dissect.target 3.20.dev39__py3-none-any.whl → 3.20.dev40__py3-none-any.whl

dissect/target/helpers/record.py

@@ -185,3 +185,24 @@ MacInterfaceRecord = TargetRecordDescriptor(
         ("boolean", "dhcp"),
     ],
 )
+
+
+COMMON_APPLICATION_FIELDS = [
+    ("datetime", "ts_modified"),
+    ("datetime", "ts_installed"),
+    ("string", "name"),
+    ("string", "version"),
+    ("string", "author"),
+    ("string", "type"),
+    ("path", "path"),
+]
+
+UnixApplicationRecord = TargetRecordDescriptor(
+    "unix/application",
+    COMMON_APPLICATION_FIELDS,
+)
+
+WindowsApplicationRecord = TargetRecordDescriptor(
+    "windows/application",
+    COMMON_APPLICATION_FIELDS,
+)

dissect/target/helpers/regutil.py

@@ -310,6 +310,7 @@ class VirtualKey(RegistryKey):
         self._class_name = class_name
         self._values: dict[str, RegistryValue] = {}
         self._subkeys: dict[str, RegistryKey] = {}
+        self._timestamp: datetime = None
         self.top: RegistryKey = None
         super().__init__(hive=hive)
 
@@ -339,11 +340,19 @@ class VirtualKey(RegistryKey):
         return self._path
 
     @property
-    def timestamp(self) -> datetime:
+    def timestamp(self) -> datetime | None:
         if self.top:
             return self.top.timestamp
+
+        if self._timestamp:
+            return self._timestamp
+
         return None
 
+    @timestamp.setter
+    def timestamp(self, ts: datetime) -> None:
+        self._timestamp = ts
+
     def subkey(self, subkey: str) -> RegistryKey:
         try:
             return self._subkeys[subkey.lower()]

dissect/target/plugins/os/unix/applications.py

@@ -0,0 +1,78 @@
+from typing import Iterator
+
+from dissect.target.exceptions import UnsupportedPluginError
+from dissect.target.helpers import configutil
+from dissect.target.helpers.fsutil import TargetPath
+from dissect.target.helpers.record import UnixApplicationRecord
+from dissect.target.plugin import Plugin, export
+from dissect.target.target import Target
+
+
+class UnixApplicationsPlugin(Plugin):
+    """Unix Applications plugin."""
+
+    SYSTEM_PATHS = [
+        "/usr/share/applications/",
+        "/usr/local/share/applications/",
+        "/var/lib/snapd/desktop/applications/",
+        "/var/lib/flatpak/exports/share/applications/",
+    ]
+
+    USER_PATHS = [
+        ".local/share/applications/",
+    ]
+
+    SYSTEM_APPS = ("org.gnome.",)
+
+    def __init__(self, target: Target):
+        super().__init__(target)
+        self.desktop_files = list(self._find_desktop_files())
+
+    def _find_desktop_files(self) -> Iterator[TargetPath]:
+        for dir in self.SYSTEM_PATHS:
+            for file in self.target.fs.path(dir).glob("*.desktop"):
+                yield file
+
+        for user_details in self.target.user_details.all_with_home():
+            for dir in self.USER_PATHS:
+                for file in user_details.home_path.joinpath(dir).glob("*.desktop"):
+                    yield file
+
+    def check_compatible(self) -> None:
+        if not self.desktop_files:
+            raise UnsupportedPluginError("No application .desktop files found")
+
+    @export(record=UnixApplicationRecord)
+    def applications(self) -> Iterator[UnixApplicationRecord]:
+        """Yield installed Unix GUI applications from GNOME and XFCE.
+
+        Resources:
+            - https://wiki.archlinux.org/title/Desktop_entries
+            - https://specifications.freedesktop.org/desktop-entry-spec/latest/
+            - https://unix.stackexchange.com/questions/582928/where-gnome-apps-are-installed
+
+        Yields ``UnixApplicationRecord`` records with the following fields:
+
+        .. code-block:: text
+
+            ts_modified  (datetime): timestamp when the installation was modified
+            ts_installed (datetime): timestamp when the application was installed on the system
+            name         (string):   name of the application
+            version      (string):   version of the application
+            author       (string):   author of the application
+            type         (string):   type of the application, either user or system
+            path         (string):   path to the desktop file entry of the application
+        """
+        for file in self.desktop_files:
+            config = configutil.parse(file, hint="ini").get("Desktop Entry") or {}
+            stat = file.lstat()
+
+            yield UnixApplicationRecord(
+                ts_modified=stat.st_mtime,
+                ts_installed=stat.st_btime if hasattr(stat, "st_btime") else None,
+                name=config.get("Name"),
+                version=config.get("Version"),
+                path=config.get("Exec"),
+                type="system" if config.get("Icon", "").startswith(self.SYSTEM_APPS) else "user",
+                _target=self.target,
+            )

