dissect.target 3.21.dev8__py3-none-any.whl → 3.21.dev10__py3-none-any.whl
Sign up to get free protection for your applications and to get access to all the features.
- dissect/target/plugins/os/windows/catroot.py +8 -2
- dissect/target/plugins/os/windows/regf/cit.py +20 -7
- {dissect.target-3.21.dev8.dist-info → dissect.target-3.21.dev10.dist-info}/METADATA +1 -1
- {dissect.target-3.21.dev8.dist-info → dissect.target-3.21.dev10.dist-info}/RECORD +9 -9
- {dissect.target-3.21.dev8.dist-info → dissect.target-3.21.dev10.dist-info}/COPYRIGHT +0 -0
- {dissect.target-3.21.dev8.dist-info → dissect.target-3.21.dev10.dist-info}/LICENSE +0 -0
- {dissect.target-3.21.dev8.dist-info → dissect.target-3.21.dev10.dist-info}/WHEEL +0 -0
- {dissect.target-3.21.dev8.dist-info → dissect.target-3.21.dev10.dist-info}/entry_points.txt +0 -0
- {dissect.target-3.21.dev8.dist-info → dissect.target-3.21.dev10.dist-info}/top_level.txt +0 -0
|
@@ -227,8 +227,14 @@ class CatrootPlugin(Plugin):
|
|
|
227
227
|
|
|
228
228
|
for record in table.records():
|
|
229
229
|
file_digest = digest()
|
|
230
|
-
|
|
231
|
-
|
|
230
|
+
|
|
231
|
+
try:
|
|
232
|
+
setattr(file_digest, hash_type, record.get("HashCatNameTable_HashCol").hex())
|
|
233
|
+
catroot_names = record.get("HashCatNameTable_CatNameCol").decode().rstrip("|").split("|")
|
|
234
|
+
except Exception as e:
|
|
235
|
+
self.target.log.warning("Unable to parse catroot names for %s in %s", record, ese_file)
|
|
236
|
+
self.target.log.debug("", exc_info=e)
|
|
237
|
+
continue
|
|
232
238
|
|
|
233
239
|
for catroot_name in catroot_names:
|
|
234
240
|
yield CatrootRecord(
|
|
@@ -632,8 +632,8 @@ def local_wintimestamp(target, ts):
|
|
|
632
632
|
class CITPlugin(Plugin):
|
|
633
633
|
"""Plugin that parses CIT data from the registry.
|
|
634
634
|
|
|
635
|
-
|
|
636
|
-
|
|
635
|
+
References:
|
|
636
|
+
- https://dfir.ru/2018/12/02/the-cit-database-and-the-syscache-hive/
|
|
637
637
|
"""
|
|
638
638
|
|
|
639
639
|
__namespace__ = "cit"
|
|
@@ -641,7 +641,7 @@ class CITPlugin(Plugin):
|
|
|
641
641
|
KEY = "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\CIT"
|
|
642
642
|
|
|
643
643
|
def check_compatible(self) -> None:
|
|
644
|
-
if not
|
|
644
|
+
if not list(self.target.registry.keys(self.KEY)):
|
|
645
645
|
raise UnsupportedPluginError("No CIT registry key found")
|
|
646
646
|
|
|
647
647
|
@export(record=get_args(CITRecords))
|
|
@@ -770,8 +770,9 @@ class CITPlugin(Plugin):
|
|
|
770
770
|
yield from _yield_bitmap_records(
|
|
771
771
|
self.target, cit, entry.use_data.bitmaps.foreground, CITProgramBitmapForegroundRecord
|
|
772
772
|
)
|
|
773
|
-
except Exception:
|
|
774
|
-
self.target.log.
