PyPI - dissect.target - Versions diffs - 3.20.dev36__py3-none-any.whl → 3.20.dev39__py3-none-any.whl - Mend

dissect.target 3.20.dev36py3-none-any.whl → 3.20.dev39py3-none-any.whl

Files changed (124) hide show

dissect/target/plugins/os/unix/linux/sockets.py CHANGED Viewed

@@ -64,6 +64,8 @@ PacketSocketRecord = TargetRecordDescriptor(
 class NetSocketPlugin(Plugin):
+    """Linux volatile net sockets plugin."""
     __namespace__ = "sockets"
     def __init__(self, target: Target):

dissect/target/plugins/os/unix/linux/suse/zypper.py CHANGED Viewed

@@ -7,10 +7,13 @@ from dissect.target.helpers.fsutil import open_decompress
 from dissect.target.plugins.os.unix.packagemanager import (
     OperationTypes,
     PackageManagerLogRecord,
+    PackageManagerPlugin,
 )
-class ZypperPlugin(plugin.Plugin):
+class ZypperPlugin(PackageManagerPlugin):
+    """Zypper package manager plugin."""
     __namespace__ = "zypper"
     LOG_DIR_PATH = "/var/log/zypp"

dissect/target/plugins/os/unix/locale.py CHANGED Viewed

@@ -29,6 +29,8 @@ def timezone_from_path(path: Path) -> str:
 class LocalePlugin(Plugin):
+    """Unix locale plugin."""
     def check_compatible(self) -> None:
         pass

dissect/target/plugins/os/unix/locate/gnulocate.py CHANGED Viewed

@@ -1,6 +1,6 @@
 from __future__ import annotations
-from typing import BinaryIO, Iterable
+from typing import BinaryIO, Iterable, Iterator
 from dissect.cstruct import cstruct
@@ -69,6 +69,8 @@ class GNULocateFile:
 class GNULocatePlugin(BaseLocatePlugin):
+    """GNU locate plugin."""
     __namespace__ = "gnulocate"
     path = "/var/cache/locate/locatedb"
@@ -78,7 +80,7 @@ class GNULocatePlugin(BaseLocatePlugin):
             raise UnsupportedPluginError(f"No locatedb file found at {self.path}")
     @export(record=GNULocateRecord)
-    def locate(self) -> GNULocateRecord:
+    def locate(self) -> Iterator[GNULocateRecord]:
         """Yield file and directory names from GNU findutils' locatedb file.
         Resources:

dissect/target/plugins/os/unix/locate/mlocate.py CHANGED Viewed

@@ -115,6 +115,8 @@ class MLocateFile:
 class MLocatePlugin(BaseLocatePlugin):
+    """Unix mlocate plugin."""
     __namespace__ = "mlocate"
     path = "/var/lib/mlocate/mlocate.db"

dissect/target/plugins/os/unix/locate/plocate.py CHANGED Viewed

@@ -163,6 +163,8 @@ class PLocateFile:
 class PLocatePlugin(BaseLocatePlugin):
+    """Unix plocate plugin."""
     __namespace__ = "plocate"
     path = "/var/lib/plocate/plocate.db"
@@ -177,7 +179,7 @@ class PLocatePlugin(BaseLocatePlugin):
             )
     @export(record=PLocateRecord)
-    def locate(self) -> PLocateRecord:
+    def locate(self) -> Iterator[PLocateRecord]:
         """Yield file and directory names from the plocate.db.
         ``plocate`` is the default package on Ubuntu 22 and newer to locate files.

dissect/target/plugins/os/unix/log/atop.py CHANGED Viewed

@@ -247,6 +247,8 @@ class AtopFile:
 class AtopPlugin(Plugin):
+    """Unix atop plugin."""
     ATOP_GLOB = "atop_*"
     ATOP_MAGIC = 0xFEEDBEEF
     ATOP_PATH = "/var/log/atop"

dissect/target/plugins/os/unix/log/audit.py CHANGED Viewed

@@ -24,6 +24,8 @@ AUDIT_REGEX = re.compile(r"^type=(?P<audit_type>.*) msg=audit\((?P<ts>.*):(?P<au
 class AuditPlugin(Plugin):
+    """Unix audit log plugin."""
     def __init__(self, target):
         super().__init__(target)
         self.log_paths = self.get_log_paths()
@@ -51,7 +53,7 @@ class AuditPlugin(Plugin):
         return log_paths
-    @export(record=[AuditRecord])
+    @export(record=AuditRecord)
     def audit(self) -> Iterator[AuditRecord]:
         """Return CentOS and RedHat audit information stored in /var/log/audit*.

