dissect.target 3.9.dev11__py3-none-any.whl → 3.9.dev13__py3-none-any.whl

@@ -140,3 +140,4 @@ if TARGETD_AVAILABLE:
140
140
  targetd.easy_connect_remoting(remoting, link, caller.peers)
141
141
  func = getattr(targetd.rpcs, targetd.command)
142
142
  caller.output = list(func())
143
+ targetd.close()
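Review bot: The added `targetd.close()` runs only when `list(func())` returns normally, so an exception from the `getattr(targetd.rpcs, targetd.command)` lookup or from the RPC call itself leaves the remoting connection open. Putting the lookup and call under `try:` and the close under `finally: targetd.close()` would release the connection on every path. The enclosing function starts outside this hunk, so whether a caller already cleans up on error is not visible here.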
File without changes
@@ -1,30 +1,34 @@
1
- from flow.record.fieldtypes import uri
2
-
3
1
  from dissect.target.exceptions import UnsupportedPluginError
4
2
  from dissect.target.helpers.descriptor_extensions import UserRecordDescriptorExtension
5
3
  from dissect.target.helpers.record import create_extended_descriptor
6
4
  from dissect.target.plugin import Plugin, export
7
5
 
8
6
  ConsoleHostHistoryRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
9
- "filesystem/windows/powershell/history",
7
+ "powershell/history",
10
8
  [
11
- ("datetime", "last_modified"),
9
+ ("datetime", "mtime"),
12
10
  ("string", "command"),
13
- ("uri", "path"),
11
+ ("path", "source"),
14
12
  ],
15
13
  )
16
14
 
17
15
 
18
16
  class PowerShellHistoryPlugin(Plugin):
17
+ PATHS = [
18
+ "AppData/Roaming/Microsoft/Windows/PowerShell/psreadline",
19
+ ".local/share/powershell/PSReadLine",
20
+ ]
21
+
19
22
  def __init__(self, target):
20
23
  super().__init__(target)
24
+
21
25
  self._history = []
26
+
22
27
  for user_details in target.user_details.all_with_home():
23
- history_path = user_details.home_path.joinpath(
24
- "AppData/Roaming/Microsoft/Windows/PowerShell/psreadline/consolehost_history.txt"
25
- )
26
- if history_path.exists():
27
- self._history.append((user_details.user, history_path))
28
+ for ps_path in self.PATHS:
29
+ history_path = user_details.home_path.joinpath(ps_path)
30
+ for history_file in history_path.glob("*_history.txt"):
31
+ self._history.append((user_details.user, history_file))
28
32
 
29
33
  def check_compatible(self):
30
34
  if not self._history:
@@ -35,21 +39,27 @@ class PowerShellHistoryPlugin(Plugin):
35
39
  """Return PowerShell command history for all users.
36
40
 
37
41
  The PowerShell ConsoleHost_history.txt file contains information about the commands executed with PowerShell in
38
- a terminal. No data is recorded from terminal-less PowerShell sessions.
42
+ a terminal. No data is recorded from terminal-less PowerShell sessions. Commands are saved to disk after the process has completed.
43
+ PSReadLine does not save commands containing 'password', 'asplaintext', 'token', 'apikey' or 'secret'.
39
44
 
40
45
  References:
41
46
  - https://0xdf.gitlab.io/2018/11/08/powershell-history-file.html
42
- """
43
- for user, path in self._history:
44
- for line in path.open("r"):
47
+ - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_history?view=powershell-7.3#order-of-commands-in-the-history
48
+ - https://learn.microsoft.com/en-us/powershell/module/psreadline/about/about_psreadline?view=powershell-7.3#command-history
49
+ """ # noqa E501
50
+
51
+ for user, _path in self._history:
52
+ file_mtime = _path.stat().st_mtime
53
+
54
+ for line in _path.open("r"):
45
55
  line = line.strip()
46
56
  if not line:
47
57
  continue
48
58
 
49
59
  yield ConsoleHostHistoryRecord(
50
- last_modified=path.stat().st_mtime,
60
+ mtime=file_mtime,
51
61
  command=line,
52
- path=uri.from_windows(str(path)),
62
+ source=_path,
53
63
  _target=self.target,
54
64
  _user=user,
55
65
  )
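Review bot: The new read loop `for line in _path.open("r"):` never closes the handle and has no error handling, so a history file that cannot be read or decoded raises inside the generator and ends record output for every remaining user. These files come from the system under investigation and may be truncated or deliberately malformed, so I would read with `with _path.open("r") as fh:` and catch the error per file, logging it and moving on to the next file; the `_path.stat()` call just above deserves the same treatment. Separately, the descriptor name changes to `"powershell/history"` and the fields to `mtime` and `source`, so any downstream query or detection keyed on the old record name or on `last_modified`/`path` will silently match nothing, and that deserves a changelog note. Both hunks cut into the class, so the lines between `check_compatible` and the docstring are not visible here.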
@@ -1,6 +1,6 @@
1
1
  Metadata-Version: 2.1
2
2
  Name: dissect.target
3
- Version: 3.9.dev11
3
+ Version: 3.9.dev13
4
4
  Summary: This module ties all other Dissect modules together, it provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets)
5
5
  Author-email: Dissect Team <dissect@fox-it.com>
6
6
  License: Affero General Public License v3
@@ -70,7 +70,7 @@ dissect/target/loaders/res.py,sha256=2IAm-f83fvMUeK5J0g5jNVy2-24k8qKYijimcFvZ47I
70
70
  dissect/target/loaders/tanium.py,sha256=L_OH9bhjbzoGgYwRsQNGJzg9h2JCnfor4e5Ftg_nPVk,1533
71
71
  dissect/target/loaders/tar.py,sha256=55chcbh9CDTczSmSPJ3O1FrfpXaZTTPL28Oqih8rPOA,2998
72
72
  dissect/target/loaders/target.py,sha256=mfkNz586eHb1PuzbwrvRPf9CcoPDLm5wPGFT1_rMH5s,662
73
- dissect/target/loaders/targetd.py,sha256=9Lxbl5GN4MuOStzgJ-QlbCQGLrDLJdyka5onjvliFoY,4407
73
+ dissect/target/loaders/targetd.py,sha256=SD3AvzvHHcsoishoLaTBfFiMUliJjmfQeCrXzhWucD4,4431
74
74
  dissect/target/loaders/vb.py,sha256=CnQcn7bAkMzIB1y-lWLtPPXdIVsyeDaT6hTZEurjkV4,2072
75
75
  dissect/target/loaders/vbox.py,sha256=bOxsUiJ0IKx2GETs12FJkYChXBVatSkvWdLmhR5XPZc,691
76
76
  dissect/target/loaders/velociraptor.py,sha256=X-nks-V1QpuEfzDgI0_MPu_Fi--a4BEL6g8dDn_3lHU,2555
@@ -88,6 +88,8 @@ dissect/target/plugins/apps/remoteaccess/__init__.py,sha256=47DEQpj8HBSa-_TImW-5
88
88
  dissect/target/plugins/apps/remoteaccess/anydesk.py,sha256=eifgJ308gosLSh7cQhjJFuoubI0Z6fNDryFg7u-0ZAM,2518
89
89
  dissect/target/plugins/apps/remoteaccess/remoteaccess.py,sha256=hC77FCcsfYkHi50mQPDI9pfKpDslMA_sM5AeIOqdaQo,2482
90
90
  dissect/target/plugins/apps/remoteaccess/teamviewer.py,sha256=pdk-ELQtR1xpIw38FXm_DZOiald5w1gZznx8ngR-7gk,2571
91
+ dissect/target/plugins/apps/shell/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
92
+ dissect/target/plugins/apps/shell/powershell.py,sha256=qLWlKC6qpbVVLM-uuevzdowEeWmLnuEF04pJw0Ukwxk,2633
91
93
  dissect/target/plugins/apps/vpns/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
92
94
  dissect/target/plugins/apps/vpns/wireguard.py,sha256=LpGwbABhrViMVUJ-QWS1leLHyjwVtIMIp-dzkvarE0c,5773
93
95
  dissect/target/plugins/apps/webservers/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -196,7 +198,6 @@ dissect/target/plugins/os/windows/generic.py,sha256=qkTzP5cvzDKUASbVlUU5vb3b102m
196
198
  dissect/target/plugins/os/windows/lnk.py,sha256=AMP_SiJnNzBmosjKMCstQcn2ah0w7MyXeEm_L8YBc4g,7802
197
199
  dissect/target/plugins/os/windows/locale.py,sha256=YlRqFteHGSE-A21flbCKP1jXUTgyXKzaqBEiiQVLFUs,2191
198
200
  dissect/target/plugins/os/windows/notifications.py,sha256=tBgZKnDCXWFtz7chHIo5cKQf2swcTTB3MMcecfTZ-4w,4773
199
- dissect/target/plugins/os/windows/powershell.py,sha256=dsaFb-_vsMZ4aWCUyMKSnUqMmyXaPh0IrOeCxpgehcg,2086
200
201
  dissect/target/plugins/os/windows/prefetch.py,sha256=favUyI5Pywi8Ho8fUye3gnXcM9BqEIMhFcSa1idQQBg,10304
201
202
  dissect/target/plugins/os/windows/recyclebin.py,sha256=aqp1kc8A6k5UTt6ebycuejPd0QJwNIX1xIu21M0CUGU,4926
202
203
  dissect/target/plugins/os/windows/registry.py,sha256=gIKbUTejfcCVz-5vcOrCPbYRLuieNV5BMo891_4_X3A,10034
@@ -255,10 +256,10 @@ dissect/target/volumes/bde.py,sha256=gYGg5yF9MNARwNzEkrEfZmKkxyZW4rhLkpdnPJCbhGk
255
256
  dissect/target/volumes/disk.py,sha256=95grSsPt1BLVpKwTclwQYzPFGKTkFFqapIk0RoGWf38,968
256
257
  dissect/target/volumes/lvm.py,sha256=zXAfszxNR6tOGrKAtAa_E-JhjI-sXQyR4VYLXD-kqCw,1616
257
258
  dissect/target/volumes/vmfs.py,sha256=mlAJ8278tYaoRjk1u6tFFlCaDQUrVu5ZZE4ikiFvxi8,1707
258
- dissect.target-3.9.dev11.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
259
- dissect.target-3.9.dev11.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
260
- dissect.target-3.9.dev11.dist-info/METADATA,sha256=mgoRU0nLOB5rfLcOHMWdIxDfluIXR_4dHWoHuVx0NVU,9752
261
- dissect.target-3.9.dev11.dist-info/WHEEL,sha256=pkctZYzUS4AYVn6dJ-7367OJZivF2e8RA9b_ZBjif18,92
262
- dissect.target-3.9.dev11.dist-info/entry_points.txt,sha256=tvFPa-Ap-gakjaPwRc6Fl6mxHzxEZ_arAVU-IUYeo_s,447
263
- dissect.target-3.9.dev11.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
264
- dissect.target-3.9.dev11.dist-info/RECORD,,
259
+ dissect.target-3.9.dev13.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
260
+ dissect.target-3.9.dev13.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
261
+ dissect.target-3.9.dev13.dist-info/METADATA,sha256=tRKFN5yNQjNPNEcQHlXh4GKIky9TOwb8So9tgbPAHOU,9752
262
+ dissect.target-3.9.dev13.dist-info/WHEEL,sha256=pkctZYzUS4AYVn6dJ-7367OJZivF2e8RA9b_ZBjif18,92
263
+ dissect.target-3.9.dev13.dist-info/entry_points.txt,sha256=tvFPa-Ap-gakjaPwRc6Fl6mxHzxEZ_arAVU-IUYeo_s,447
264
+ dissect.target-3.9.dev13.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
265
+ dissect.target-3.9.dev13.dist-info/RECORD,,