dissect/target/plugins/os/unix/linux/debian/snap.py

@@ -0,0 +1,79 @@
+from typing import Iterator
+
+from dissect.target.exceptions import UnsupportedPluginError
+from dissect.target.filesystems.squashfs import SquashFSFilesystem
+from dissect.target.helpers import configutil
+from dissect.target.helpers.fsutil import TargetPath
+from dissect.target.helpers.record import UnixApplicationRecord
+from dissect.target.plugin import Plugin, alias, export
+from dissect.target.target import Target
+
+
+class SnapPlugin(Plugin):
+    """Canonical Linux Snapcraft plugin."""
+
+    PATHS = [
+        "/var/lib/snapd/snaps",
+    ]
+
+    def __init__(self, target: Target):
+        super().__init__(target)
+        self.installs = list(self._find_installs())
+
+    def check_compatible(self) -> None:
+        if not configutil.HAS_YAML:
+            raise UnsupportedPluginError("Missing required dependency ruamel.yaml")
+
+        if not self.installs:
+            raise UnsupportedPluginError("No snapd install folder(s) found")
+
+    def _find_installs(self) -> Iterator[TargetPath]:
+        for str_path in self.PATHS:
+            if (path := self.target.fs.path(str_path)).exists():
+                yield path
+
+    @export(record=UnixApplicationRecord)
+    @alias("snaps")
+    def snap(self) -> Iterator[UnixApplicationRecord]:
+        """Yields installed Canonical Linux Snapcraft (snaps) applications on the target system.
+
+        Reads information from installed SquashFS ``*.snap`` files found in ``/var/lib/snapd/snaps``.
+        Logs of the ``snapd`` daemon can be parsed using the ``journal`` or ``syslog`` plugins.
+
+        Resources:
+            - https://github.com/canonical/snapcraft
+            - https://en.wikipedia.org/wiki/Snap_(software)
+
+        Yields ``UnixApplicationRecord`` records with the following fields:
+
+        .. code-block:: text
+
+            ts_modified  (datetime): timestamp when the installation was modified
+            name         (string):   name of the application
+            version      (string):   version of the application
+            path         (string):   path to the application snap file
+        """
+
+        for install_path in self.installs:
+            for snap in install_path.glob("*.snap"):
+                try:
+                    squashfs = SquashFSFilesystem(snap.open())
+
+                except (ValueError, NotImplementedError) as e:
+                    self.target.log.warning("Unable to open snap file %s", snap)
+                    self.target.log.debug("", exc_info=e)
+                    continue
+
+                if not (meta := squashfs.path("meta/snap.yaml")).exists():
+                    self.target.log.warning("Snap %s has no meta/snap.yaml file")
+                    continue
+
+                meta_data = configutil.parse(meta, hint="yaml")
+
+                yield UnixApplicationRecord(
+                    ts_modified=meta.lstat().st_mtime,
+                    name=meta_data.get("name"),
+                    version=meta_data.get("version"),
+                    path=snap,
+                    _target=self.target,
+                )

dissect/target/plugins/os/unix/packagemanager.py

@@ -6,7 +6,7 @@ from dissect.target.helpers.record import TargetRecordDescriptor
 from dissect.target.plugin import NamespacePlugin
 
