dissect.target 3.20.dev36__py3-none-any.whl → 3.20.dev39__py3-none-any.whl
Sign up to get free protection for your applications and to get access to all the features.
- dissect/target/filesystems/config.py +1 -1
- dissect/target/helpers/compat/path_common.py +5 -5
- dissect/target/helpers/configutil.py +31 -29
- dissect/target/helpers/cyber.py +2 -0
- dissect/target/helpers/docs.py +1 -1
- dissect/target/helpers/keychain.py +2 -0
- dissect/target/helpers/mount.py +2 -1
- dissect/target/plugin.py +15 -13
- dissect/target/plugins/apps/av/mcafee.py +2 -0
- dissect/target/plugins/apps/av/sophos.py +2 -0
- dissect/target/plugins/apps/av/trendmicro.py +2 -0
- dissect/target/plugins/apps/browser/chromium.py +27 -6
- dissect/target/plugins/apps/editor/editor.py +23 -0
- dissect/target/plugins/apps/{texteditor → editor}/windowsnotepad.py +40 -31
- dissect/target/plugins/apps/shell/powershell.py +6 -2
- dissect/target/plugins/apps/shell/wget.py +1 -1
- dissect/target/plugins/apps/ssh/openssh.py +2 -0
- dissect/target/plugins/apps/ssh/opensshd.py +2 -0
- dissect/target/plugins/apps/vpn/wireguard.py +9 -9
- dissect/target/plugins/apps/webhosting/cpanel.py +2 -0
- dissect/target/plugins/apps/webserver/caddy.py +2 -0
- dissect/target/plugins/apps/webserver/nginx.py +2 -0
- dissect/target/plugins/child/esxi.py +3 -1
- dissect/target/plugins/child/virtuozzo.py +12 -8
- dissect/target/plugins/filesystem/acquire_hash.py +2 -1
- dissect/target/plugins/filesystem/icat.py +15 -11
- dissect/target/plugins/filesystem/ntfs/mft.py +2 -0
- dissect/target/plugins/filesystem/ntfs/mft_timeline.py +3 -1
- dissect/target/plugins/filesystem/ntfs/usnjrnl.py +2 -0
- dissect/target/plugins/filesystem/ntfs/utils.py +3 -1
- dissect/target/plugins/filesystem/unix/suid.py +4 -1
- dissect/target/plugins/filesystem/walkfs.py +2 -0
- dissect/target/plugins/general/example.py +2 -2
- dissect/target/plugins/general/loaders.py +1 -1
- dissect/target/plugins/general/network.py +7 -0
- dissect/target/plugins/general/osinfo.py +1 -0
- dissect/target/plugins/general/plugins.py +4 -0
- dissect/target/plugins/os/unix/_os.py +2 -1
- dissect/target/plugins/os/unix/bsd/citrix/history.py +2 -0
- dissect/target/plugins/os/unix/bsd/osx/network.py +2 -0
- dissect/target/plugins/os/unix/bsd/osx/user.py +4 -0
- dissect/target/plugins/os/unix/cronjobs.py +8 -4
- dissect/target/plugins/os/unix/etc/etc.py +4 -0
- dissect/target/plugins/os/unix/generic.py +2 -0
- dissect/target/plugins/os/unix/history.py +27 -25
- dissect/target/plugins/os/unix/linux/cmdline.py +2 -0
- dissect/target/plugins/os/unix/linux/debian/apt.py +4 -1
- dissect/target/plugins/os/unix/linux/debian/dpkg.py +3 -3
- dissect/target/plugins/os/unix/linux/environ.py +2 -0
- dissect/target/plugins/os/unix/linux/fortios/generic.py +2 -0
- dissect/target/plugins/os/unix/linux/fortios/locale.py +2 -0
- dissect/target/plugins/os/unix/linux/modules.py +2 -0
- dissect/target/plugins/os/unix/linux/netstat.py +2 -0
- dissect/target/plugins/os/unix/linux/processes.py +2 -0
- dissect/target/plugins/os/unix/linux/redhat/yum.py +4 -1
- dissect/target/plugins/os/unix/linux/services.py +5 -3
- dissect/target/plugins/os/unix/linux/sockets.py +2 -0
- dissect/target/plugins/os/unix/linux/suse/zypper.py +4 -1
- dissect/target/plugins/os/unix/locale.py +2 -0
- dissect/target/plugins/os/unix/locate/gnulocate.py +4 -2
- dissect/target/plugins/os/unix/locate/mlocate.py +2 -0
- dissect/target/plugins/os/unix/locate/plocate.py +3 -1
- dissect/target/plugins/os/unix/log/atop.py +2 -0
- dissect/target/plugins/os/unix/log/audit.py +3 -1
- dissect/target/plugins/os/unix/log/auth.py +4 -2
- dissect/target/plugins/os/unix/log/lastlog.py +5 -3
