Merge branch 'main' into py313-support

Author: JSCU-CNI

dissect/target/helpers/fsutil.py

@@ -516,10 +516,12 @@ def open_decompress(
         An binary or text IO stream, depending on the mode with which the file was opened.
 
     Example:
-        bytes_buf = open_decompress(Path("/dir/file.gz")).read()
+        .. code-block:: python
 
-        for line in open_decompress(Path("/dir/file.gz"), "rt"):
-            print(line)
+            bytes_buf = open_decompress(Path("/dir/file.gz")).read()
+
+            for line in open_decompress(Path("/dir/file.gz"), "rt"):
+                print(line)
     """
     if path and fileobj:
         raise ValueError("path and fileobj are mutually exclusive")
@@ -531,6 +533,7 @@ def open_decompress(
         file = path.open("rb")
     else:
         file = fileobj
+        file.seek(0)
 
     magic = file.read(5)
     file.seek(0)

dissect/target/helpers/localeutil.py

@@ -48,3 +48,5 @@ def _get_resource_path(path: str) -> Path:
     )
     if child.attrib["territory"] == "001"
 }
+
+WINDOWS_ZONE_MAP["UTC"] = "UTC"  # Change 'Etc/UTC' to 'UTC' to be consistent across operating systems.

dissect/target/plugins/apps/vpn/wireguard.py

@@ -15,7 +15,7 @@
         ("string", "name"),  # basename of .conf file if unset
         ("net.ipaddress", "address"),
         ("string", "private_key"),
-        ("string", "listen_port"),
+        ("varint", "listen_port"),
         ("string", "fw_mark"),
         ("string", "dns"),
         ("varint", "table"),

dissect/target/plugins/os/unix/_os.py

@@ -75,7 +75,7 @@ def users(self, sessions: bool = False) -> Iterator[UnixUserRecord]:
         # Yield users found in passwd files.
         for passwd_file in PASSWD_FILES:
             if (path := self.target.fs.path(passwd_file)).exists():
-                for line in path.open("rt"):
+                for line in path.open("rt", errors="surrogateescape"):
                     line = line.strip()
                     if not line or line.startswith("#"):
                         continue
@@ -85,13 +85,12 @@ def users(self, sessions: bool = False) -> Iterator[UnixUserRecord]:
                     current_user = (pwent.get(0), pwent.get(5), pwent.get(6))
                     if current_user in seen_users:
                         continue
-
                     seen_users.add(current_user)
                     yield UnixUserRecord(
                         name=pwent.get(0),
                         passwd=pwent.get(1),
-                        uid=pwent.get(2),
-                        gid=pwent.get(3),
+                        uid=pwent.get(2) or None,
+                        gid=pwent.get(3) or None,
                         gecos=pwent.get(4),
                         home=posix_path(pwent.get(5)),
                         shell=pwent.get(6),

dissect/target/plugins/os/unix/linux/sockets.py

@@ -16,9 +16,9 @@
         ("string", "protocol"),
         ("uint32", "rx_queue"),
         ("uint32", "tx_queue"),
-        ("string", "local_ip"),
+        ("net.ipaddress", "local_ip"),
         ("uint16", "local_port"),
-        ("string", "remote_ip"),
+        ("net.ipaddress", "remote_ip"),
         ("uint16", "remote_port"),
         ("string", "state"),
         ("string", "owner"),

dissect/target/plugins/os/unix/locale.py

@@ -20,12 +20,15 @@
 
 
 def timezone_from_path(path: Path) -> str:
-    """Return timezone name for given zoneinfo path.
+    """Return timezone name for the given zoneinfo path.
 
-    /usr/share/zoneinfo/Europe/Amsterdam -> Europe/Amsterdam
+    .. code-block::
+
+        /usr/share/zoneinfo/Europe/Amsterdam -> Europe/Amsterdam
+        /usr/share/zoneinfo/UTC              -> UTC
+        Etc/UTC                              -> UTC
     """
-    zoneinfo_path = str(path).split("/")
-    return "/".join(zoneinfo_path[-2:])
+    return "/".join([p for p in path.parts[-2:] if p.lower() not in ["zoneinfo", "etc"]])
 
 
 class LocalePlugin(Plugin):
@@ -42,7 +45,7 @@ def timezone(self) -> str | None:
         # on most unix systems
         if (path := self.target.fs.path("/etc/timezone")).exists():
             for line in path.open("rt"):
-                return line.strip()
+                return timezone_from_path(Path(line.strip()))
 