 PackageManagerLogRecord = TargetRecordDescriptor(
-    "unix/log/packagemanager",
+    "unix/packagemanager/log",
     [
         ("datetime", "ts"),
         ("string", "package_manager"),

dissect/target/plugins/os/windows/regf/applications.py

@@ -0,0 +1,62 @@
+from datetime import datetime
+from typing import Iterator
+
+from dissect.target.exceptions import UnsupportedPluginError
+from dissect.target.helpers.record import WindowsApplicationRecord
+from dissect.target.plugin import Plugin, export
+from dissect.target.target import Target
+
+
+class WindowsApplicationsPlugin(Plugin):
+    """Windows Applications plugin."""
+
+    def __init__(self, target: Target):
+        super().__init__(target)
+        self.keys = list(self.target.registry.keys("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall"))
+
+    def check_compatible(self) -> None:
+        if not self.target.has_function("registry"):
+            raise UnsupportedPluginError("No Windows registry found")
+
+        if not self.keys:
+            raise UnsupportedPluginError("No 'Uninstall' registry keys found")
+
+    @export(record=WindowsApplicationRecord)
+    def applications(self) -> Iterator[WindowsApplicationRecord]:
+        """Yields currently installed applications from the Windows registry.
+
+        Use the Windows eventlog plugin (``evtx``, ``evt``) to parse install and uninstall events
+        of applications and services (e.g. ``4697``, ``110707``, ``1034`` and ``11724``).
+
+        Resources:
+            - https://learn.microsoft.com/en-us/windows/win32/msi/uninstall-registry-key
+
+        Yields ``WindowsApplicationRecord`` records with the following fields:
+
+        .. code-block:: text
+
+            ts_modified  (datetime): timestamp when the installation was modified according to the registry
+            ts_installed (datetime): timestamp when the application was installed according to the application
+            name         (string):   name of the application
+            version      (string):   version of the application
+            author       (string):   author of the application
+            type         (string):   type of the application, either user or system
+            path         (string):   path to the installed location or installer of the application
+        """
+        for uninstall in self.keys:
+            for app in uninstall.subkeys():
+                values = {value.name: value.value for value in app.values()}
+
+                if install_date := values.get("InstallDate"):
+                    install_date = datetime.strptime(install_date, "%Y%m%d")
+
+                yield WindowsApplicationRecord(
+                    ts_modified=app.ts,
+                    ts_installed=install_date,
+                    name=values.get("DisplayName") or app.name,
+                    version=values.get("DisplayVersion"),
+                    author=values.get("Publisher"),
+                    type="system" if values.get("SystemComponent") or not values else "user",
+                    path=values.get("DisplayIcon") or values.get("InstallLocation") or values.get("InstallSource"),
+                    _target=self.target,
+                )

{dissect.target-3.20.dev39.dist-info → dissect.target-3.20.dev40.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: dissect.target
-Version: 3.20.dev39
+Version: 3.20.dev40
 Summary: This module ties all other Dissect modules together, it provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets)
 Author-email: Dissect Team <dissect@fox-it.com>
 License: Affero General Public License v3

{dissect.target-3.20.dev39.dist-info → dissect.target-3.20.dev40.dist-info}/RECORD