- dissect/target/plugins/os/unix/log/messages.py +2 -0
- dissect/target/plugins/os/unix/log/utmp.py +4 -2
- dissect/target/plugins/os/unix/packagemanager.py +4 -37
- dissect/target/plugins/os/unix/shadow.py +3 -1
- dissect/target/plugins/os/unix/trash.py +1 -1
- dissect/target/plugins/os/windows/activitiescache.py +9 -4
- dissect/target/plugins/os/windows/adpolicy.py +2 -1
- dissect/target/plugins/os/windows/amcache.py +16 -13
- dissect/target/plugins/os/windows/defender.py +3 -3
- dissect/target/plugins/os/windows/dpapi/keyprovider/credhist.py +3 -0
- dissect/target/plugins/os/windows/dpapi/keyprovider/empty.py +3 -0
- dissect/target/plugins/os/windows/dpapi/keyprovider/keychain.py +3 -0
- dissect/target/plugins/os/windows/dpapi/keyprovider/lsa.py +3 -0
- dissect/target/plugins/os/windows/env.py +1 -2
- dissect/target/plugins/os/windows/exchange/exchange.py +6 -4
- dissect/target/plugins/os/windows/generic.py +20 -18
- dissect/target/plugins/os/windows/lnk.py +2 -0
- dissect/target/plugins/os/windows/locale.py +9 -3
- dissect/target/plugins/os/windows/log/etl.py +5 -4
- dissect/target/plugins/os/windows/log/evt.py +12 -8
- dissect/target/plugins/os/windows/log/evtx.py +9 -7
- dissect/target/plugins/os/windows/log/pfro.py +2 -1
- dissect/target/plugins/os/windows/network.py +2 -0
- dissect/target/plugins/os/windows/notifications.py +6 -4
- dissect/target/plugins/os/windows/prefetch.py +7 -2
- dissect/target/plugins/os/windows/regf/7zip.py +9 -1
- dissect/target/plugins/os/windows/regf/auditpol.py +2 -1
- dissect/target/plugins/os/windows/regf/bam.py +3 -1
- dissect/target/plugins/os/windows/regf/cit.py +14 -12
- dissect/target/plugins/os/windows/regf/clsid.py +6 -3
- dissect/target/plugins/os/windows/regf/firewall.py +2 -1
- dissect/target/plugins/os/windows/regf/mru.py +9 -8
- dissect/target/plugins/os/windows/regf/nethist.py +6 -3
- dissect/target/plugins/os/windows/regf/recentfilecache.py +3 -1
- dissect/target/plugins/os/windows/regf/regf.py +5 -1
- dissect/target/plugins/os/windows/regf/shimcache.py +1 -1
- dissect/target/plugins/os/windows/regf/usb.py +2 -1
- dissect/target/plugins/os/windows/regf/userassist.py +2 -1
- dissect/target/plugins/os/windows/registry.py +11 -0
- dissect/target/plugins/os/windows/services.py +3 -2
- dissect/target/plugins/os/windows/startupinfo.py +7 -2
- dissect/target/plugins/os/windows/syscache.py +3 -1
- dissect/target/plugins/os/windows/tasks.py +1 -1
- dissect/target/plugins/os/windows/thumbcache.py +11 -5
- dissect/target/plugins/os/windows/ual.py +12 -9
- dissect/target/plugins/os/windows/wua_history.py +0 -1
- dissect/target/tools/dump/utils.py +4 -0
- dissect/target/tools/shell.py +2 -1
- {dissect.target-3.20.dev36.dist-info → dissect.target-3.20.dev39.dist-info}/METADATA +1 -1
- {dissect.target-3.20.dev36.dist-info → dissect.target-3.20.dev39.dist-info}/RECORD +122 -123
- dissect/target/plugins/apps/texteditor/texteditor.py +0 -13
- dissect/target/plugins/os/unix/etc.py +0 -9
- /dissect/target/plugins/apps/{texteditor → editor}/__init__.py +0 -0
- {dissect.target-3.20.dev36.dist-info → dissect.target-3.20.dev39.dist-info}/COPYRIGHT +0 -0
- {dissect.target-3.20.dev36.dist-info → dissect.target-3.20.dev39.dist-info}/LICENSE +0 -0
- {dissect.target-3.20.dev36.dist-info → dissect.target-3.20.dev39.dist-info}/WHEEL +0 -0
- {dissect.target-3.20.dev36.dist-info → dissect.target-3.20.dev39.dist-info}/entry_points.txt +0 -0
- {dissect.target-3.20.dev36.dist-info → dissect.target-3.20.dev39.dist-info}/top_level.txt +0 -0
@@ -133,7 +133,7 @@ class ConfigurationEntry(FilesystemEntry):
|
|
133
133
|
Behaves like a ``directory`` when :attr:`parser_items` is a :class:`.ConfigurationParser` or a ``dict``.