dissect/target/plugins/os/unix/log/auth.py CHANGED Viewed

@@ -22,17 +22,19 @@ RE_TS_AND_HOSTNAME = re.compile(_TS_REGEX + r"\s\S+\s")
 class AuthPlugin(Plugin):
+    """Unix auth log plugin."""
     def check_compatible(self) -> None:
         var_log = self.target.fs.path("/var/log")
         if not any(var_log.glob("auth.log*")) and not any(var_log.glob("secure*")):
             raise UnsupportedPluginError("No auth log files found")
-    @export(record=[AuthLogRecord])
+    @export(record=AuthLogRecord)
     def securelog(self) -> Iterator[AuthLogRecord]:
         """Return contents of /var/log/auth.log* and /var/log/secure*."""
         return self.authlog()
-    @export(record=[AuthLogRecord])
+    @export(record=AuthLogRecord)
     def authlog(self) -> Iterator[AuthLogRecord]:
         """Return contents of /var/log/auth.log* and /var/log/secure*."""

dissect/target/plugins/os/unix/log/lastlog.py CHANGED Viewed

@@ -1,4 +1,4 @@
-from typing import BinaryIO
+from typing import BinaryIO, Iterator
 from dissect.cstruct import cstruct
 from dissect.util import ts
@@ -52,13 +52,15 @@ class LastLogFile:
 class LastLogPlugin(Plugin):
+    """Unix lastlog plugin."""
     def check_compatible(self) -> None:
         lastlog = self.target.fs.path("/var/log/lastlog")
         if not lastlog.exists():
             raise UnsupportedPluginError("No lastlog file found")
-    @export(record=[LastLogRecord])
-    def lastlog(self):
+    @export(record=LastLogRecord)
+    def lastlog(self) -> Iterator[LastLogRecord]:
         """Return last logins information from /var/log/lastlog.
         The lastlog file contains the most recent logins of all users on a Unix based operating system.

dissect/target/plugins/os/unix/log/messages.py CHANGED Viewed

@@ -34,6 +34,8 @@ RE_CLOUD_INIT_LINE = re.compile(
 class MessagesPlugin(Plugin):
+    """Unix messages log plugin."""
     def __init__(self, target: Target):
         super().__init__(target)
         self.log_files = set(self._find_log_files())

dissect/target/plugins/os/unix/log/utmp.py CHANGED Viewed

@@ -168,6 +168,8 @@ class UtmpFile:
 class UtmpPlugin(Plugin):
+    """Unix utmp log plugin."""
     WTMP_GLOB = "/var/log/wtmp*"
     BTMP_GLOB = "/var/log/btmp*"
@@ -180,7 +182,7 @@ class UtmpPlugin(Plugin):
         ):
             raise UnsupportedPluginError("No WTMP or BTMP log files found")
-    @export(record=[BtmpRecord])
+    @export(record=BtmpRecord)
     def btmp(self) -> Iterator[BtmpRecord]:
         """Return failed login attempts stored in the btmp file.
@@ -207,7 +209,7 @@ class UtmpPlugin(Plugin):
                     _target=self.target,
                 )
-    @export(record=[WtmpRecord])
+    @export(record=WtmpRecord)
     def wtmp(self) -> Iterator[WtmpRecord]:
         """Return the content of the wtmp log files.

