From e1ccb3b77469c5d90992d394a4f577890d2f00da Mon Sep 17 00:00:00 2001 From: Schamper <1254028+Schamper@users.noreply.github.com> Date: Tue, 9 Apr 2024 11:33:22 +0200 Subject: [PATCH 1/3] Fallback mount sysvol to C: if not mounted to another drive letter --- dissect/target/plugins/os/windows/_os.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/dissect/target/plugins/os/windows/_os.py b/dissect/target/plugins/os/windows/_os.py index b8d94f915..b6f6faa87 100644 --- a/dissect/target/plugins/os/windows/_os.py +++ b/dissect/target/plugins/os/windows/_os.py @@ -1,5 +1,6 @@ from __future__ import annotations +import operator import struct from typing import Any, Iterator, Optional @@ -77,6 +78,10 @@ def add_mounts(self) -> None: self.target.log.warning("Failed to map drive letters") self.target.log.debug("", exc_info=e) + # Fallback mount the sysvol to C: if we didn't manage to mount it to any other drive letter + if operator.countOf(self.target.fs.mounts.values(), self.target.fs.mounts["sysvol"]) == 1: + self.target.fs.mount("c:", self.target.fs.mounts["sysvol"]) + @export(property=True) def hostname(self) -> Optional[str]: key = "HKLM\\SYSTEM\\ControlSet001\\Control\\Computername\\Computername" From 519d513f70ea4310794f207095e04a978495b81b Mon Sep 17 00:00:00 2001 From: Schamper <1254028+Schamper@users.noreply.github.com> Date: Tue, 9 Apr 2024 13:02:48 +0200 Subject: [PATCH 2/3] Tweak --- dissect/target/plugins/os/windows/_os.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dissect/target/plugins/os/windows/_os.py b/dissect/target/plugins/os/windows/_os.py index b6f6faa87..4862c778a 100644 --- a/dissect/target/plugins/os/windows/_os.py +++ b/dissect/target/plugins/os/windows/_os.py @@ -80,7 +80,10 @@ def add_mounts(self) -> None: # Fallback mount the sysvol to C: if we didn't manage to mount it to any other drive letter if operator.countOf(self.target.fs.mounts.values(), self.target.fs.mounts["sysvol"]) == 1: - self.target.fs.mount("c:", self.target.fs.mounts["sysvol"]) + if "c:" not in self.target.fs.mounts: + self.target.fs.mount("c:", self.target.fs.mounts["sysvol"]) + else: + self.target.log.warning("Unknown drive letter for sysvol") @export(property=True) def hostname(self) -> Optional[str]: From 95d8a163df7094fd7ba13ddaad90e4ab03acb786 Mon Sep 17 00:00:00 2001 From: Schamper <1254028+Schamper@users.noreply.github.com> Date: Tue, 9 Apr 2024 13:04:05 +0200 Subject: [PATCH 3/3] Extra log --- dissect/target/plugins/os/windows/_os.py | 1 + 1 file changed, 1 insertion(+) diff --git a/dissect/target/plugins/os/windows/_os.py b/dissect/target/plugins/os/windows/_os.py index 4862c778a..b0bb71361 100644 --- a/dissect/target/plugins/os/windows/_os.py +++ b/dissect/target/plugins/os/windows/_os.py @@ -81,6 +81,7 @@ def add_mounts(self) -> None: # Fallback mount the sysvol to C: if we didn't manage to mount it to any other drive letter if operator.countOf(self.target.fs.mounts.values(), self.target.fs.mounts["sysvol"]) == 1: if "c:" not in self.target.fs.mounts: + self.target.log.debug("Unable to determine drive letter of sysvol, falling back to C:") self.target.fs.mount("c:", self.target.fs.mounts["sysvol"]) else: self.target.log.warning("Unknown drive letter for sysvol")