@@ -60,9 +60,9 @@ dissect/target/helpers/mount.py,sha256=7Y4B0uY2c00p23hmuMKSgwAwxkKcY4spyAMO1kdcV
 dissect/target/helpers/mui.py,sha256=i-7XoHbu4WO2fYapK9yGAMW04rFlgRispknc1KQIS5Q,22258
 dissect/target/helpers/polypath.py,sha256=h8p7m_OCNiQljGwoZh5Aflr9H2ot6CZr6WKq1OSw58o,2175
 dissect/target/helpers/protobuf.py,sha256=b4DsnqrRLrefcDjx7rQno-_LBcwtJXxuKf5RdOegzfE,1537
-dissect/target/helpers/record.py,sha256=7Se6ZV8cvwEaGSjRd9bKhVnUAn4W4KR2eqP6AbQhTH4,5892
+dissect/target/helpers/record.py,sha256=TxG1lwW5N0V-7kuq4s2vnQh-hAbT7rVwwZLf4sIDNjM,6334
 dissect/target/helpers/record_modifier.py,sha256=cRNDhUYMmx4iEKyEr5Pqy9xiFgxr_GBNJPp_omkQsEU,4094
-dissect/target/helpers/regutil.py,sha256=ti-ht2N9UxbMjhUBP2bybY76_dAvbCz0txPBszvSKVw,28171
+dissect/target/helpers/regutil.py,sha256=dnmpceitwTeS-9L8HU_HG5OXMzCcH58o8uhj5olDWyg,28383
 dissect/target/helpers/shell_application_ids.py,sha256=hYxrP-YtHK7ZM0ectJFHfoMB8QUXLbYNKmKXMWLZRlA,38132
 dissect/target/helpers/shell_folder_ids.py,sha256=Behhb8oh0kMxrEk6YYKYigCDZe8Hw5QS6iK_d2hTs2Y,24978
 dissect/target/helpers/utils.py,sha256=K3xVq9D0FwIhTBAuiWN8ph7Pq2GABgG3hOz-3AmKuEA,4244
@@ -195,12 +195,13 @@ dissect/target/plugins/general/users.py,sha256=yy9gvRXfN9BT71v4Xqo5hpwfgN9he9Otu
 dissect/target/plugins/os/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/plugins/os/unix/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/plugins/os/unix/_os.py,sha256=I-waC7Hn9rMJRI2JUDreLnU_LS54Zj3hix7BfJLV-xg,14651
+dissect/target/plugins/os/unix/applications.py,sha256=AUgZRP35FzswGyFyChj2o4dfGO34Amc6nqHgiMEaqdI,3129
 dissect/target/plugins/os/unix/cronjobs.py,sha256=tgWQ3BUZpfyvRzodMwGtwFUdPjZ17k7ZRbZ9Q8wmXPk,3393
 dissect/target/plugins/os/unix/datetime.py,sha256=gKfBdPyUirt3qmVYfOJ1oZXRPn8wRzssbZxR_ARrtk8,1518
 dissect/target/plugins/os/unix/generic.py,sha256=qC4zQiqpm8ilc-d1ITsccOQbbUUM8HylWB4dsFKJjAw,2171
 dissect/target/plugins/os/unix/history.py,sha256=95EXJrD5ko7iFLsYhAwvR-2wDbVBSNsyXsfZKEWMJq8,6533
 dissect/target/plugins/os/unix/locale.py,sha256=l42abqG1nGk90SDRt1DmkvqPvO5L-1GtaEwg6dj89qI,4323
-dissect/target/plugins/os/unix/packagemanager.py,sha256=XKKJuJ1p9mEQ4TGW7SEwcj1rg8fPp2aWIhnt_0i8Rhc,1279
+dissect/target/plugins/os/unix/packagemanager.py,sha256=xmisH9vMY7uR2d6lFVNuWrZrbVnKa6mYk6C3sbcLtlc,1279
 dissect/target/plugins/os/unix/shadow.py,sha256=TVQQcGhPFYV685ouqOagk4P1AsqAHseFN5lWYHPf3tI,4172
 dissect/target/plugins/os/unix/trash.py,sha256=Z-1r5VQorLauj_85TgURRLQI7ns1Q1N_922Vq8q_v18,6106
 dissect/target/plugins/os/unix/bsd/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -240,6 +241,7 @@ dissect/target/plugins/os/unix/linux/debian/__init__.py,sha256=47DEQpj8HBSa-_TIm
 dissect/target/plugins/os/unix/linux/debian/_os.py,sha256=GI19ZqcyfZ1mUYg2NCx93HkZje9MWMU8FYNKQv-G6go,498
 dissect/target/plugins/os/unix/linux/debian/apt.py,sha256=uKfW77pbgxYSe9g6hpih19-xfgvCB954Ygx21j-ydzk,4388