dissect/target/plugins/os/unix/packagemanager.py CHANGED Viewed

@@ -1,12 +1,9 @@
 from __future__ import annotations
 from enum import Enum
-from typing import Iterator
-from dissect.target import Target
-from dissect.target.exceptions import UnsupportedPluginError
 from dissect.target.helpers.record import TargetRecordDescriptor
-from dissect.target.plugin import Plugin, export
+from dissect.target.plugin import NamespacePlugin
 PackageManagerLogRecord = TargetRecordDescriptor(
     "unix/log/packagemanager",
@@ -22,6 +19,8 @@ PackageManagerLogRecord = TargetRecordDescriptor(
 class OperationTypes(Enum):
+    """Valid operation types."""
     Install = "install"
     Update = "update"
     Downgrade = "downgrade"
@@ -45,37 +44,5 @@ class OperationTypes(Enum):
         return OperationTypes.Other
-class PackageManagerPlugin(Plugin):
+class PackageManagerPlugin(NamespacePlugin):
     __namespace__ = "packagemanager"
-    __findable__ = False
-    TOOLS = [
-        "apt",
-        "yum",
-        "zypper",
-    ]
-    def __init__(self, target: Target):
-        super().__init__(target)
-        self._plugins = []
-        for entry in self.TOOLS:
-            try:
-                self._plugins.append(getattr(self.target, entry))
-            except Exception:
-                target.log.exception(f"Failed to load tool plugin: {entry}")
-    def check_compatible(self) -> None:
-        if not len(self._plugins):
-            raise UnsupportedPluginError("No compatible plugins found")
-    def _func(self, f: str) -> Iterator[PackageManagerLogRecord]:
-        for p in self._plugins:
-            try:
-                yield from getattr(p, f)()
-            except Exception:
-                self.target.log.exception("Failed to execute package manager plugin: %s.%s", p._name, f)
-    @export(record=PackageManagerLogRecord)
-    def logs(self) -> Iterator[PackageManagerLogRecord]:
-        """Returns logs from all available Unix package managers."""
-        yield from self._func("logs")

dissect/target/plugins/os/unix/shadow.py CHANGED Viewed

@@ -25,6 +25,8 @@ UnixShadowRecord = TargetRecordDescriptor(
 class ShadowPlugin(Plugin):
+    """Unix shadow passwords plugin."""
     def check_compatible(self) -> None:
         if not self.target.fs.path("/etc/shadow").exists():
             raise UnsupportedPluginError("No shadow file found")
@@ -36,7 +38,7 @@ class ShadowPlugin(Plugin):
         """Yield shadow records from /etc/shadow files.
         Resources:
-            - https://manpages.ubuntu.com/manpages/oracular/en/man5/passwd.5.html#file:/etc/shadow
+            - https://manpages.ubuntu.com/manpages/oracular/en/man5/passwd.5.html
         """
         seen_hashes = set()

dissect/target/plugins/os/unix/trash.py CHANGED Viewed

@@ -59,7 +59,7 @@ class GnomeTrashPlugin(Plugin):
             - https://github.com/GNOME/glib/blob/main/gio/glocalfile.c
             - https://specifications.freedesktop.org/basedir-spec/latest/
-        Yields ``TrashRecord``s with the following fields:
+        Yields ``TrashRecord`` records with the following fields:
         .. code-block:: text

dissect/target/plugins/os/windows/activitiescache.py CHANGED Viewed

@@ -1,3 +1,8 @@
+from __future__ import annotations
+from datetime import datetime
+from typing import Iterator
 from dissect.sql import sqlite3
 from dissect.util.ts import from_unix
@@ -42,8 +47,8 @@ class ActivitiesCachePlugin(Plugin):
     """Plugin that parses the ActivitiesCache.db on newer Windows 10 machines.
     References:
-        https://www.cclsolutionsgroup.com/resources/technical-papers
-        https://salt4n6.com/2018/05/03/windows-10-timeline-forensic-artefacts/
+        - https://www.cclsolutionsgroup.com/resources/technical-papers
+        - https://salt4n6.com/2018/05/03/windows-10-timeline-forensic-artefacts/
     """
     def __init__(self, target):
@@ -62,7 +67,7 @@ class ActivitiesCachePlugin(Plugin):
             raise UnsupportedPluginError("No ActiviesCache.db files found")
     @export(record=ActivitiesCacheRecord)
-    def activitiescache(self):
+    def activitiescache(self) -> Iterator[ActivitiesCacheRecord]:
         """Return ActivitiesCache.db database content.
         The Windows Activities Cache database keeps track of activity on a device, such as application and services
@@ -143,7 +148,7 @@ class ActivitiesCachePlugin(Plugin):
                 )
-def mkts(ts):
+def mkts(ts: int) -> datetime | None:
     """Timestamps inside ActivitiesCache.db are stored in a Unix-like format.
     Source: https://salt4n6.com/2018/05/03/windows-10-timeline-forensic-artefacts/