|
|
773
|
+
except Exception as e:
|
|
774
|
+
self.target.log.warning("Failed to parse CIT value: %s", value.name)
|
|
775
|
+
self.target.log.debug("", exc_info=e)
|
|
775
776
|
|
|
776
777
|
@export(record=CITPostUpdateUseInfoRecord)
|
|
777
778
|
def puu(self) -> Iterator[CITPostUpdateUseInfoRecord]:
|
|
@@ -788,10 +789,16 @@ class CITPlugin(Plugin):
|
|
|
788
789
|
for reg_key in keys:
|
|
789
790
|
for key in self.target.registry.keys(reg_key):
|
|
790
791
|
try:
|
|
791
|
-
|
|
792
|
+
key_value = key.value("PUUActive").value
|
|
793
|
+
puu = c_cit.CIT_POST_UPDATE_USE_INFO(key_value)
|
|
792
794
|
except RegistryValueNotFoundError:
|
|
793
795
|
continue
|
|
794
796
|
|
|
797
|
+
except EOFError as e:
|
|
798
|
+
self.target.log.warning("Exception reading CIT structure in key %s", key.path)
|
|
799
|
+
self.target.log.debug("Unable to parse value %s", key_value, exc_info=e)
|
|
800
|
+
continue
|
|
801
|
+
|
|
795
802
|
yield CITPostUpdateUseInfoRecord(
|
|
796
803
|
log_time_start=wintimestamp(puu.LogTimeStart),
|
|
797
804
|
update_key=puu.UpdateKey,
|
|
@@ -852,10 +859,16 @@ class CITPlugin(Plugin):
|
|
|
852
859
|
for reg_key in keys:
|
|
853
860
|
for key in self.target.registry.keys(reg_key):
|
|
854
861
|
try:
|
|
855
|
-
|
|
862
|
+
key_value = key.value("DP").value
|
|
863
|
+
dp = c_cit.CIT_DP_DATA(key_value)
|
|
856
864
|
except RegistryValueNotFoundError:
|
|
857
865
|
continue
|
|
858
866
|
|
|
867
|
+
except EOFError as e:
|
|
868
|
+
self.target.log.warning("Exception reading CIT structure in key %s", key.path)
|
|
869
|
+
self.target.log.debug("Unable to parse value %s", key_value, exc_info=e)
|
|
870
|
+
continue
|
|
871
|
+
|
|
859
872
|
user = self.target.registry.get_user(key)
|
|
860
873
|
log_time_start = wintimestamp(dp.LogTimeStart)
|
|
861
874
|
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
Metadata-Version: 2.1
|
|
2
2
|
Name: dissect.target
|
|
3
|
-
Version: 3.21.
|
|
3
|
+
Version: 3.21.dev10
|
|
4
4
|
Summary: This module ties all other Dissect modules together, it provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets)
|
|
5
5
|
Author-email: Dissect Team <dissect@fox-it.com>
|
|
6
6
|
License: Affero General Public License v3
|
|
@@ -281,7 +281,7 @@ dissect/target/plugins/os/windows/_os.py,sha256=SUTfCPEVi2ADfjsQQJad6dEsnKUzRtsK
|
|
|
281
281
|
dissect/target/plugins/os/windows/activitiescache.py,sha256=_I-rc7hAKRgqfFexsJq5nkIAV3E31byG4KeBQeDBehg,7051
|
|
282
282
|
dissect/target/plugins/os/windows/adpolicy.py,sha256=ul8lKlG9ExABnd6yVLMPFFgVxN74CG4T3MvcRuBLHJc,7158
|
|
283
283
|
dissect/target/plugins/os/windows/amcache.py,sha256=1jq-S80_FIzGegrqQ6HqrjmaAPTyxyn69HxnbRBlaUc,27608
|
|
284
|
-
dissect/target/plugins/os/windows/catroot.py,sha256=
|
|
284
|
+
