Merge branch 'main' into py313-support

Author: JSCU-CNI

dissect/target/plugins/apps/other/env.py

@@ -31,9 +31,11 @@ def envfile(self, env_path: str, extension: str = "env") -> Iterator[Environment
 
         if not env_path:
             self.target.log.error("No ``--path`` provided!")
+            return
 
         if not (path := self.target.fs.path(env_path)).exists():
             self.target.log.error("Provided path %s does not exist!", path)
+            return
 
         for file in path.glob("**/*." + extension):
             if not file.is_file():

dissect/target/plugins/os/unix/log/journal.py

@@ -315,9 +315,18 @@ def __iter__(self) -> Iterator[dict[str, int | str]]:
         offset = self.header.entry_array_offset
         while offset != 0:
             self.fh.seek(offset)
+            object_type = self.fh.read(1)[0]
 
-            if self.fh.read(1)[0] != c_journal.ObjectType.OBJECT_ENTRY_ARRAY:
-                raise ValueError(f"Expected OBJECT_ENTRY_ARRAY at offset {offset}")
+            if object_type == c_journal.ObjectType.OBJECT_UNUSED:
+                self.target.log.warning(
+                    "ObjectType OBJECT_UNUSED encountered for next OBJECT_ENTRY_ARRAY offset at 0x%X. "
+                    "This indicates allocated space in the journal file which is not used yet.",
+                    offset,
+                )
+                break
+
+            elif object_type != c_journal.ObjectType.OBJECT_ENTRY_ARRAY:
+                raise ValueError(f"Expected OBJECT_ENTRY_ARRAY or OBJECT_UNUSED at offset {offset}")
 
             if self.header.incompatible_flags & c_journal.IncompatibleFlag.HEADER_INCOMPATIBLE_COMPACT:
                 entry_array_object = c_journal.EntryArrayObject_Compact(self.fh)

dissect/target/plugins/os/windows/credential/credhist.py

@@ -125,7 +125,7 @@ def _parse(self) -> Iterator[CredHistEntry]:
                 yield CredHistEntry(
                     version=entry.dwVersion,
                     guid=UUID(bytes_le=entry.guidLink),
-                    user_sid=read_sid(entry.pSid),
+                    user_sid=read_sid(entry.pSid) if entry.pSid else None,
                     hash_alg=HashAlgorithm.from_id(entry.algHash),
                     cipher_alg=cipher_alg,
                     sha1=None,

dissect/target/plugins/os/windows/generic.py

@@ -611,11 +611,12 @@ def sid(self) -> Iterator[ComputerSidRecord]:
 
         try:
             key = self.target.registry.key("HKLM\\SECURITY\\Policy\\PolMachineAccountS")
+            raw_sid = key.value("(Default)").value
 
             yield ComputerSidRecord(
                 ts=key.timestamp,
                 sidtype="Domain",
-                sid=read_sid(key.value("(Default)").value),
+                sid=read_sid(raw_sid) if raw_sid else None,
                 _target=self.target,
             )
         except (RegistryError, struct.error):