         # /etc/localtime can be a symlink, hardlink or a copy of:
         # eg. /usr/share/zoneinfo/America/New_York

dissect/target/plugins/os/unix/shadow.py

@@ -1,3 +1,6 @@
+from __future__ import annotations
+
+from datetime import datetime, timedelta, timezone
 from typing import Iterator
 
 from dissect.target.exceptions import UnsupportedPluginError
@@ -13,12 +16,12 @@
         ("string", "hash"),
         ("string", "algorithm"),
         ("string", "crypt_param"),
-        ("string", "last_change"),
-        ("varint", "min_age"),
-        ("varint", "max_age"),
+        ("datetime", "last_change"),
+        ("datetime", "min_age"),
+        ("datetime", "max_age"),
         ("varint", "warning_period"),
-        ("string", "inactivity_period"),
-        ("string", "expiration_date"),
+        ("varint", "inactivity_period"),
+        ("datetime", "expiration_date"),
         ("string", "unused_field"),
     ],
 )
@@ -39,6 +42,7 @@ def passwords(self) -> Iterator[UnixShadowRecord]:
 
         Resources:
             - https://manpages.ubuntu.com/manpages/oracular/en/man5/passwd.5.html
+            - https://linux.die.net/man/5/shadow
         """
 
         seen_hashes = set()
@@ -64,19 +68,53 @@ def passwords(self) -> Iterator[UnixShadowRecord]:
 
                     seen_hashes.add(current_hash)
 
+                    # improve readability
+                    last_change = None
+                    min_age = None
+                    max_age = None
+                    expiration_date = None
+
+                    try:
+                        last_change = int(shent.get(2)) if shent.get(2) else None
+                    except ValueError as e:
+                        self.target.log.warning(
+                            "Unable to parse last_change shadow value in %s: %s ('%s')", shadow_file, e, shent.get(2)
+                        )
+
+                    try:
+                        min_age = int(shent.get(3)) if shent.get(3) else None
+                    except ValueError as e:
+                        self.target.log.warning(
+                            "Unable to parse last_change shadow value in %s: %s ('%s')", shadow_file, e, shent.get(3)
+                        )
+
+                    try:
+                        max_age = int(shent.get(4)) if shent.get(4) else None
+                    except ValueError as e:
+                        self.target.log.warning(
+                            "Unable to parse last_change shadow value in %s: %s ('%s')", shadow_file, e, shent.get(4)
+                        )
+
+                    try:
+                        expiration_date = int(shent.get(7)) if shent.get(7) else None
+                    except ValueError as e:
+                        self.target.log.warning(
+                            "Unable to parse last_change shadow value in %s: %s ('%s')", shadow_file, e, shent.get(7)
+                        )
+
                     yield UnixShadowRecord(
                         name=shent.get(0),
                         crypt=shent.get(1),
                         algorithm=crypt.get("algo"),
                         crypt_param=crypt.get("param"),
                         salt=crypt.get("salt"),
                         hash=crypt.get("hash"),
-                        last_change=shent.get(2),
-                        min_age=shent.get(3),
-                        max_age=shent.get(4),
-                        warning_period=shent.get(5),
-                        inactivity_period=shent.get(6),
-                        expiration_date=shent.get(7),
+                        last_change=epoch_days_to_datetime(last_change) if last_change else None,
+                        min_age=epoch_days_to_datetime(last_change + min_age) if last_change and min_age else None,
+                        max_age=epoch_days_to_datetime(last_change + max_age) if last_change and max_age else None,
+                        warning_period=shent.get(5) if shent.get(5) else None,
+                        inactivity_period=shent.get(6) if shent.get(6) else None,
+                        expiration_date=epoch_days_to_datetime(expiration_date) if expiration_date else None,
                         unused_field=shent.get(8),
                         _target=self.target,
                     )
@@ -128,3 +166,11 @@ def extract_crypt_details(shent: dict) -> dict:
         crypt["algo"] = algos[crypt["algo"]]
 
     return crypt
+
+
+def epoch_days_to_datetime(days: int) -> datetime:
+    """Convert a number representing the days since 1 January 1970 to a datetime object."""
+    if not isinstance(days, int):
+        raise ValueError("days argument should be an integer")
+
+    return datetime(1970, 1, 1, 0, 0, tzinfo=timezone.utc) + timedelta(days)

dissect/target/plugins/os/windows/generic.py

@@ -60,7 +60,7 @@
     "filesystem/registry/ndis",
     [
         ("datetime", "ts"),
-        ("string", "network"),
+        ("string", "network_name"),
         ("string", "name"),
         ("string", "pnpinstanceid"),
     ],
@@ -113,7 +113,7 @@
         ("path", "librarypath"),
         ("string", "displaystring"),
         ("bytes", "providerid"),
-        ("string", "enabled"),
+        ("boolean", "enabled"),
         ("string", "version"),
     ],
 )
@@ -408,7 +408,7 @@ def ndis(self) -> Iterator[NdisRecord]:
 
                     yield NdisRecord(
                         ts=network.ts,
-                        network=sub.name,
+                        network_name=sub.name,
                         name=name,
                         pnpinstanceid=pnpinstanceid,
                         _target=self.target,

