dissect.target 3.21.dev8__py3-none-any.whl → 3.21.dev10__py3-none-any.whl
- dissect/target/plugins/os/windows/catroot.py +8 -2
- dissect/target/plugins/os/windows/regf/cit.py +20 -7
- {dissect.target-3.21.dev8.dist-info → dissect.target-3.21.dev10.dist-info}/METADATA +1 -1
- {dissect.target-3.21.dev8.dist-info → dissect.target-3.21.dev10.dist-info}/RECORD +9 -9
- {dissect.target-3.21.dev8.dist-info → dissect.target-3.21.dev10.dist-info}/COPYRIGHT +0 -0
- {dissect.target-3.21.dev8.dist-info → dissect.target-3.21.dev10.dist-info}/LICENSE +0 -0
- {dissect.target-3.21.dev8.dist-info → dissect.target-3.21.dev10.dist-info}/WHEEL +0 -0
- {dissect.target-3.21.dev8.dist-info → dissect.target-3.21.dev10.dist-info}/entry_points.txt +0 -0
- {dissect.target-3.21.dev8.dist-info → dissect.target-3.21.dev10.dist-info}/top_level.txt +0 -0
| @@ -227,8 +227,14 @@ class CatrootPlugin(Plugin): | |
| 227 227 |  | 
| 228 228 | 
             
                                for record in table.records():
         | 
| 229 229 | 
             
                                    file_digest = digest()
         | 
| 230 | 
            -
             | 
| 231 | 
            -
                                     | 
| 230 | 
            +
             | 
| 231 | 
            +
                                    try:
         | 
| 232 | 
            +
                                        setattr(file_digest, hash_type, record.get("HashCatNameTable_HashCol").hex())
         | 
| 233 | 
            +
                                        catroot_names = record.get("HashCatNameTable_CatNameCol").decode().rstrip("|").split("|")
         | 
| 234 | 
            +
                                    except Exception as e:
         | 
| 235 | 
            +
                                        self.target.log.warning("Unable to parse catroot names for %s in %s", record, ese_file)
         | 
| 236 | 
            +
                                        self.target.log.debug("", exc_info=e)
         | 
| 237 | 
            +
                                        continue
         | 
| 232 238 |  | 
| 233 239 | 
             
                                    for catroot_name in catroot_names:
         | 
| 234 240 | 
             
                                        yield CatrootRecord(
         | 
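Review bot: The new `except Exception` around the two `record.get(...)` calls is broader than the failures this parse is likely to produce, and it drops the whole record even when `HashCatNameTable_HashCol` was read successfully. Catroot databases come from the evidence under examination, so a damaged or tampered `HashCatNameTable_CatNameCol` now removes that hash from the output with only a warning. Consider narrowing to what is presumably raised here, `except (AttributeError, UnicodeDecodeError) as e:`, and decoding with `.decode(errors="backslashreplace")` so the record is still yielded. The empty `debug("", exc_info=e)` message would be easier to find in a log as `self.target.log.debug("catroot record parse failure", exc_info=e)`. The enclosing loop starts and ends outside the hunk.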
| @@ -632,8 +632,8 @@ def local_wintimestamp(target, ts): | |
| 632 632 | 
             
            class CITPlugin(Plugin):
         | 
| 633 633 | 
             
                """Plugin that parses CIT data from the registry.
         | 
| 634 634 |  | 
| 635 | 
            -
                 | 
| 636 | 
            -
             | 
| 635 | 
            +
                References:
         | 
| 636 | 
            +
                    - https://dfir.ru/2018/12/02/the-cit-database-and-the-syscache-hive/
         | 
| 637 637 | 
             
                """
         | 
| 638 638 |  | 
| 639 639 | 
             
                __namespace__ = "cit"
         | 
| @@ -641,7 +641,7 @@ class CITPlugin(Plugin): | |
| 641 641 | 
             
                KEY = "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\CIT"
         | 
| 642 642 |  | 
| 643 643 | 
             
                def check_compatible(self) -> None:
         | 
| 644 | 
            -
                    if not  | 
| 644 | 
            +
                    if not list(self.target.registry.keys(self.KEY)):
         | 
| 645 645 | 
             
                        raise UnsupportedPluginError("No CIT registry key found")
         | 
| 646 646 |  | 
| 647 647 | 
             
                @export(record=get_args(CITRecords))
         | 
| @@ -770,8 +770,9 @@ class CITPlugin(Plugin): | |
| 770 770 | 
             
                                    yield from _yield_bitmap_records(
         | 
| 771 771 | 
             
                                        self.target, cit, entry.use_data.bitmaps.foreground, CITProgramBitmapForegroundRecord
         | 
| 772 772 | 
             
                                    )
         | 
| 773 | 
            -
                            except Exception:
         | 
| 774 | 
            -
                                self.target.log. | 
| 773 | 
            +
                            except Exception as e:
         | 
| 774 | 
            +
                                self.target.log.warning("Failed to parse CIT value: %s", value.name)
         | 
| 775 | 
            +
                                self.target.log.debug("", exc_info=e)
         | 
| 775 776 |  | 
| 776 777 | 
             
                @export(record=CITPostUpdateUseInfoRecord)
         | 
| 777 778 | 
             
                def puu(self) -> Iterator[CITPostUpdateUseInfoRecord]:
         | 
| @@ -788,10 +789,16 @@ class CITPlugin(Plugin): | |
| 788 789 | 
             
                    for reg_key in keys:
         | 
| 789 790 | 
             
                        for key in self.target.registry.keys(reg_key):
         | 
| 790 791 | 
             
                            try:
         | 
| 791 | 
            -
                                 | 
| 792 | 
            +
                                key_value = key.value("PUUActive").value
         | 
| 793 | 
            +
                                puu = c_cit.CIT_POST_UPDATE_USE_INFO(key_value)
         | 
| 792 794 | 
             
                            except RegistryValueNotFoundError:
         | 
| 793 795 | 
             
                                continue
         | 
| 794 796 |  | 
| 797 | 
            +
                            except EOFError as e:
         | 
| 798 | 
            +
                                self.target.log.warning("Exception reading CIT structure in key %s", key.path)
         | 
| 799 | 
            +
                                self.target.log.debug("Unable to parse value %s", key_value, exc_info=e)
         | 
| 800 | 
            +
                                continue
         | 
| 801 | 
            +
             | 
| 795 802 | 
             
                            yield CITPostUpdateUseInfoRecord(
         | 
| 796 803 | 
             
                                log_time_start=wintimestamp(puu.LogTimeStart),
         | 
| 797 804 | 
             
                                update_key=puu.UpdateKey,
         | 
| @@ -852,10 +859,16 @@ class CITPlugin(Plugin): | |
| 852 859 | 
             
                    for reg_key in keys:
         | 
| 853 860 | 
             
                        for key in self.target.registry.keys(reg_key):
         | 
| 854 861 | 
             
                            try:
         | 
| 855 | 
            -
                                 | 
| 862 | 
            +
                                key_value = key.value("DP").value
         | 
| 863 | 
            +
                                dp = c_cit.CIT_DP_DATA(key_value)
         | 
| 856 864 | 
             
                            except RegistryValueNotFoundError:
         | 
| 857 865 | 
             
                                continue
         | 
| 858 866 |  | 
| 867 | 
            +
                            except EOFError as e:
         | 
| 868 | 
            +
                                self.target.log.warning("Exception reading CIT structure in key %s", key.path)
         | 
| 869 | 
            +
                                self.target.log.debug("Unable to parse value %s", key_value, exc_info=e)
         | 
| 870 | 
            +
                                continue
         | 
| 871 | 
            +
             | 
| 859 872 | 
             
                            user = self.target.registry.get_user(key)
         | 
| 860 873 | 
             
                            log_time_start = wintimestamp(dp.LogTimeStart)
         | 
| 861 874 |  | 
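Review bot: In the `puu` hunk the `except EOFError` handler logs `key_value`, which is bound only once `key.value("PUUActive").value` has returned. If the EOFError comes from reading the value itself (plausible on a truncated hive, though the reader is not visible here), the handler raises `UnboundLocalError` on the first key or logs the previous key's bytes on later ones. Binding `key_value = None` immediately before `try:` avoids both, and the same applies to the `DP` hunk at `@@ -852`. Only `EOFError` is handled here while the hunk at `@@ -770` catches `Exception`, so other parse failures on a corrupt structure would still abort the generator; the diff does not show whether that is intended. Both method bodies continue outside their hunks.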
| @@ -1,6 +1,6 @@ | |
| 1 1 | 
             
            Metadata-Version: 2.1
         | 
| 2 2 | 
             
            Name: dissect.target
         | 
| 3 | 
            -
            Version: 3.21. | 
| 3 | 
            +
            Version: 3.21.dev10
         | 
| 4 4 | 
             
            Summary: This module ties all other Dissect modules together, it provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets)
         | 
| 5 5 | 
             
            Author-email: Dissect Team <dissect@fox-it.com>
         | 
| 6 6 | 
             
            License: Affero General Public License v3
         | 
| @@ -281,7 +281,7 @@ dissect/target/plugins/os/windows/_os.py,sha256=SUTfCPEVi2ADfjsQQJad6dEsnKUzRtsK | |
| 281 281 | 
             
            dissect/target/plugins/os/windows/activitiescache.py,sha256=_I-rc7hAKRgqfFexsJq5nkIAV3E31byG4KeBQeDBehg,7051
         | 
| 282 282 | 
             
            dissect/target/plugins/os/windows/adpolicy.py,sha256=ul8lKlG9ExABnd6yVLMPFFgVxN74CG4T3MvcRuBLHJc,7158
         | 
| 283 283 | 
             
            dissect/target/plugins/os/windows/amcache.py,sha256=1jq-S80_FIzGegrqQ6HqrjmaAPTyxyn69HxnbRBlaUc,27608
         | 
| 284 | 
            -
            dissect/target/plugins/os/windows/catroot.py,sha256= | 
| 284 | 
            +
            dissect/target/plugins/os/windows/catroot.py,sha256=59KfdNPcoA5NQtpj4_e3wzPDsyB1RYIu049UeIhLuEk,11390
         | 
| 285 285 | 
             
            dissect/target/plugins/os/windows/cim.py,sha256=jsrpu6TZpBUh7VWI9AV2Ib5bebTwsvqOwRfa5gjJd7c,3056
         | 
| 286 286 | 
             
            dissect/target/plugins/os/windows/clfs.py,sha256=begVsZ-CY97Ksh6S1g03LjyBgu8ERY2hfNDWYPj0GXI,4872
         | 
| 287 287 | 
             
            dissect/target/plugins/os/windows/datetime.py,sha256=YKHUZU6lkKJocq15y0yCwvIIOb1Ej-kfvEBmHbrdIGw,9467
         | 
| @@ -339,7 +339,7 @@ dissect/target/plugins/os/windows/regf/applications.py,sha256=AZwaLXsVmqMjoZYI3d | |
| 339 339 | 
             
            dissect/target/plugins/os/windows/regf/appxdebugkeys.py,sha256=X8MYLcD76pIZoIWwS_DgUp6q6pi2WO7jhZeoc4uGLak,3966
         | 
| 340 340 | 
             
            dissect/target/plugins/os/windows/regf/auditpol.py,sha256=vTqWw0_vu9p_emWC8FuYcYQpOXhEFQQDLV0K6-18i9c,5208
         | 
| 341 341 | 
             
            dissect/target/plugins/os/windows/regf/bam.py,sha256=jJ0i-82uteBU0hPgs81f8NV8NCeRtIklK82Me2S_ro0,2131
         | 
| 342 | 
            -
            dissect/target/plugins/os/windows/regf/cit.py,sha256= | 
| 342 | 
            +
            dissect/target/plugins/os/windows/regf/cit.py,sha256=WYuwzTJKSR8Ki0582zpTpRUApx_J3OIYFWivKgqH-Is,39178
         | 
| 343 343 | 
             
            dissect/target/plugins/os/windows/regf/clsid.py,sha256=ellokL8H7TR8XkGqqWraJ3bL0qP5RJrjNsp4JeBLU7A,3810
         | 
| 344 344 | 
             
            dissect/target/plugins/os/windows/regf/firewall.py,sha256=86JvlBc418nHB5l3IkbEnTw6zr-H5pEGEoZ8fBhmeLE,3231
         | 
| 345 345 | 
             
            dissect/target/plugins/os/windows/regf/mru.py,sha256=JzjwaV3Pbza2oOVILrnqcmPKCq2rGIGFwRpJW8Yc1p0,13840
         | 
| @@ -382,10 +382,10 @@ dissect/target/volumes/luks.py,sha256=OmCMsw6rCUXG1_plnLVLTpsvE1n_6WtoRUGQbpmu1z | |
| 382 382 | 
             
            dissect/target/volumes/lvm.py,sha256=wwQVR9I3G9YzmY6UxFsH2Y4MXGBcKL9aayWGCDTiWMU,2269
         | 
| 383 383 | 
             
            dissect/target/volumes/md.py,sha256=7ShPtusuLGaIv27SvEETtgsuoQyAa4iAAeOR1NEaajI,1689
         | 
| 384 384 | 
             
            dissect/target/volumes/vmfs.py,sha256=-LoUbn9WNwTtLi_4K34uV_-wDw2W5hgaqxZNj4UmqAQ,1730
         | 
| 385 | 
            -
            dissect.target-3.21. | 
| 386 | 
            -
            dissect.target-3.21. | 
| 387 | 
            -
            dissect.target-3.21. | 
| 388 | 
            -
            dissect.target-3.21. | 
| 389 | 
            -
            dissect.target-3.21. | 
| 390 | 
            -
            dissect.target-3.21. | 
| 391 | 
            -
            dissect.target-3.21. | 
| 385 | 
            +
            dissect.target-3.21.dev10.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
         | 
| 386 | 
            +
            dissect.target-3.21.dev10.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
         | 
| 387 | 
            +
            dissect.target-3.21.dev10.dist-info/METADATA,sha256=x7oCqqHw_L7qxh0mZUQ1G0o-eRng9YQxC3EmtIfoXbo,13187
         | 
| 388 | 
            +
            dissect.target-3.21.dev10.dist-info/WHEEL,sha256=PZUExdf71Ui_so67QXpySuHtCi3-J3wvF4ORK6k_S8U,91
         | 
| 389 | 
            +
            dissect.target-3.21.dev10.dist-info/entry_points.txt,sha256=BWuxAb_6AvUAQpIQOQU0IMTlaF6TDht2AIZK8bHd-zE,492
         | 
| 390 | 
            +
            dissect.target-3.21.dev10.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
         | 
| 391 | 
            +
            dissect.target-3.21.dev10.dist-info/RECORD,,
         | 
| 
            File without changes
         | 
| 
            File without changes
         | 
| 
            File without changes
         | 
| 
            File without changes
         | 
| 
            File without changes
         |