dissect/target/plugins/os/windows/adpolicy.py CHANGED Viewed

@@ -1,4 +1,5 @@
 from struct import unpack
+from typing import Iterator
 from defusedxml import ElementTree
 from dissect.cstruct import cstruct
@@ -90,7 +91,7 @@ class ADPolicyPlugin(Plugin):
                 self.target.log.warning("Unable to read XML policy file: %s", error)
     @export(record=ADPolicyRecord)
-    def adpolicy(self):
+    def adpolicy(self) -> Iterator[ADPolicyRecord]:
         """Return all AD policies (also known as GPOs or Group Policy Objects).
         An Active Directory (AD) maintains global policies that should be adhered by all systems in the domain.

dissect/target/plugins/os/windows/amcache.py CHANGED Viewed

@@ -1,4 +1,7 @@
+from __future__ import annotations
 from datetime import datetime, timezone
+from typing import Iterator
 from dissect.util.ts import wintimestamp
@@ -292,13 +295,13 @@ class AmcachePluginOldMixin:
                     )
     @export(record=ProgramsAppcompatRecord)
-    def programs(self):
+    def programs(self) -> Iterator[ProgramsAppcompatRecord]:
         """Return Programs records from Amcache hive."""
         if self.amcache:
             yield from self.parse_programs()
     @export(record=FileAppcompatRecord)
-    def files(self):
+    def files(self) -> Iterator[FileAppcompatRecord]:
         """Return File records from Amcache hive."""
         if self.amcache:
             yield from self.parse_file()
@@ -321,9 +324,9 @@ class AmcachePlugin(AmcachePluginOldMixin, Plugin):
         * InventoryApplicationShortcut
     References:
-        https://binaryforay.blogspot.com/2015/04/appcompatcache-changes-in-windows-10.html
-        https://www.ssi.gouv.fr/uploads/2019/01/anssi-coriin_2019-analysis_amcache.pdf
-        https://aboutdfir.com/new-windows-11-pro-22h2-evidence-of-execution-artifact/
+        - https://binaryforay.blogspot.com/2015/04/appcompatcache-changes-in-windows-10.html
+        - https://cyber.gouv.fr/sites/default/files/2019/01/anssi-coriin_2019-analysis_amcache.pdf
+        - https://aboutdfir.com/new-windows-11-pro-22h2-evidence-of-execution-artifact/
     """
@@ -545,7 +548,7 @@ class AmcachePlugin(AmcachePluginOldMixin, Plugin):
             )
     @export(record=ApplicationAppcompatRecord)
-    def applications(self):
+    def applications(self) -> Iterator[ApplicationAppcompatRecord]:
         """Return InventoryApplication records from Amcache hive.
         Amcache is a registry hive that stores information about executed programs. The InventoryApplication key holds
@@ -559,7 +562,7 @@ class AmcachePlugin(AmcachePluginOldMixin, Plugin):
             yield from self.parse_inventory_application()
     @export(record=ApplicationFileAppcompatRecord)
-    def application_files(self):
+    def application_files(self) -> Iterator[ApplicationFileAppcompatRecord]:
         """Return InventoryApplicationFile records from Amcache hive.
         Amcache is a registry hive that stores information about executed programs. The InventoryApplicationFile key
@@ -573,7 +576,7 @@ class AmcachePlugin(AmcachePluginOldMixin, Plugin):
             yield from self.parse_inventory_application_file()
     @export(record=BinaryAppcompatRecord)
-    def drivers(self):
+    def drivers(self) -> Iterator[BinaryAppcompatRecord]:
         """Return InventoryDriverBinary records from Amcache hive.
         Amcache is a registry hive that stores information about executed programs. The InventoryDriverBinary key holds
@@ -588,7 +591,7 @@ class AmcachePlugin(AmcachePluginOldMixin, Plugin):
             yield from self.parse_inventory_driver_binary()
     @export(record=ShortcutAppcompatRecord)
-    def shortcuts(self):
+    def shortcuts(self) -> Iterator[ShortcutAppcompatRecord]:
         """Return InventoryApplicationShortcut records from Amcache hive.
         Amcache is a registry hive that stores information about executed programs. The InventoryApplicationShortcut
@@ -604,7 +607,7 @@ class AmcachePlugin(AmcachePluginOldMixin, Plugin):
             yield from self.parse_inventory_application_shortcut()
     @export(record=ContainerAppcompatRecord)
-    def device_containers(self):
+    def device_containers(self) -> Iterator[ContainerAppcompatRecord]:
         """Return InventoryDeviceContainer records from Amcache hive.
         Amcache is a registry hive that stores information about executed programs. The InventoryDeviceContainer key
@@ -619,7 +622,7 @@ class AmcachePlugin(AmcachePluginOldMixin, Plugin):
             yield from self.parse_inventory_device_container()
     @export(record=AppLaunchAppcompatRecord)
-    def applaunches(self):
+    def applaunches(self) -> Iterator[AppLaunchAppcompatRecord]:
         """Return AppLaunchAppcompatRecord records from Amcache applaunch files (Windows 11 22H2 or later).
         TODO: Research C:\\Windows\\appcompat\\pca\\PcaGeneralDb0.txt and
@@ -641,11 +644,11 @@ class AmcachePlugin(AmcachePluginOldMixin, Plugin):
                 )
-def parse_win_datetime(value: str):
+def parse_win_datetime(value: str) -> datetime | None:
     if value:
         return datetime.strptime(value, "%m/%d/%Y %H:%M:%S")
-def parse_win_timestamp(value: str):
+def parse_win_timestamp(value: str) -> datetime | None:
     if value:
         return wintimestamp(value)

