.20.dev28.dist-info/WHEEL,sha256=GV9aMThwP_4oNCtvEC2ec3qUYutgWeAzklro_0m4WJQ,91
376
- dissect.target-3.20.dev28.dist-info/entry_points.txt,sha256=BWuxAb_6AvUAQpIQOQU0IMTlaF6TDht2AIZK8bHd-zE,492
377
- dissect.target-3.20.dev28.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
378
- dissect.target-3.20.dev28.dist-info/RECORD,,
372
+ dissect.target-3.20.dev30.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
373
+ dissect.target-3.20.dev30.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
374
+ dissect.target-3.20.dev30.dist-info/METADATA,sha256=MmnIwD9iA43ivjxZv0F1VRMWpjOTNIv0NNnRqyq85C4,12897
375
+ dissect.target-3.20.dev30.dist-info/WHEEL,sha256=GV9aMThwP_4oNCtvEC2ec3qUYutgWeAzklro_0m4WJQ,91
376
+ dissect.target-3.20.dev30.dist-info/entry_points.txt,sha256=BWuxAb_6AvUAQpIQOQU0IMTlaF6TDht2AIZK8bHd-zE,492
377
+ dissect.target-3.20.dev30.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
378
+ dissect.target-3.20.dev30.dist-info/RECORD,,