From 6fd519da968c3fb1fe1aed3a0f546987f753fc28 Mon Sep 17 00:00:00 2001
From: Miauwkeru
Date: Mon, 15 Apr 2024 11:09:12 +0000
Subject: [PATCH 1/3] Use command type for runkeys

---
 dissect/target/plugins/os/windows/regf/runkeys.py | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/dissect/target/plugins/os/windows/regf/runkeys.py b/dissect/target/plugins/os/windows/regf/runkeys.py
index d38262f6f..1de9579ef 100644
--- a/dissect/target/plugins/os/windows/regf/runkeys.py
+++ b/dissect/target/plugins/os/windows/regf/runkeys.py
@@ -1,3 +1,5 @@
+from typing import Iterator
+
 from dissect.target.exceptions import UnsupportedPluginError
 from dissect.target.helpers.descriptor_extensions import (
     RegistryRecordDescriptorExtension,
@@ -11,7 +13,7 @@
     [
         ("datetime", "ts"),
         ("wstring", "name"),
-        ("string", "path"),
+        ("command", "command"),
         ("string", "key"),
     ],
 )
@@ -48,7 +50,7 @@ def check_compatible(self) -> None:
             raise UnsupportedPluginError("No registry run key found")
 
     @export(record=RunKeyRecord)
-    def runkeys(self):
+    def runkeys(self) -> Iterator[RunKeyRecord]:
         """Iterate various run key locations. See source for all locations.
 
         Run keys (Run and RunOnce) are registry keys that make a program run when a user logs on. a Run key runs every
@@ -63,7 +65,7 @@ def runkeys(self):
             domain (string): The target domain.
             ts (datetime): The registry key last modified timestamp.
             name (string): The run key name.
-            path (string): The run key path.
+            command (command): The run key command.
             key (string): The source key for this run key.
         """
         for key in self.KEYS:
@@ -73,7 +75,7 @@ def runkeys(self):
                 yield RunKeyRecord(
                     ts=r.ts,
                     name=entry.name,
-                    path=entry.value,
+                    command=entry.value,
                     key=key,
                     _target=self.target,
                     _key=r,
From 1691630aecc7f1c23eeb7643db20e2b3d2586441 Mon Sep 17 00:00:00 2001
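Review bot: Replacing `("string", "path")` with `("command", "command")` renames the record field as well as retyping it, so any consumer that selects `path` on RunKeyRecord (rdump filters, saved queries, detection content keyed on the old name) now gets an empty field rather than an error. If the rename is intended it should be called out as a breaking schema change in the commit message or changelog; keeping the name `path` with the new `command` type would be the backward-compatible alternative. The docstring hunk and the `command=entry.value` hunk below follow the same rename and would change with it.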
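Review bot: `command=entry.value` passes the raw registry value straight into the `command` field type with no check on what was read; run-key values are usually string data, but a value of another type, or one the command parser rejects, would raise inside the generator and abort enumeration of every remaining run key, which for a persistence plugin means silently missing entries. Whether flow.record's `command` tolerates non-str input I can't tell from this hunk; if it does not, a type guard before the yield with a comment such as `# run-key values are expected to be string data; skip anything else rather than abort the scan` would keep enumeration going. The loop and the body of `runkeys` continue outside the hunk.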
From: Miauwkeru
Date: Wed, 24 Apr 2024 11:46:41 +0000
Subject: [PATCH 2/3] Enable --hash for command types

---
 dissect/target/helpers/record_modifier.py | 5 ++++-
 tests/helpers/test_modifier.py            | 3 ++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/dissect/target/helpers/record_modifier.py b/dissect/target/helpers/record_modifier.py
index a4f3fc253..7b2698381 100644
--- a/dissect/target/helpers/record_modifier.py
+++ b/dissect/target/helpers/record_modifier.py
@@ -62,13 +62,16 @@ def _hash_path_records(field_name: str, resolved_path: TargetPath) -> Record:
 
 def _resolve_path_types(target: Target, record: Record) -> Iterator[tuple[str, TargetPath]]:
     for field_name, field_type in record._field_types.items():
-        if not issubclass(field_type, fieldtypes.path):
+        if not issubclass(field_type, (fieldtypes.path, fieldtypes.command)):
             continue
 
         path = getattr(record, field_name, None)
         if path is None:
             continue
 
+        if isinstance(path, fieldtypes.command):
+            path = path.executable
+
         yield field_name, target.resolve(str(path))
 
 
diff --git a/tests/helpers/test_modifier.py b/tests/helpers/test_modifier.py
index 23321915a..1ed83ae12 100644
--- a/tests/helpers/test_modifier.py
+++ b/tests/helpers/test_modifier.py
@@ -3,7 +3,7 @@
 
 import pytest
 from flow.record import Record
-from flow.record.fieldtypes import digest, path
+from flow.record.fieldtypes import command, digest, path
 
 from dissect.target import Target
 from dissect.target.exceptions import FileNotFoundError, IsADirectoryError
@@ -32,6 +32,7 @@ def resolve_function() -> ModifierFunc:
         ({"name": path}, 2),
         ({"name": path, "test": path}, 3),
         ({"name": path, "test": str}, 2),
+        ({"name": command}, 2),
     ],
 )
 @patch("flow.record.Record")
From cbd41cef3c02585d20bec40f68a932d8cb17c10d Mon Sep 17 00:00:00 2001
From: Miauwkeru
Date: Fri, 3 May 2024 11:53:12 +0000
Subject: [PATCH 3/3] Update flow.record dependency

---
 pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

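Review bot: The `if path is None: continue` guard runs before the new `isinstance(path, fieldtypes.command)` branch, so a command value whose `executable` is unset falls through to `target.resolve(str(path))` with `str(None)`, and the literal path `None` is resolved and hashed instead of the field being skipped. Moving the two added lines above the existing guard — `if isinstance(path, fieldtypes.command): path = path.executable` and then the unchanged `if path is None: continue` — closes that gap without changing the path case. Whether `executable` can actually be `None` depends on flow.record's `command` type, which is not visible here; a parametrized case in the test hunk with a command whose executable is empty would pin the behaviour either way, since the added `({"name": command}, 2)` case only counts resolved fields. The trailing blank lines suggest `_resolve_path_types` ends at the yield, but the hunk is the only part of the function shown.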
diff --git a/pyproject.toml b/pyproject.toml
index 0e912cfe8..f0a627b09 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -34,7 +34,7 @@ dependencies = [
     "dissect.regf>=3.3.dev,<4.0.dev",
     "dissect.util>=3.0.dev,<4.0.dev",
     "dissect.volume>=3.0.dev,<4.0.dev",
-    "flow.record~=3.14.0",
+    "flow.record~=3.15.0",
     "structlog",
 ]
 dynamic = ["version"]