|
134
134
|
Behaves like a ``file`` otherwise.
|
135
135
|
|
136
|
-
|
136
|
+
Args:
|
137
137
|
parser_items: A dict-like object containing all configuration entries and values.
|
138
138
|
In most cases this is either a :class:`.ConfigurationParser` or ``dict``.
|
139
139
|
Otherwise, its the entry's value
|
@@ -56,11 +56,11 @@ class _DissectScandirIterator:
|
|
56
56
|
|
57
57
|
The _DissectScandirIterator provides a context manager, so scandir can be called as:
|
58
58
|
|
59
|
-
|
60
|
-
|
61
|
-
|
62
|
-
|
63
|
-
|
59
|
+
.. code-block:: python
|
60
|
+
|
61
|
+
with scandir(path) as it:
|
62
|
+
for entry in it
|
63
|
+
print(entry.name)
|
64
64
|
|
65
65
|
similar to os.scandir() behaviour since Python 3.6.
|
66
66
|
"""
|
@@ -69,9 +69,7 @@ def _update_dictionary(current: dict[str, Any], key: str, value: Any) -> None:
|
|
69
69
|
|
70
70
|
|
71
71
|
class PeekableIterator:
|
72
|
-
|
73
|
-
https://more-itertools.readthedocs.io/en/stable/_modules/more_itertools/more.html#peekable
|
74
|
-
"""
|
72
|
+
# https://more-itertools.readthedocs.io/en/stable/_modules/more_itertools/more.html#peekable
|
75
73
|
|
76
74
|
def __init__(self, iterable):
|
77
75
|
self._iterator = iter(iterable)
|
@@ -98,9 +96,6 @@ class PeekableIterator:
|
|
98
96
|
class ConfigurationParser:
|
99
97
|
"""A configuration parser where you can configure certain aspects of the parsing mechanism.
|
100
98
|
|
101
|
-
Attributes:
|
102
|
-
parsed_data: The resulting dictionary after parsing.
|
103
|
-
|
104
99
|
Args:
|
105
100
|
collapse: A ``bool`` or an ``Iterator``:
|
106
101
|
If ``True``: it will collapse all the resulting dictionary values.
|
@@ -195,6 +190,8 @@ class Default(ConfigurationParser):
|
|
195
190
|
|
196
191
|
This parser splits only on the first ``separator`` it finds:
|
197
192
|
|
193
|
+
.. code-block::
|
194
|
+
|
198
195
|
key<separator>value -> {"key": "value"}
|
199
196
|
|
200
197
|
key<separator>value\n
|
@@ -316,7 +313,7 @@ class Bin(ConfigurationParser):
|
|
316
313
|
|
317
314
|
|
318
315
|
class Xml(ConfigurationParser):
|
319
|
-
"""Parses an XML file. Ignores any constructor parameters passed from ``ConfigurationParser
|
316
|
+
"""Parses an XML file. Ignores any constructor parameters passed from ``ConfigurationParser``."""
|
320
317
|
|
321
318
|
def _tree(self, tree: ElementTree, root: bool = False) -> dict:
|
322
319
|
"""Very simple but robust xml -> dict implementation, see comments."""
|
@@ -395,8 +392,9 @@ class ListUnwrapper:
|
|
395
392
|
def unwrap(data: Union[dict, list]) -> Union[dict, list]:
|
396
393
|
"""Transforms a list with dictionaries to a dictionary.
|
397
394
|
|
398
|
-
The order of the list is preserved. If no dictionary is found,
|
399
|
-
|
395
|
+
The order of the list is preserved. If no dictionary is found, the list remains untouched:
|
396
|
+
|
397
|
+
.. code-block::
|
400
398
|
|
401
399
|
["value1", "value2"] -> ["value1", "value2"]
|
402
400
|
|
@@ -622,6 +620,8 @@ class Indentation(Default):
|
|
622
620
|
|
623
621
|
The parser parses this as the following:
|
624
622
|
|
623
|
+
.. code-block::
|
624
|
+
|
625
625
|
key value
|
626
626
|
key2 value2
|
627
627
|
-> {"key value": {"key2": "value2"}}
|
@@ -644,7 +644,7 @@ class Indentation(Default):
|
|
644
644
|
Args:
|
645
645
|
manager: A :class:`ScopeManager` that contains the logic to ``push`` and ``pop`` scopes. And keeps state.
|
646
646
|
line: The line to be parsed.
|
647
|
-
key: The key that should be updated during a :method:`ScopeManager.push
|
647
|
+
key: The key that should be updated during a :method:`ScopeManager.push`.
|
648
648
|
next_line: The next line to be parsed.
|
649
649
|
|
650
650
|
Returns:
|
@@ -694,26 +694,28 @@ class SystemD(Indentation):
|
|
694
694
|
"""A :class:`ConfigurationParser` that specifically parses systemd configuration files.
