dissect.target 3.20.dev59__py3-none-any.whl → 3.20.dev61__py3-none-any.whl

dissect/target/plugins/os/windows/log/mssql.py

@@ -0,0 +1,103 @@
+import re
+from datetime import datetime, timezone
+from typing import Iterator
+
+from dissect.target.exceptions import UnsupportedPluginError
+from dissect.target.helpers.fsutil import TargetPath
+from dissect.target.helpers.record import TargetRecordDescriptor
+from dissect.target.plugin import Plugin, export
+from dissect.target.target import Target
+
+MssqlErrorlogRecord = TargetRecordDescriptor(
+    "microsoft/sql/errorlog",
+    [
+        ("datetime", "ts"),
+        ("string", "instance"),
+        ("string", "process"),
+        ("string", "message"),
+        ("path", "path"),
+    ],
+)
+
+RE_TIMESTAMP_PATTERN = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}.\d{2}")
+
+
+class MssqlPlugin(Plugin):
+    """Return information related to Microsoft SQL Server.
+
+    Currently returns ERRORLOG messages. These log files contain information such as:
+        - Logon failures
+        - Enabling/disabling of features, such as xp_cmdshell
+
+    References:
+        - https://learn.microsoft.com/en-us/sql/relational-databases/logs/view-offline-log-files
+    """
+
+    __namespace__ = "mssql"
+
+    MSSQL_KEY = "HKLM\\SOFTWARE\\Microsoft\\Microsoft SQL Server"
+    FILE_GLOB = "ERRORLOG*"
+
+    def __init__(self, target: Target):
+        super().__init__(target)
+        self.instances = self._find_instances()
+
+    def check_compatible(self) -> None:
+        if not self.instances:
+            raise UnsupportedPluginError("System does not seem to be running SQL Server")
+
+    @export(record=MssqlErrorlogRecord)
+    def errorlog(self) -> Iterator[MssqlErrorlogRecord]:
+        """Return all Microsoft SQL Server ERRORLOG messages.
+
+        These log files contain information such as:
+         - Logon failures
+         - Enabling/disabling of features, such as xp_cmdshell
+
+        Yields MssqlErrorlogRecord instances with fields:
+
+        .. code-block:: text
+
+            ts (datetime): Timestamp of the log line.
+            instance (str): SQL Server instance name.
+            process (str): Process name.
+            message (str): Log message.
+            path (Path): Path to the log file.
+
+        References:
+            - https://learn.microsoft.com/en-us/sql/relational-databases/logs/view-offline-log-files
+        """
+
+        for instance, log_path in self.instances:
+            for errorlog in log_path.glob(self.FILE_GLOB):
+                # The errorlog includes a BOM, so endianess gets determined automatically
+                fh = errorlog.open(mode="rt", encoding="utf-16", errors="surrogateescape")
+                buf = ""
+
+                for line in fh:
+                    if ts := RE_TIMESTAMP_PATTERN.match(line):
+                        yield MssqlErrorlogRecord(
+                            ts=datetime.strptime(ts.group(), "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc),
+                            instance=instance,
+                            # The process name is a fixed-width field and is always 12 characters long.
+                            process=buf[23:35].strip(),
+                            message=buf[35:].strip(),
+                            path=errorlog,
+                            _target=self.target,
+                        )
+                        buf = ""
+
+                    buf += line
+
+    def _find_instances(self) -> list[str, TargetPath]:
+        instances = []
+
+        for subkey in self.target.registry.key(self.MSSQL_KEY).subkeys():
+            if subkey.name.startswith("MSSQL") and "." in subkey.name:
+                instances.append(
+                    (
+                        subkey.name,
+                        self.target.fs.path(subkey.subkey("SQLServerAgent").value("ErrorLogFile").value).parent,
+                    )
+                )
+        return instances

dissect/target/plugins/os/windows/network.py

@@ -257,7 +257,8 @@ class WindowsNetworkPlugin(NetworkPlugin):
                     continue
 