dissect/target/plugins/os/windows/catroot.py,sha256=59KfdNPcoA5NQtpj4_e3wzPDsyB1RYIu049UeIhLuEk,11390
|
|
285
285
|
dissect/target/plugins/os/windows/cim.py,sha256=jsrpu6TZpBUh7VWI9AV2Ib5bebTwsvqOwRfa5gjJd7c,3056
|
|
286
286
|
dissect/target/plugins/os/windows/clfs.py,sha256=begVsZ-CY97Ksh6S1g03LjyBgu8ERY2hfNDWYPj0GXI,4872
|
|
287
287
|
dissect/target/plugins/os/windows/datetime.py,sha256=YKHUZU6lkKJocq15y0yCwvIIOb1Ej-kfvEBmHbrdIGw,9467
|
|
@@ -339,7 +339,7 @@ dissect/target/plugins/os/windows/regf/applications.py,sha256=AZwaLXsVmqMjoZYI3d
|
|
|
339
339
|
dissect/target/plugins/os/windows/regf/appxdebugkeys.py,sha256=X8MYLcD76pIZoIWwS_DgUp6q6pi2WO7jhZeoc4uGLak,3966
|
|
340
340
|
dissect/target/plugins/os/windows/regf/auditpol.py,sha256=vTqWw0_vu9p_emWC8FuYcYQpOXhEFQQDLV0K6-18i9c,5208
|
|
341
341
|
dissect/target/plugins/os/windows/regf/bam.py,sha256=jJ0i-82uteBU0hPgs81f8NV8NCeRtIklK82Me2S_ro0,2131
|
|
342
|
-
dissect/target/plugins/os/windows/regf/cit.py,sha256=
|
|
342
|
+
dissect/target/plugins/os/windows/regf/cit.py,sha256=WYuwzTJKSR8Ki0582zpTpRUApx_J3OIYFWivKgqH-Is,39178
|
|
343
343
|
dissect/target/plugins/os/windows/regf/clsid.py,sha256=ellokL8H7TR8XkGqqWraJ3bL0qP5RJrjNsp4JeBLU7A,3810
|
|
344
344
|
dissect/target/plugins/os/windows/regf/firewall.py,sha256=86JvlBc418nHB5l3IkbEnTw6zr-H5pEGEoZ8fBhmeLE,3231
|
|
345
345
|
dissect/target/plugins/os/windows/regf/mru.py,sha256=JzjwaV3Pbza2oOVILrnqcmPKCq2rGIGFwRpJW8Yc1p0,13840
|
|
@@ -382,10 +382,10 @@ dissect/target/volumes/luks.py,sha256=OmCMsw6rCUXG1_plnLVLTpsvE1n_6WtoRUGQbpmu1z
|
|
|
382
382
|
dissect/target/volumes/lvm.py,sha256=wwQVR9I3G9YzmY6UxFsH2Y4MXGBcKL9aayWGCDTiWMU,2269
|
|
383
383
|
dissect/target/volumes/md.py,sha256=7ShPtusuLGaIv27SvEETtgsuoQyAa4iAAeOR1NEaajI,1689
|
|
384
384
|
dissect/target/volumes/vmfs.py,sha256=-LoUbn9WNwTtLi_4K34uV_-wDw2W5hgaqxZNj4UmqAQ,1730
|
|
385
|
-
dissect.target-3.21.
|
|
386
|
-
dissect.target-3.21.
|
|
387
|
-
dissect.target-3.21.
|
|
388
|
-
dissect.target-3.21.
|
|
389
|
-
dissect.target-3.21.
|
|
390
|
-
dissect.target-3.21.
|
|
391
|
-
dissect.target-3.21.
|
|
385
|
+
dissect.target-3.21.dev10.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
|
|
386
|
+
dissect.target-3.21.dev10.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
|
|
387
|
+
dissect.target-3.21.dev10.dist-info/METADATA,sha256=x7oCqqHw_L7qxh0mZUQ1G0o-eRng9YQxC3EmtIfoXbo,13187
|
|
388
|
+
dissect.target-3.21.dev10.dist-info/WHEEL,sha256=PZUExdf71Ui_so67QXpySuHtCi3-J3wvF4ORK6k_S8U,91
|
|
389
|
+
dissect.target-3.21.dev10.dist-info/entry_points.txt,sha256=BWuxAb_6AvUAQpIQOQU0IMTlaF6TDht2AIZK8bHd-zE,492
|
|
390
|
+
dissect.target-3.21.dev10.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
|
|
391
|
+
dissect.target-3.21.dev10.dist-info/RECORD,,
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|