|
695
695
|
|
696
696
|
Examples:
|
697
|
-
>>> systemd_data = textwrap.dedent(
|
698
|
-
'''
|
699
|
-
[Section1]
|
700
|
-
Key=Value
|
701
|
-
[Section2]
|
702
|
-
Key2=Value 2\\
|
703
|
-
Value 2 continued
|
704
|
-
'''
|
705
|
-
)
|
706
|
-
>>> parser = SystemD(io.StringIO(systemd_data))
|
707
|
-
>>> parser.parser_items
|
708
|
-
{
|
709
|
-
"Section1": {
|
710
|
-
"Key": "Value
|
711
|
-
},
|
712
|
-
"Section2": {
|
713
|
-
"Key2": "Value2 Value 2 continued
|
714
|
-
}
|
715
|
-
}
|
716
697
|
|
698
|
+
.. code-block::
|
699
|
+
|
700
|
+
>>> systemd_data = textwrap.dedent(
|
701
|
+
'''
|
702
|
+
[Section1]
|
703
|
+
Key=Value
|
704
|
+
[Section2]
|
705
|
+
Key2=Value 2\\
|
706
|
+
Value 2 continued
|
707
|
+
'''
|
708
|
+
)
|
709
|
+
>>> parser = SystemD(io.StringIO(systemd_data))
|
710
|
+
>>> parser.parser_items
|
711
|
+
{
|
712
|
+
"Section1": {
|
713
|
+
"Key": "Value
|
714
|
+
},
|
715
|
+
"Section2": {
|
716
|
+
"Key2": "Value2 Value 2 continued
|
717
|
+
}
|
718
|
+
}
|
717
719
|
"""
|
718
720
|
|
719
721
|
def _change_scope(
|
dissect/target/helpers/cyber.py
CHANGED
dissect/target/helpers/docs.py
CHANGED
@@ -46,7 +46,7 @@ def get_real_func_obj(func: Callable) -> Tuple[Type, Callable]:
|
|
46
46
|
return (klass, func)
|
47
47
|
|
48
48
|
|
49
|
-
def get_docstring(obj: Any, placeholder=NO_DOCS) -> str:
|
49
|
+
def get_docstring(obj: Any, placeholder: str = NO_DOCS) -> str:
|
50
50
|
"""Get object's docstring or a placeholder if no docstring found"""
|
51
51
|
# Use of `inspect.cleandoc()` is preferred to `textwrap.dedent()` here
|
52
52
|
# because many multi-line docstrings in the codebase
|
dissect/target/helpers/mount.py
CHANGED
@@ -8,7 +8,6 @@ from dissect.util.feature import Feature, feature_enabled
|
|
8
8
|
|
9
9
|
from dissect.target.filesystem import Filesystem, FilesystemEntry
|
10
10
|
|
11
|
-
HAS_FUSE3 = False
|
12
11
|
if feature_enabled(Feature.BETA):
|
13
12
|
from fuse3 import FuseOSError, Operations
|
14
13
|
from fuse3.c_fuse import fuse_config_p, fuse_conn_info_p
|
@@ -20,6 +19,8 @@ else:
|
|
20
19
|
fuse_config_p = c_void_p
|
21
20
|
fuse_conn_info_p = c_void_p
|
22
21
|
|
22
|
+
HAS_FUSE3 = False
|
23
|
+
|
23
24
|
|
24
25
|
log = logging.getLogger(__name__)
|
25
26
|
|
dissect/target/plugin.py
CHANGED
@@ -1,6 +1,6 @@
|
|
1
1
|
"""Dissect plugin system.
|
2
2
|
|
3
|
-
See dissect/target/plugins/general/example.py for an example plugin.
|
3
|
+
See ``dissect/target/plugins/general/example.py`` for an example plugin.
|
4
4
|
"""
|
5
5
|
|
6
6
|
from __future__ import annotations
|
@@ -76,18 +76,19 @@ def export(*args, **kwargs) -> Callable:
|
|
76
76
|
Supported keyword arguments:
|
77
77
|
property (bool): Whether this export should be regarded as a property.
|
78
78
|
Properties are implicitly cached.
|
79
|
+
|
79
80
|
cache (bool): Whether the result of this function should be cached.
|
81
|
+
|
80
82
|
record (RecordDescriptor): The :class:`flow.record.RecordDescriptor` for the records that this function yields.
|
81
83
|
If the records are dynamically made, use DynamicRecord instead.
|
82
|
-
output (str): The output type of this function. Can be one of:
|
83
84
|
|
85
|
+
output (str): The output type of this function. Must be one of:
|
84
86
|
- default: Single return value
|
85
87
|
- record: Yields records. Implicit when record argument is given.
|
86
88
|
- yield: Yields printable values.
|
87
89
|
- none: No return value. Plugin is responsible for output formatting and should return ``None``.