dissect/target/plugins/os/windows/defender.py CHANGED Viewed

@@ -4,7 +4,7 @@ import re
 from datetime import datetime, timezone
 from io import BytesIO
 from pathlib import Path
-from typing import Any, BinaryIO, Generator, Iterable, Iterator, TextIO, Union
+from typing import Any, BinaryIO, Iterable, Iterator, TextIO
 import dissect.util.ts as ts
 from dissect.cstruct import cstruct
@@ -434,7 +434,7 @@ class MicrosoftDefenderPlugin(plugin.Plugin):
             raise UnsupportedPluginError("No Defender objects found")
     @plugin.export(record=DefenderLogRecord)
-    def evtx(self) -> Generator[Record, None, None]:
+    def evtx(self) -> Iterator[DefenderLogRecord]:
         """Parse Microsoft Defender evtx log files"""
         defender_evtx_field_names = [field_name for _, field_name in DEFENDER_EVTX_FIELDS]
@@ -458,7 +458,7 @@ class MicrosoftDefenderPlugin(plugin.Plugin):
             yield DefenderLogRecord(**record_fields, _target=self.target)
     @plugin.export(record=[DefenderQuarantineRecord, DefenderFileQuarantineRecord])
-    def quarantine(self) -> Iterator[Union[DefenderQuarantineRecord, DefenderFileQuarantineRecord]]:
+    def quarantine(self) -> Iterator[DefenderQuarantineRecord | DefenderFileQuarantineRecord]:
         """Parse the quarantine folder of Microsoft Defender for quarantine entry resources.
         Quarantine entry resources contain metadata about detected threats that Microsoft Defender has placed in

dissect/target/plugins/os/windows/dpapi/keyprovider/credhist.py CHANGED Viewed

@@ -8,6 +8,8 @@ from dissect.target.plugins.os.windows.dpapi.keyprovider.keyprovider import (
 class CredHistKeyProviderPlugin(KeyProviderPlugin):
+    """Windows CREDHIST SHA1-hash key provider plugin."""
     __namespace__ = "_dpapi_keyprovider_credhist"
     def check_compatible(self) -> None:
@@ -16,6 +18,7 @@ class CredHistKeyProviderPlugin(KeyProviderPlugin):
     @export(output="yield")
     def keys(self) -> Iterator[tuple[str, str]]:
+        """Yield Windows CREDHIST SHA1 hashes."""
         for credhist in self.target.credhist():
             if value := getattr(credhist, "sha1"):
                 yield self.__namespace__, value