                 # Extract the network device configuration for given interface id
-                config = self._extract_network_device_config(net_cfg_instance_id)
+                if not (config := self._extract_network_device_config(net_cfg_instance_id)):
+                    continue
 
                 # Extract a network device name for given interface id
                 try:
@@ -313,9 +314,7 @@ class WindowsNetworkPlugin(NetworkPlugin):
                         _target=self.target,
                     )
 
-    def _extract_network_device_config(
-        self, interface_id: str
-    ) -> list[dict[str, str | list], dict[str, str | list]] | None:
+    def _extract_network_device_config(self, interface_id: str) -> list[dict[str, set | bool | None]]:
         """Extract network device configuration from the given interface_id for all ControlSets on the system."""
 
         dhcp_config = {
@@ -344,10 +343,10 @@ class WindowsNetworkPlugin(NetworkPlugin):
                 )
             )
         except RegistryKeyNotFoundError:
-            return None
+            return []
 
         if not len(keys):
-            return None
+            return []
 
         for key in keys:
             # Extract DHCP configuration from the registry

{dissect.target-3.20.dev59.dist-info → dissect.target-3.20.dev61.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: dissect.target
-Version: 3.20.dev59
+Version: 3.20.dev61
 Summary: This module ties all other Dissect modules together, it provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets)
 Author-email: Dissect Team <dissect@fox-it.com>
 License: Affero General Public License v3

{dissect.target-3.20.dev59.dist-info → dissect.target-3.20.dev61.dist-info}/RECORD