|
88
90
|
|
89
91
|
The ``export`` decorator adds some additional private attributes to an exported method or property:
|
90
|
-
|
91
92
|
- ``__output__``: The output type to expect for this function, this is the same as ``output``.
|
92
93
|
- ``__record__``: The type of record to expect, this value is the same as ``record``.
|
93
94
|
- ``__exported__``: set to ``True`` to indicate the method or property is exported.
|
@@ -173,7 +174,7 @@ class Plugin:
|
|
173
174
|
class attribute. Namespacing results in your plugin needing to be prefixed
|
174
175
|
with this namespace when being called. For example, if your plugin has
|
175
176
|
specified ``test`` as namespace and a function called ``example``, you must
|
176
|
-
call your plugin with ``test.example
|
177
|
+
call your plugin with ``test.example``.
|
177
178
|
|
178
179
|
A ``Plugin`` class has the following private class attributes:
|
179
180
|
|
@@ -430,15 +431,13 @@ def register(plugincls: Type[Plugin]) -> None:
|
|
430
431
|
"""Register a plugin, and put related data inside :attr:`PLUGINS`.
|
431
432
|
|
432
433
|
This function uses the following private attributes that are set using decorators:
|
433
|
-
|
434
|
-
|
435
|
-
- ``__internal__``: Set in :func:`internal`.
|
434
|
+
- ``__exported__``: Set in :func:`export`.
|
435
|
+
- ``__internal__``: Set in :func:`internal`.
|
436
436
|
|
437
437
|
Additionally, ``register`` sets the following private attributes on the `plugincls`:
|
438
|
-
|
439
|
-
|
440
|
-
|
441
|
-
- ``__exports__``: A list of all the methods or properties that were explicitly exported.
|
438
|
+
- ``__plugin__``: Always set to ``True``.
|
439
|
+
- ``__functions__``: A list of all the methods and properties that are ``__internal__`` or ``__exported__``.
|
440
|
+
- ``__exports__``: A list of all the methods or properties that were explicitly exported.
|
442
441
|
|
443
442
|
Args:
|
444
443
|
plugincls: A plugin class to register.
|
@@ -1138,6 +1137,9 @@ class PluginFunction:
|
|
1138
1137
|
method_name: str
|
1139
1138
|
plugin_desc: PluginDescriptor = field(hash=False)
|
1140
1139
|
|
1140
|
+
def __repr__(self) -> str:
|
1141
|
+
return self.path
|
1142
|
+
|
1141
1143
|
|
1142
1144
|
def plugin_function_index(target: Optional[Target]) -> tuple[dict[str, PluginDescriptor], set[str]]:
|
1143
1145
|
"""Returns an index-list for plugins.
|
@@ -1292,7 +1294,7 @@ def find_plugin_functions(
|
|
1292
1294
|
path=index_name,
|
1293
1295
|
class_object=loaded_plugin_object,
|
1294
1296
|
method_name=method_name,
|
1295
|
-
output_type=getattr(fobject, "__output__", "
|
1297
|
+
output_type=getattr(fobject, "__output__", "none"),
|
1296
1298
|
plugin_desc=func,
|
1297
1299
|
)
|
1298
1300
|
)
|
@@ -1337,7 +1339,7 @@ def find_plugin_functions(
|
|
1337
1339
|
path=f"{description['module']}.{funcname}",
|
1338
1340
|
class_object=loaded_plugin_object,
|
1339
1341
|
method_name=funcname,
|
1340
|
-
output_type=getattr(fobject, "__output__", "
|
1342
|
+
output_type=getattr(fobject, "__output__", "none"),
|
1341
1343
|
plugin_desc=description,
|
1342
1344
|
)
|
1343
1345
|
)
|
@@ -608,6 +608,15 @@ def remove_padding(decrypted: bytes) -> bytes:
|
|
608
608
|
|
609
609
|
|
610
610
|
def decrypt_v10(encrypted_password: bytes) -> str:
|
611
|
+
"""Decrypt a version 10 encrypted password.
|
612
|
+
|
613
|
+
Args:
|
614
|
+
encrypted_password: The encrypted password bytes.
|
615
|
+
|
616
|
+
Returns:
|
617
|
+
Decrypted password string.
|
618
|
+
"""
|
619
|
+
|
611
620
|
if not HAS_CRYPTO:
|
612
621
|
raise ValueError("Missing pycryptodome dependency for AES operation")
|
613
622
|
|
@@ -625,12 +634,24 @@ def decrypt_v10(encrypted_password: bytes) -> str:
|
|
625
634
|
|
626
635
|
|
627
636
|
def decrypt_v10_2(encrypted_password: bytes, key: bytes) -> str:
|
628
|
-
"""
|
629
|
-
|
630
|
-
|
631
|
-
|
632
|
-
|
633
|
-
|
637
|
+
"""Decrypt a version 10 type 2 password.