 dissect/target/plugins/os/unix/linux/debian/dpkg.py,sha256=6A3mb77NREdDWDTFrmcfCF_XxHMmD4_5eHqHEl_7Vqg,5816
+dissect/target/plugins/os/unix/linux/debian/snap.py,sha256=YVz1N54eQsj2_22LUJIj6Gg-huwT4xDEcOAZn9Tvgw4,3023
 dissect/target/plugins/os/unix/linux/debian/vyos/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/plugins/os/unix/linux/debian/vyos/_os.py,sha256=TPjcfv1n68RCe3Er4aCVQwQDCZwJT-NLvje3kPjDfhk,1744
 dissect/target/plugins/os/unix/linux/fortios/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -324,6 +326,7 @@ dissect/target/plugins/os/windows/log/pfro.py,sha256=d53Mm7ovZa9crSwVRPwjMVxTd_j
 dissect/target/plugins/os/windows/log/schedlgu.py,sha256=JaP8H8eTEypWXhx2aFSR_IMam6rQiksbLKhMr_U4fz8,5570
 dissect/target/plugins/os/windows/regf/7zip.py,sha256=Ox8cLyQtbyYQS7m4eY3onNv1K8N2IkS5wexrC55Urd4,3444
 dissect/target/plugins/os/windows/regf/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+dissect/target/plugins/os/windows/regf/applications.py,sha256=AZwaLXsVmqMjoZYI3dhYLvJL_8s1k1aRjSgjvqC2AxI,2898
 dissect/target/plugins/os/windows/regf/appxdebugkeys.py,sha256=X8MYLcD76pIZoIWwS_DgUp6q6pi2WO7jhZeoc4uGLak,3966
 dissect/target/plugins/os/windows/regf/auditpol.py,sha256=vTqWw0_vu9p_emWC8FuYcYQpOXhEFQQDLV0K6-18i9c,5208
 dissect/target/plugins/os/windows/regf/bam.py,sha256=jJ0i-82uteBU0hPgs81f8NV8NCeRtIklK82Me2S_ro0,2131
@@ -370,10 +373,10 @@ dissect/target/volumes/luks.py,sha256=OmCMsw6rCUXG1_plnLVLTpsvE1n_6WtoRUGQbpmu1z
 dissect/target/volumes/lvm.py,sha256=wwQVR9I3G9YzmY6UxFsH2Y4MXGBcKL9aayWGCDTiWMU,2269
 dissect/target/volumes/md.py,sha256=7ShPtusuLGaIv27SvEETtgsuoQyAa4iAAeOR1NEaajI,1689
 dissect/target/volumes/vmfs.py,sha256=-LoUbn9WNwTtLi_4K34uV_-wDw2W5hgaqxZNj4UmqAQ,1730
-dissect.target-3.20.dev39.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
-dissect.target-3.20.dev39.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
-dissect.target-3.20.dev39.dist-info/METADATA,sha256=kytETAlhT5qsu2qAkum-3O6NZxRkd7N0Ytx-GwcMqCE,12897
-dissect.target-3.20.dev39.dist-info/WHEEL,sha256=OVMc5UfuAQiSplgO0_WdW7vXVGAt9Hdd6qtN4HotdyA,91
-dissect.target-3.20.dev39.dist-info/entry_points.txt,sha256=BWuxAb_6AvUAQpIQOQU0IMTlaF6TDht2AIZK8bHd-zE,492
-dissect.target-3.20.dev39.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
-dissect.target-3.20.dev39.dist-info/RECORD,,
+dissect.target-3.20.dev40.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
+dissect.target-3.20.dev40.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
+dissect.target-3.20.dev40.dist-info/METADATA,sha256=sfc-H38qJzXkx1449zv0Y7SgicuUfJeki3JFiC6EJ4c,12897
+dissect.target-3.20.dev40.dist-info/WHEEL,sha256=OVMc5UfuAQiSplgO0_WdW7vXVGAt9Hdd6qtN4HotdyA,91
+dissect.target-3.20.dev40.dist-info/entry_points.txt,sha256=BWuxAb_6AvUAQpIQOQU0IMTlaF6TDht2AIZK8bHd-zE,492
+dissect.target-3.20.dev40.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
+dissect.target-3.20.dev40.dist-info/RECORD,,