@@ -128,6 +128,7 @@ dissect/target/plugins/apps/browser/firefox.py,sha256=mZBBagFfIdiz9kUyK4Hi989I4g
 dissect/target/plugins/apps/browser/iexplore.py,sha256=g_xw0toaiyjevxO8g9XPCOqc-CXZp39FVquRhPFGdTE,8801
 dissect/target/plugins/apps/container/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/plugins/apps/container/docker.py,sha256=LTsZplaECSfO1Ysp_Y-9WsnNocsreu_iHO8fbSif3g0,16221
+dissect/target/plugins/apps/database/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/plugins/apps/editor/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/plugins/apps/editor/editor.py,sha256=yJctXY0XTfwW3GKy6XLO2WaWFQLssdBck9ZOcZSyf80,495
 dissect/target/plugins/apps/editor/windowsnotepad.py,sha256=A9cfFrqbU2zjHRrzYsCnXr-uxKAIsVIKdXXJPYMt6MU,15068
@@ -288,7 +289,7 @@ dissect/target/plugins/os/windows/generic.py,sha256=RJ1znzsIa4CFxmdMh91SjMY_pnjw
 dissect/target/plugins/os/windows/jumplist.py,sha256=3gZk6O1B3lKK2Jxe0B-HapOCEehk94CYNvCVDpQC9nQ,11773
 dissect/target/plugins/os/windows/lnk.py,sha256=KTqhw0JMW-KjAxe4xlRDNSRSx-th-_nPVgTGyBaKmW0,7891
 dissect/target/plugins/os/windows/locale.py,sha256=QiLWGgWrGBGHiXgep5iSOo6VNim4YC-xd4MdW0BUJPA,2486
-dissect/target/plugins/os/windows/network.py,sha256=cffJmQwHJmTAGZkAEKKGxNi1ZYLiDomfOcPczZn85Fo,11284
+dissect/target/plugins/os/windows/network.py,sha256=ni-qK1PyA3UJD3lRJZGEBLAXcwDVKXPa3rIor9G5OSw,11283
 dissect/target/plugins/os/windows/notifications.py,sha256=xxfMEY_noDxMVqvT3QS1a3j-X3qAYikOtT6v2owxuCY,17480
 dissect/target/plugins/os/windows/prefetch.py,sha256=wbbYoy05gWbJfRsM2ci4wPG7kM58OocVwXD3hkQlbRw,10647
 dissect/target/plugins/os/windows/recyclebin.py,sha256=zx58hDCvcrD_eJl9nJmr_i80krSN03ya8nQzWFr2Tw0,4917
@@ -327,6 +328,7 @@ dissect/target/plugins/os/windows/log/amcache.py,sha256=TabtjNx9Ve-u-Fn0K95A0v_S
 dissect/target/plugins/os/windows/log/etl.py,sha256=t5GpunjzYMvAO9CBOP1ynH6053_PlasnIEIvlLNLU10,7255
 dissect/target/plugins/os/windows/log/evt.py,sha256=pYRVK3u309yK5pJoogohHWV2a_Lev8FK2zte_ys4SN8,7133
 dissect/target/plugins/os/windows/log/evtx.py,sha256=eSnMkU7HRmIDZ19WRsF9li08HuEOo51pRJDN2JOua5U,6148
+dissect/target/plugins/os/windows/log/mssql.py,sha256=sn9LZvKTaam15G1Vl2BZp2P6uph7_jw03L8P9NjlMKw,3745
 dissect/target/plugins/os/windows/log/pfro.py,sha256=d53Mm7ovZa9crSwVRPwjMVxTd_jCGtE1Kv07GslX9_s,2789
 dissect/target/plugins/os/windows/log/schedlgu.py,sha256=JaP8H8eTEypWXhx2aFSR_IMam6rQiksbLKhMr_U4fz8,5570
 dissect/target/plugins/os/windows/regf/7zip.py,sha256=Ox8cLyQtbyYQS7m4eY3onNv1K8N2IkS5wexrC55Urd4,3444
@@ -378,10 +380,10 @@ dissect/target/volumes/luks.py,sha256=OmCMsw6rCUXG1_plnLVLTpsvE1n_6WtoRUGQbpmu1z
 dissect/target/volumes/lvm.py,sha256=wwQVR9I3G9YzmY6UxFsH2Y4MXGBcKL9aayWGCDTiWMU,2269
 dissect/target/volumes/md.py,sha256=7ShPtusuLGaIv27SvEETtgsuoQyAa4iAAeOR1NEaajI,1689
 dissect/target/volumes/vmfs.py,sha256=-LoUbn9WNwTtLi_4K34uV_-wDw2W5hgaqxZNj4UmqAQ,1730
-dissect.target-3.20.dev59.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
-dissect.target-3.20.dev59.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
-dissect.target-3.20.dev59.dist-info/METADATA,sha256=jkede6QAkD-RIMxW9TfSPDOO8cQxqBbjazWLI3vudys,13025
-dissect.target-3.20.dev59.dist-info/WHEEL,sha256=a7TGlA-5DaHMRrarXjVbQagU3Man_dCnGIWMJr5kRWo,91
-dissect.target-3.20.dev59.dist-info/entry_points.txt,sha256=BWuxAb_6AvUAQpIQOQU0IMTlaF6TDht2AIZK8bHd-zE,492
-dissect.target-3.20.dev59.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
-dissect.target-3.20.dev59.dist-info/RECORD,,
+dissect.target-3.20.dev61.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
+dissect.target-3.20.dev61.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
+dissect.target-3.20.dev61.dist-info/METADATA,sha256=-UoGAGzSWeMRJrJOnPGHVZc5KAIQZmIlaomMH2tLE68,13025
+dissect.target-3.20.dev61.dist-info/WHEEL,sha256=R06PA3UVYHThwHvxuRWMqaGcr-PuniXahwjmQRFMEkY,91
+dissect.target-3.20.dev61.dist-info/entry_points.txt,sha256=BWuxAb_6AvUAQpIQOQU0IMTlaF6TDht2AIZK8bHd-zE,492
+dissect.target-3.20.dev61.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
+dissect.target-3.20.dev61.dist-info/RECORD,,

{dissect.target-3.20.dev59.dist-info → dissect.target-3.20.dev61.dist-info}/WHEEL

@@ -1,5 +1,5 @@
 Wheel-Version: 1.0
-Generator: setuptools (75.4.0)
+Generator: setuptools (75.5.0)
 Root-Is-Purelib: true
 Tag: py3-none-any