|
638
|
+
|
639
|
+
References:
|
640
|
+
|
641
|
+
.. code-block::
|
642
|
+
|
643
|
+
struct chrome_pass {
|
644
|
+
byte signature[3] = 'v10';
|
645
|
+
byte iv[12];
|
646
|
+
byte ciphertext[EOF];
|
647
|
+
}
|
648
|
+
|
649
|
+
Args:
|
650
|
+
encrypted_password: The encrypted password bytes.
|
651
|
+
key: The encryption key.
|
652
|
+
|
653
|
+
Returns:
|
654
|
+
Decrypted password string.
|
634
655
|
"""
|
635
656
|
|
636
657
|
if not HAS_CRYPTO:
|
@@ -0,0 +1,23 @@
|
|
1
|
+
from dissect.target.plugin import NamespacePlugin, export
|
2
|
+
|
3
|
+
COMMON_EDITOR_FIELDS = [
|
4
|
+
("datetime", "ts"),
|
5
|
+
("string", "editor"),
|
6
|
+
("path", "source"),
|
7
|
+
]
|
8
|
+
|
9
|
+
|
10
|
+
class EditorPlugin(NamespacePlugin):
|
11
|
+
"""Editor plugin."""
|
12
|
+
|
13
|
+
__namespace__ = "editor"
|
14
|
+
|
15
|
+
@export
|
16
|
+
def extensions(self) -> None:
|
17
|
+
"""Yields installed extensions."""
|
18
|
+
raise NotImplementedError
|
19
|
+
|
20
|
+
@export
|
21
|
+
def history(self) -> None:
|
22
|
+
"""Yields history of files."""
|
23
|
+
raise NotImplementedError
|
@@ -16,11 +16,8 @@ from dissect.target.helpers.record import (
|
|
16
16
|
WindowsUserRecord,
|
17
17
|
create_extended_descriptor,
|
18
18
|
)
|
19
|
-
from dissect.target.plugin import export
|
20
|
-
from dissect.target.plugins.apps.
|
21
|
-
GENERIC_TAB_CONTENTS_RECORD_FIELDS,
|
22
|
-
TexteditorPlugin,
|
23
|
-
)
|
19
|
+
from dissect.target.plugin import alias, export
|
20
|
+
from dissect.target.plugins.apps.editor.editor import COMMON_EDITOR_FIELDS, EditorPlugin
|
24
21
|
from dissect.target.target import Target
|
25
22
|
|
26
23
|
# Thanks to @Nordgaren, @daddycocoaman, @JustArion and @ogmini for their suggestions and feedback in the PR
|
@@ -94,16 +91,25 @@ struct options_v2 {
|
|
94
91
|
};
|
95
92
|
"""
|
96
93
|
|
97
|
-
|
94
|
+
GENERIC_TAB_CONTENTS_RECORD_FIELDS = [
|
95
|
+
("string", "content"),
|
96
|
+
("path", "path"),
|
97
|
+
("string", "deleted_content"),
|
98
|
+
]
|
98
99
|
|
99
100
|
WindowsNotepadUnsavedTabRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
|
100
|
-
"
|
101
|
-
GENERIC_TAB_CONTENTS_RECORD_FIELDS,
|
101
|
+
"application/editor/windowsnotepad/tab/unsaved",
|
102
|
+
COMMON_EDITOR_FIELDS + GENERIC_TAB_CONTENTS_RECORD_FIELDS,
|
102
103
|
)
|
103
104
|
|
104
105
|
WindowsNotepadSavedTabRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
|
105
|
-
"
|
106
|
-
|
106
|
+
"application/editor/windowsnotepad/tab/saved",
|
107
|
+
COMMON_EDITOR_FIELDS
|
108
|
+
+ GENERIC_TAB_CONTENTS_RECORD_FIELDS
|
109
|
+
+ [
|
110
|
+
("digest", "digest"),
|
111
|
+
("path", "saved_path"),
|
112
|
+
],
|
107
113
|
)
|
108
114
|
|
109
115
|
c_windowstab = cstruct().load(windowstab_def)
|
@@ -264,7 +270,7 @@ class WindowsNotepadTab:
|
|
264
270
|
self.deleted_content = deleted_content if deleted_content else None
|
265
271
|
|
266
272
|
|
267
|
-
class WindowsNotepadPlugin(
|
273
|
+
class WindowsNotepadPlugin(EditorPlugin):
|
268
274
|
"""Windows notepad tab content plugin."""