dissect/target/plugins/os/windows/dpapi/keyprovider/empty.py CHANGED Viewed

@@ -7,6 +7,8 @@ from dissect.target.plugins.os.windows.dpapi.keyprovider.keyprovider import (
 class EmptyKeyProviderPlugin(KeyProviderPlugin):
+    """Empty key provider plugin."""
     __namespace__ = "_dpapi_keyprovider_empty"
     def check_compatible(self) -> None:
@@ -14,4 +16,5 @@ class EmptyKeyProviderPlugin(KeyProviderPlugin):
     @export(output="yield")
     def keys(self) -> Iterator[tuple[str, str]]:
+        """Yield an empty string."""
         yield self.__namespace__, ""

dissect/target/plugins/os/windows/dpapi/keyprovider/keychain.py CHANGED Viewed

@@ -8,6 +8,8 @@ from dissect.target.plugins.os.windows.dpapi.keyprovider.keyprovider import (
 class KeychainKeyProviderPlugin(KeyProviderPlugin):
+    """Keychain key provider plugin."""
     __namespace__ = "_dpapi_keyprovider_keychain"
     def check_compatible(self) -> None:
@@ -15,6 +17,7 @@ class KeychainKeyProviderPlugin(KeyProviderPlugin):
     @export(output="yield")
     def keys(self) -> Iterator[tuple[str, str]]:
+        """Yield keychain passphrases."""
         for key in keychain.get_keys_for_provider("user") + keychain.get_keys_without_provider():
             if key.key_type == keychain.KeyType.PASSPHRASE:
                 yield self.__namespace__, key.value

dissect/target/plugins/os/windows/dpapi/keyprovider/lsa.py CHANGED Viewed

@@ -21,6 +21,8 @@ c_defaultpassword = cstruct().load(defaultpassword_def)
 class LSADefaultPasswordKeyProviderPlugin(KeyProviderPlugin):
+    """Windows LSA DefaultPassword key provider plugin."""
     __namespace__ = "_dpapi_keyprovider_lsa_defaultpassword"
     def check_compatible(self) -> None:
@@ -29,6 +31,7 @@ class LSADefaultPasswordKeyProviderPlugin(KeyProviderPlugin):
     @export(output="yield")
     def keys(self) -> Iterator[tuple[str, str]]:
+        """Yield Windows LSA DefaultPassword strings."""
         if default_pass := self.target.lsa._secrets.get("DefaultPassword"):
             try:
                 value = c_defaultpassword.DefaultPassword(default_pass).data

dissect/target/plugins/os/windows/env.py CHANGED Viewed

@@ -314,8 +314,7 @@ class EnvironmentVariablePlugin(Plugin):
     def user_env(self, user_sid: Optional[str] = None) -> OrderedDict[str, str]:
         """Return a dict of all found (user) environment variables.
-        If no ``user_sid` is provided, this function will return just the
-        system environment variables.
+        If no ``user_sid`` is provided, this function will return just the system environment variables.
         """
         return self._get_user_env_vars(user_sid)

dissect/target/plugins/os/windows/exchange/exchange.py CHANGED Viewed

@@ -3,13 +3,15 @@ from dissect.target.plugin import Plugin, export
 class ExchangePlugin(Plugin):
+    """Microsoft Exchange Server plugin."""
     __namespace__ = "exchange"
     def check_compatible(self) -> None:
         if not len(self.install_paths()):
             raise UnsupportedPluginError("No Exchange install path found")
-    def install_paths(self):
+    def install_paths(self) -> list[str]:
         paths = []
         key = "HKLM\\SOFTWARE\\Microsoft\\ExchangeServer"
         for reg_key in self.target.registry.keys(key):
@@ -23,9 +25,9 @@ class ExchangePlugin(Plugin):
         return paths
-    @export
-    def transport_agents(self):
-        """Return the content of the config file for Transport Agents for Microsoft Exchange.
+    @export(output="none")
+    def transport_agents(self) -> None:
+        """Print the content of the config file for Transport Agents for Microsoft Exchange.
         A Transport Agent is additional software on a Microsoft Exchange server that allows for custom processing of
         email messages that go through the transport pipeline.

dissect.target 3.20.dev36__py3-none-any.whl → 3.20.dev39__py3-none-any.whl

dissect.target 3.20.dev36py3-none-any.whl → 3.20.dev39py3-none-any.whl