dissect.target 3.9.dev11__py3-none-any.whl → 3.9.dev13__py3-none-any.whl

@@ -140,3 +140,4 @@ if TARGETD_AVAILABLE:
140
140
  targetd.easy_connect_remoting(remoting, link, caller.peers)
141
141
  func = getattr(targetd.rpcs, targetd.command)
142
142
  caller.output = list(func())
143
+ targetd.close()
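Review bot: The added `targetd.close()` is reached only when `getattr(targetd.rpcs, targetd.command)` and `list(func())` both succeed; an unknown command name or a failing RPC raises past it and leaves the remoting connection open. Put the call in a `finally`: `try: caller.output = list(func())` followed by `finally: targetd.close()`. The enclosing function begins above the hunk, so whether a caller already closes the connection on error cannot be seen from here.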
File without changes
@@ -1,30 +1,34 @@
1
- from flow.record.fieldtypes import uri
2
-
3
1
  from dissect.target.exceptions import UnsupportedPluginError
4
2
  from dissect.target.helpers.descriptor_extensions import UserRecordDescriptorExtension
5
3
  from dissect.target.helpers.record import create_extended_descriptor
6
4
  from dissect.target.plugin import Plugin, export
7
5
 
8
6
  ConsoleHostHistoryRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
9
- "filesystem/windows/powershell/history",
7
+ "powershell/history",
10
8
  [
11
- ("datetime", "last_modified"),
9
+ ("datetime", "mtime"),
12
10
  ("string", "command"),
13
- ("uri", "path"),
11
+ ("path", "source"),
14
12
  ],
15
13
  )
16
14
 
17
15
 
18
16
  class PowerShellHistoryPlugin(Plugin):
17
+ PATHS = [
18
+ "AppData/Roaming/Microsoft/Windows/PowerShell/psreadline",
19
+ ".local/share/powershell/PSReadLine",
20
+ ]
21
+
19
22
  def __init__(self, target):
20
23
  super().__init__(target)
24
+
21
25
  self._history = []
26
+
22
27
  for user_details in target.user_details.all_with_home():
23
- history_path = user_details.home_path.joinpath(
24
- "AppData/Roaming/Microsoft/Windows/PowerShell/psreadline/consolehost_history.txt"
25
- )
26
- if history_path.exists():
27
- self._history.append((user_details.user, history_path))
28
+ for ps_path in self.PATHS:
29
+ history_path = user_details.home_path.joinpath(ps_path)
30
+ for history_file in history_path.glob("*_history.txt"):
31
+ self._history.append((user_details.user, history_file))
28
32
 
29
33
  def check_compatible(self):
30
34
  if not self._history:
@@ -35,21 +39,27 @@ class PowerShellHistoryPlugin(Plugin):
35
39
  """Return PowerShell command history for all users.
36
40
 
37
41
  The PowerShell ConsoleHost_history.txt file contains information about the commands executed with PowerShell in
38
- a terminal. No data is recorded from terminal-less PowerShell sessions.
42
+ a terminal. No data is recorded from terminal-less PowerShell sessions. Commands are saved to disk after the process has completed.
43
+ PSReadLine does not save commands containing 'password', 'asplaintext', 'token', 'apikey' or 'secret'.
39
44
 
40
45
  References:
41
46
  - https://0xdf.gitlab.io/2018/11/08/powershell-history-file.html
42
- """
43
- for user, path in self._history:
44
- for line in path.open("r"):
47
+ - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_history?view=powershell-7.3#order-of-commands-in-the-history
48
+ - https://learn.microsoft.com/en-us/powershell/module/psreadline/about/about_psreadline?view=powershell-7.3#command-history
49
+ """ # noqa E501
50
+
51
+ for user, _path in self._history:
52
+ file_mtime = _path.stat().st_mtime
53
+
54
+ for line in _path.open("r"):
45
55
  line = line.strip()
46
56
  if not line:
47
57
  continue
48
58
 
49
59
  yield ConsoleHostHistoryRecord(
50
- last_modified=path.stat().st_mtime,
60
+ mtime=file_mtime,
51
61
  command=line,
52
- path=uri.from_windows(str(path)),
62
+ source=_path,
53
63
  _target=self.target,
54
64
  _user=user,
55
65
  )
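Review bot: Every record yielded from one history file carries the same `mtime=file_mtime`, read once via `_path.stat().st_mtime`, so the field is the file's modification time and not the time a command ran. The docstring does not say this, and an analyst sorting records into a timeline could read the value as a per-command execution time. I would add a sentence to the docstring such as `The mtime field is the modification time of the history file, not the execution time of the individual command.` The method's `def` line and decorator sit above the second hunk, so any existing note there is not visible.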
@@ -1,6 +1,6 @@
1
1
  Metadata-Version: 2.1
2
2
  Name: dissect.target
3
- Version: 3.9.dev11
3
+ Version: 3.9.dev13
4
4
  Summary: This module ties all other Dissect modules together, it provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets)
5
5
  Author-email: Dissect Team <dissect@fox-it.com>
6
6
  License: Affero General Public License v3
@@ -70,7 +70,7 @@ dissect/target/loaders/res.py,sha256=2IAm-f83fvMUeK5J0g5jNVy2-24k8qKYijimcFvZ47I
70
70
  dissect/target/loaders/tanium.py,sha256=L_OH9bhjbzoGgYwRsQNGJzg9h2JCnfor4e5Ftg_nPVk,1533
71
71
  dissect/target/loaders/tar.py,sha256=55chcbh9CDTczSmSPJ3O1FrfpXaZTTPL28Oqih8rPOA,2998
72
72
  dissect/target/loaders/target.py,sha256=mfkNz586eHb1PuzbwrvRPf9CcoPDLm5wPGFT1_rMH5s,662
73
- dissect/target/loaders/targetd.py,sha256=9Lxbl5GN4MuOStzgJ-QlbCQGLrDLJdyka5onjvliFoY,4407
73
+ dissect/target/loaders/targetd.py,sha256=SD3AvzvHHcsoishoLaTBfFiMUliJjmfQeCrXzhWucD4,4431
74
74
  dissect/target/loaders/vb.py,sha256=CnQcn7bAkMzIB1y-lWLtPPXdIVsyeDaT6hTZEurjkV4,2072
75
75
  dissect/target/loaders/vbox.py,sha256=bOxsUiJ0IKx2GETs12FJkYChXBVatSkvWdLmhR5XPZc,691
76
76
  dissect/target/loaders/velociraptor.py,sha256=X-nks-V1QpuEfzDgI0_MPu_Fi--a4BEL6g8dDn_3lHU,2555
@@ -88,6 +88,8 @@ dissect/target/plugins/apps/remoteaccess/__init__.py,sha256=47DEQpj8HBSa-_TImW-5
88
88
  dissect/target/plugins/apps/remoteaccess/anydesk.py,sha256=eifgJ308gosLSh7cQhjJFuoubI0Z6fNDryFg7u-0ZAM,2518
89
89
  dissect/target/plugins/apps/remoteaccess/remoteaccess.py,sha256=hC77FCcsfYkHi50mQPDI9pfKpDslMA_sM5AeIOqdaQo,2482
90
90
  dissect/target/plugins/apps/remoteaccess/teamviewer.py,sha256=pdk-ELQtR1xpIw38FXm_DZOiald5w1gZznx8ngR-7gk,2571
91
+ dissect/target/plugins/apps/shell/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
92
+ dissect/target/plugins/apps/shell/powershell.py,sha256=qLWlKC6qpbVVLM-uuevzdowEeWmLnuEF04pJw0Ukwxk,2633
91
93
  dissect/target/plugins/apps/vpns/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
92
94
  dissect/target/plugins/apps/vpns/wireguard.py,sha256=LpGwbABhrViMVUJ-QWS1leLHyjwVtIMIp-dzkvarE0c,5773
93
95
  dissect/target/plugins/apps/webservers/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -196,7 +198,6 @@ dissect/target/plugins/os/windows/generic.py,sha256=qkTzP5cvzDKUASbVlUU5vb3b102m
196
198
  dissect/target/plugins/os/windows/lnk.py,sha256=AMP_SiJnNzBmosjKMCstQcn2ah0w7MyXeEm_L8YBc4g,7802
197
199
  dissect/target/plugins/os/windows/locale.py,sha256=YlRqFteHGSE-A21flbCKP1jXUTgyXKzaqBEiiQVLFUs,2191
198
200
  dissect/target/plugins/os/windows/notifications.py,sha256=tBgZKnDCXWFtz7chHIo5cKQf2swcTTB3MMcecfTZ-4w,4773
199
- dissect/target/plugins/os/windows/powershell.py,sha256=dsaFb-_vsMZ4aWCUyMKSnUqMmyXaPh0IrOeCxpgehcg,2086
200
201
  dissect/target/plugins/os/windows/prefetch.py,sha256=favUyI5Pywi8Ho8fUye3gnXcM9BqEIMhFcSa1idQQBg,10304
201
202
  dissect/target/plugins/os/windows/recyclebin.py,sha256=aqp1kc8A6k5UTt6ebycuejPd0QJwNIX1xIu21M0CUGU,4926
202
203
  dissect/target/plugins/os/windows/registry.py,sha256=gIKbUTejfcCVz-5vcOrCPbYRLuieNV5BMo891_4_X3A,10034
@@ -255,10 +256,10 @@ dissect/target/volumes/bde.py,sha256=gYGg5yF9MNARwNzEkrEfZmKkxyZW4rhLkpdnPJCbhGk
255
256
  dissect/target/volumes/disk.py,sha256=95grSsPt1BLVpKwTclwQYzPFGKTkFFqapIk0RoGWf38,968
256
257
  dissect/target/volumes/lvm.py,sha256=zXAfszxNR6tOGrKAtAa_E-JhjI-sXQyR4VYLXD-kqCw,1616
257
258
  dissect/target/volumes/vmfs.py,sha256=mlAJ8278tYaoRjk1u6tFFlCaDQUrVu5ZZE4ikiFvxi8,1707
258
- dissect.target-3.9.dev11.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
259
- dissect.target-3.9.dev11.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
260
- dissect.target-3.9.dev11.dist-info/METADATA,sha256=mgoRU0nLOB5rfLcOHMWdIxDfluIXR_4dHWoHuVx0NVU,9752
261
- dissect.target-3.9.dev11.dist-info/WHEEL,sha256=pkctZYzUS4AYVn6dJ-7367OJZivF2e8RA9b_ZBjif18,92
262
- dissect.target-3.9.dev11.dist-info/entry_points.txt,sha256=tvFPa-Ap-gakjaPwRc6Fl6mxHzxEZ_arAVU-IUYeo_s,447
263
- dissect.target-3.9.dev11.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
264
- dissect.target-3.9.dev11.dist-info/RECORD,,
259
+ dissect.target-3.9.dev13.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
260
+ dissect.target-3.9.dev13.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
261
+ dissect.target-3.9.dev13.dist-info/METADATA,sha256=tRKFN5yNQjNPNEcQHlXh4GKIky9TOwb8So9tgbPAHOU,9752
262
+ dissect.target-3.9.dev13.dist-info/WHEEL,sha256=pkctZYzUS4AYVn6dJ-7367OJZivF2e8RA9b_ZBjif18,92
263
+ dissect.target-3.9.dev13.dist-info/entry_points.txt,sha256=tvFPa-Ap-gakjaPwRc6Fl6mxHzxEZ_arAVU-IUYeo_s,447
264
+ dissect.target-3.9.dev13.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
265
+ dissect.target-3.9.dev13.dist-info/RECORD,,