|
269
275
|
|
270
276
|
__namespace__ = "windowsnotepad"
|
@@ -273,28 +279,27 @@ class WindowsNotepadPlugin(TexteditorPlugin):
|
|
273
279
|
|
274
280
|
def __init__(self, target: Target):
|
275
281
|
super().__init__(target)
|
276
|
-
self.users_tabs:
|
282
|
+
self.users_tabs: set[TargetPath, UnixUserRecord | WindowsUserRecord] = set()
|
277
283
|
for user_details in self.target.user_details.all_with_home():
|
278
284
|
for tab_file in user_details.home_path.glob(self.GLOB):
|
279
|
-
# These files
|
280
|
-
# and are skipped for now
|
285
|
+
# These files contain information on different settings / configurations, and are skipped for now.
|
281
286
|
if tab_file.name.endswith(".1.bin") or tab_file.name.endswith(".0.bin"):
|
282
287
|
continue
|
283
288
|
|
284
|
-
self.users_tabs.
|
289
|
+
self.users_tabs.add((tab_file, user_details.user))
|
285
290
|
|
286
291
|
def check_compatible(self) -> None:
|
287
292
|
if not self.users_tabs:
|
288
293
|
raise UnsupportedPluginError("No Windows Notepad tab files found")
|
289
294
|
|
295
|
+
@alias("tabs")
|
290
296
|
@export(record=[WindowsNotepadSavedTabRecord, WindowsNotepadUnsavedTabRecord])
|
291
|
-
def
|
297
|
+
def history(self) -> Iterator[WindowsNotepadSavedTabRecord | WindowsNotepadUnsavedTabRecord]:
|
292
298
|
"""Return contents from Windows 11 Notepad tabs - and its deleted content if available.
|
293
299
|
|
294
300
|
Windows Notepad application for Windows 11 is now able to restore both saved and unsaved tabs when you re-open
|
295
301
|
the application.
|
296
302
|
|
297
|
-
|
298
303
|
Resources:
|
299
304
|
- https://github.com/fox-it/dissect.target/pull/540
|
300
305
|
- https://github.com/JustArion/Notepad-Tabs
|
@@ -304,37 +309,41 @@ class WindowsNotepadPlugin(TexteditorPlugin):
|
|
304
309
|
- https://github.com/Nordgaren/tabstate-util/issues/1
|
305
310
|
- https://medium.com/@mahmoudsoheem/new-digital-forensics-artifact-from-windows-notepad-527645906b7b
|
306
311
|
|
307
|
-
Yields
|
312
|
+
Yields ``WindowsNotepadSavedTabRecord`` or ``WindowsNotepadUnsavedTabRecord`` records:
|
308
313
|
|
309
314
|
.. code-block:: text
|
310
315
|
|
311
|
-
|
312
|
-
|
313
|
-
|
314
|
-
|
315
|
-
|
316
|
-
|
316
|
+
ts (datetime): The modification time of the tab.
|
317
|
+
content (string): The content of the tab.
|
318
|
+
path (path): The path to the tab file.
|
319
|
+
deleted_content (string): The deleted content of the tab, if available.
|
320
|
+
digest (digest): A digest of the tab content.
|
321
|
+
saved_path (path): The path where the tab was saved.
|
317
322
|
"""
|
318
323
|
for file, user in self.users_tabs:
|
319
|
-
|
320
|
-
tab: WindowsNotepadTab = WindowsNotepadTab(file)
|
324
|
+
tab = WindowsNotepadTab(file)
|
321
325
|
|
322
326
|
if tab.is_saved:
|
323
327
|
yield WindowsNotepadSavedTabRecord(
|
328
|
+
ts=wintimestamp(tab.tab_header.timestamp),
|
329
|
+
editor="windowsnotepad",
|
324
330
|
content=tab.content,
|
325
331
|
path=tab.file,
|
326
332
|
deleted_content=tab.deleted_content,
|
327
|
-
|
333
|
+
digest=digest((None, None, tab.tab_header.sha256.hex())),
|
328
334
|
saved_path=tab.tab_header.filePath,
|
329
|
-
|
330
|
-
_target=self.target,
|
335
|
+
source=file,
|
331
336
|
_user=user,
|
337
|
+
_target=self.target,
|
332
338
|
)
|
339
|
+
|
333
340
|
else:
|
334
341
|
yield WindowsNotepadUnsavedTabRecord(
|
342
|
+
editor="windowsnotepad",
|
335
343
|
content=tab.content,
|
344
|
+
deleted_content=tab.deleted_content,
|
336
345
|
path=tab.file,
|
337
|
-
|
346
|
+
source=file,
|
338
347
|
_user=user,
|
339
|
-
|
348
|
+
_target=self.target,
|
340
349
|
)
|
@@ -1,3 +1,5 @@
|
|
1
|
+
from typing import Iterator
|
2
|
+
|
1
3
|
from dissect.target.exceptions import UnsupportedPluginError
|
2
4
|
from dissect.target.helpers.descriptor_extensions import UserRecordDescriptorExtension
|
3
5
|
from dissect.target.helpers.record import create_extended_descriptor
|
@@ -14,6 +16,8 @@ ConsoleHostHistoryRecord = create_extended_descriptor([UserRecordDescriptorExten
|
|
14
16
|
|
15
17
|
|
16
18
|
class PowerShellHistoryPlugin(Plugin):
|
19
|
+
"""Windows PowerShell history plugin."""