dissect/target/plugins/os/windows/log/amcache.py

@@ -42,7 +42,7 @@
     ("string", "pe_image"),
     ("string", "pe_subsystem"),
     ("string", "crc_checksum"),
-    ("string", "filesize"),
+    ("filesize", "filesize"),
     ("wstring", "longname"),
     ("string", "msi"),
 ]
@@ -91,7 +91,7 @@ def create_record(
         binary_type=install_properties.get("binarytype"),
         bin_product_version=install_properties.get("binproductversion"),
         bin_file_version=install_properties.get("binfileversion"),
-        filesize=install_properties.get("filesize"),
+        filesize=int(install_properties.get("filesize", "0"), 16),
         pe_image=install_properties.get("peimagetype"),
         product_version=install_properties.get("productversion"),
         crc_checksum=install_properties.get("crcchecksum"),

dissect/target/plugins/os/windows/prefetch.py

@@ -1,7 +1,7 @@
 from __future__ import annotations
 
 from io import BytesIO
-from typing import Iterator
+from typing import TYPE_CHECKING, BinaryIO, Iterator
 
 from dissect.cstruct import cstruct
 from dissect.util import lzxpress_huffman
@@ -11,6 +11,11 @@
 from dissect.target.helpers.record import TargetRecordDescriptor
 from dissect.target.plugin import Plugin, arg, export
 
+if TYPE_CHECKING:
+    from datetime import datetime
+
+    from dissect.target.target import Target
+
 PrefetchRecord = TargetRecordDescriptor(
     "filesystem/ntfs/prefetch",
     [
@@ -167,11 +172,12 @@
     17: (c_prefetch.FILE_INFORMATION_17, c_prefetch.FILE_METRICS_ARRAY_ENTRY_17),
     23: (c_prefetch.FILE_INFORMATION_23, c_prefetch.FILE_METRICS_ARRAY_ENTRY_23),
     30: (c_prefetch.FILE_INFORMATION_26, c_prefetch.FILE_METRICS_ARRAY_ENTRY_23),
+    31: (c_prefetch.FILE_INFORMATION_26, c_prefetch.FILE_METRICS_ARRAY_ENTRY_23),
 }
 
 
 class Prefetch:
-    def __init__(self, fh):
+    def __init__(self, fh: BinaryIO):
         header_detect = c_prefetch.PREFETCH_HEADER_DETECT(fh.read(8))
         if header_detect.signature == b"MAM\x04":
             fh = BytesIO(lzxpress_huffman.decompress(fh))
@@ -186,25 +192,27 @@ def __init__(self, fh):
 
         self.parse()
 
-    def identify(self):
+    def identify(self) -> int:
         self.fh.seek(0)
         version = self.header.version
 
         if version in prefetch_version_structs.keys():
             return version
 
-        raise NotImplementedError()
+        raise NotImplementedError
 
-    def parse(self):
+    def parse(self) -> None:
         try:
             file_info_header, file_metrics_header = prefetch_version_structs.get(self.version)
             self.fh.seek(84)
             self.fn = file_info_header(self.fh)
             self.metrics = self.parse_metrics(metric_array_struct=file_metrics_header)
         except KeyError:
-            raise NotImplementedError()
+            raise NotImplementedError
 
-    def parse_metrics(self, metric_array_struct):
+    def parse_metrics(
+        self, metric_array_struct: c_prefetch.FILE_METRICS_ARRAY_ENTRY_17 | c_prefetch.FILE_METRICS_ARRAY_ENTRY_23
+    ) -> list[str | None]:
         metrics = []
         self.fh.seek(self.fn.metrics_array_offset)
         for _ in range(self.fn.number_of_file_metrics_entries):
@@ -216,20 +224,20 @@ def parse_metrics(self, metric_array_struct):
             metrics.append(filename.decode("utf-16-le"))
         return metrics
 
-    def read_filename(self, off, size):
+    def read_filename(self, off: int, size: int) -> bytes:
         offset = self.fh.tell()
         self.fh.seek(off)
         data = self.fh.read(size * 2)
         self.fh.seek(offset)  # reset pointer
         return data
 
     @property
-    def latest_timestamp(self):
+    def latest_timestamp(self) -> datetime:
         """Get the latest execution timestamp inside the prefetch file."""
         return wintimestamp(self.fn.last_run_time)
 
     @property
-    def previous_timestamps(self):
+    def previous_timestamps(self) -> list[datetime | None]:
         """Get the previous timestamps from the prefetch file."""
         try:
             # We check if timestamp actually has a value
@@ -242,7 +250,7 @@ def previous_timestamps(self):
 class PrefetchPlugin(Plugin):
     """Windows prefetch plugin."""
 
-    def __init__(self, target):
+    def __init__(self, target: Target):
         super().__init__(target)
         self.prefetchdir = self.target.fs.path("sysvol/windows/prefetch")