|
20
|
+
|
17
21
|
PATHS = [
|
18
22
|
"AppData/Roaming/Microsoft/Windows/PowerShell/psreadline",
|
19
23
|
".local/share/powershell/PSReadLine",
|
@@ -35,10 +39,10 @@ class PowerShellHistoryPlugin(Plugin):
|
|
35
39
|
raise UnsupportedPluginError("No ConsoleHost_history.txt files found")
|
36
40
|
|
37
41
|
@export(record=ConsoleHostHistoryRecord)
|
38
|
-
def powershell_history(self):
|
42
|
+
def powershell_history(self) -> Iterator[ConsoleHostHistoryRecord]:
|
39
43
|
"""Return PowerShell command history for all users.
|
40
44
|
|
41
|
-
The PowerShell ConsoleHost_history.txt file contains information about the commands executed with PowerShell in
|
45
|
+
The PowerShell ``ConsoleHost_history.txt`` file contains information about the commands executed with PowerShell in
|
42
46
|
a terminal. No data is recorded from terminal-less PowerShell sessions. Commands are saved to disk after the process has completed.
|
43
47
|
PSReadLine does not save commands containing 'password', 'asplaintext', 'token', 'apikey' or 'secret'.
|
44
48
|
|
@@ -52,7 +52,7 @@ class WgetPlugin(Plugin):
|
|
52
52
|
- https://gitlab.com/gnuwget/wget/-/blob/master/src/hsts.c
|
53
53
|
- https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
|
54
54
|
|
55
|
-
Yields ``WgetHstsRecord``
|
55
|
+
Yields ``WgetHstsRecord`` records with the following fields:
|
56
56
|
|
57
57
|
.. code-block:: text
|
58
58
|
|
@@ -52,15 +52,13 @@ class WireGuardPlugin(Plugin):
|
|
52
52
|
|
53
53
|
__namespace__ = "wireguard"
|
54
54
|
|
55
|
-
|
56
|
-
|
57
|
-
|
58
|
-
|
59
|
-
|
60
|
-
|
61
|
-
TODO:
|
62
|
-
TODO: parse native network manager formats from MacOS, Ubuntu and Windows.
|
63
|
-
"""
|
55
|
+
# TODO: NetworkManager uses a different stanza format
|
56
|
+
# "/etc/NetworkManager/system-connections/Wireguard*",
|
57
|
+
# TODO: systemd uses a different stanza format
|
58
|
+
# "/etc/systemd/network/wg*.netdev",
|
59
|
+
# "/etc/systemd/network/*wg*.netdev",
|
60
|
+
# TODO: other locations such as $HOME/.config/wireguard
|
61
|
+
# TODO: parse native network manager formats from MacOS, Ubuntu and Windows.
|
64
62
|
|
65
63
|
CONFIG_GLOBS = [
|
66
64
|
# Linux
|
@@ -160,6 +158,8 @@ def _parse_config(content: str) -> ConfigParser:
|
|
160
158
|
|
161
159
|
|
162
160
|
class MultiDict(OrderedDict):
|
161
|
+
"""OrderedDict implementation which allows multiple values for the keys ``Peer`` and ``Interface``."""
|
162
|
+
|
163
163
|
def __init__(self, *args, **kwargs):
|
164
164
|
self._unique = 0
|
165
165
|
super().__init__(*args, **kwargs)
|
@@ -23,6 +23,8 @@ CPANEL_LASTLOGIN_PATTERN = re.compile(
|
|
23
23
|
|
24
24
|
|
25
25
|
class CPanelPlugin(Plugin):
|
26
|
+
"""cPanel webhosting plugin."""
|
27
|
+
|
26
28
|
# TODO: Parse other log files https://support.cartika.com/portal/en/kb/articles/whm-cpanel-log-files-and-locations
|
27
29
|
__namespace__ = "cpanel"
|
28
30
|
|
@@ -1,3 +1,5 @@
|
|
1
|
+
from typing import Iterator
|
2
|
+
|
1
3
|
from dissect.target.exceptions import UnsupportedPluginError
|
2
4
|
from dissect.target.helpers.record import ChildTargetRecord
|
3
5
|
from dissect.target.plugin import ChildTargetPlugin
|
@@ -12,7 +14,7 @@ class ESXiChildTargetPlugin(ChildTargetPlugin):
|
|
12
14
|
if self.target.os != "esxi":
|
13
15
|
raise UnsupportedPluginError("Not an ESXi operating system")
|
14
16
|
|
15
|
-
def list_children(self):
|
17
|
+
def list_children(self) -> Iterator[ChildTargetRecord]:
|
16
18
|
for vm in self.target.vm_inventory():
|
17
19
|
yield ChildTargetRecord(
|
18
20
|
type=self.__type__,
|