dissect/target/plugins/os/windows/regf/cam.py

@@ -0,0 +1,118 @@
+from typing import Iterator
+
+from dissect.util.ts import wintimestamp
+from flow.record.fieldtypes import windows_path
+
+from dissect.target.exceptions import UnsupportedPluginError
+from dissect.target.helpers.descriptor_extensions import (
+    RegistryRecordDescriptorExtension,
+    UserRecordDescriptorExtension,
+)
+from dissect.target.helpers.record import create_extended_descriptor
+from dissect.target.helpers.regutil import RegistryKey, RegistryValueNotFoundError
+from dissect.target.plugin import Plugin, export
+from dissect.target.target import Target
+
+CamRecord = create_extended_descriptor([RegistryRecordDescriptorExtension, UserRecordDescriptorExtension])(
+    "windows/registry/cam",
+    [
+        ("datetime", "ts"),
+        ("string", "device"),
+        ("string", "app_name"),
+        ("path", "path"),
+        ("datetime", "last_started"),
+        ("datetime", "last_stopped"),
+        ("varint", "duration"),
+    ],
+)
+
+
+class CamPlugin(Plugin):
+    """Plugin that iterates various Capability Access Manager registry key locations."""
+
+    CONSENT_STORES = [
+        "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore",
+        "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore",
+    ]
+
+    def __init__(self, target: Target):
+        super().__init__(target)
+        self.app_regf_keys = self._find_apps()
+
+    def _find_apps(self) -> list[RegistryKey]:
+        apps = []
+        for store in self.target.registry.keys(self.CONSENT_STORES):
+            for key in store.subkeys():
+                apps.append(key)
+
+        return apps
+
+    def check_compatible(self) -> None:
+        if not self.app_regf_keys:
+            raise UnsupportedPluginError("No Capability Access Manager keys found")
+
+    def yield_apps(self) -> Iterator[RegistryKey]:
+        for app in self.app_regf_keys:
+            for key in app.subkeys():
+                if key.name == "NonPackaged":  # NonPackaged registry key has more apps, so yield those apps
+                    yield from key.subkeys()
+                else:
+                    yield key
+
+    @export(record=CamRecord)
+    def cam(self) -> Iterator[CamRecord]:
+        """Iterate Capability Access Manager key locations.
+
+        The Capability Access Manager keeps track of processes that access I/O devices, like the webcam or microphone.
+        Applications are divided into packaged and non-packaged applications meaning Microsoft or
+        non-Microsoft applications.
+
+        References:
+            - https://docs.velociraptor.app/exchange/artifacts/pages/windows.registry.capabilityaccessmanager/
+            - https://svch0st.medium.com/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072
+
+        Yields ``CamRecord`` with the following fields:
+
+        .. code-block:: text
+
+            hostname (string): The target hostname.
+            domain (string): The target domain.
+            ts (datetime): The modification timestamp of the registry key.
+            device (string): Name of the device privacy permission where asked for.
+            app_name (string): The name of the application.
+            path (path): The possible path to the application.
+            last_started (datetime): When the application last started using the device.
+            last_stopped (datetime): When the application last stopped using the device.
+            duration (datetime): How long the application used the device (seconds).
+        """
+
+        for key in self.yield_apps():
+            last_started = None
+            last_stopped = None
+            duration = None
+
+            try:
+                last_started = wintimestamp(key.value("LastUsedTimeStart").value)
+            except RegistryValueNotFoundError:
+                self.target.log.warning("No LastUsedTimeStart for application: %s", key.name)
+
+            try:
+                last_stopped = wintimestamp(key.value("LastUsedTimeStop").value)
+            except RegistryValueNotFoundError:
+                self.target.log.warning("No LastUsedTimeStop for application: %s", key.name)
+
+            if last_started and last_stopped:
+                duration = (last_stopped - last_started).seconds
+
+            yield CamRecord(
+                ts=key.ts,
+                device=key.path.split("\\")[-2],
+                app_name=key.name,
+                path=windows_path(key.name.replace("#", "\\")) if "#" in key.name else None,
+                last_started=last_started,
+                last_stopped=last_stopped,
+                duration=duration,
+                _target=self.target,
+                _key=key,
+                _user=self.target.registry.get_user(key),
+            )

dissect/target/plugins/os/windows/task_helpers/tasks_xml.py

@@ -1,3 +1,5 @@
+from __future__ import annotations
+
 import warnings
 from typing import Iterator, Optional
 from xml.etree.ElementTree import Element
@@ -157,8 +159,8 @@ def strip_namespace(self, data: Element) -> Element:
         return data
 
     def get_element(
-        self, xml_path: str, xml_data: Optional[Element] = None, attribute: Optional[str] = None
-    ) -> Optional[str]:
+        self, xml_path: str, xml_data: Element | None = None, attribute: Optional[str] = None
+    ) -> str | None:
         """Get the value of the specified XML element.
 
         Args:
@@ -179,7 +181,7 @@ def get_element(
 
         return data.text
 
-    def get_raw(self, xml_path: Optional[str] = None) -> str:
+    def get_raw(self, xml_path: str | None = None) -> str:
         """Get the raw XML data of the specified element.
 
         Args:

dissect/target/plugins/os/windows/tasks.py

@@ -1,21 +1,16 @@
 from __future__ import annotations
 
-import logging
-import warnings
-from typing import Iterator, Union
+from typing import Iterator
 
 from flow.record import GroupedRecord
 
 from dissect.target import Target
-from dissect.target.exceptions import UnsupportedPluginError
+from dissect.target.exceptions import InvalidTaskError, UnsupportedPluginError
 from dissect.target.helpers.record import DynamicDescriptor, TargetRecordDescriptor
 from dissect.target.plugin import Plugin, export
 from dissect.target.plugins.os.windows.task_helpers.tasks_job import AtTask
 from dissect.target.plugins.os.windows.task_helpers.tasks_xml import ScheduledTasks
 
-warnings.simplefilter(action="ignore", category=FutureWarning)
-log = logging.getLogger(__name__)
-
 TaskRecord = TargetRecordDescriptor(
     "filesystem/windows/task",
     [
@@ -118,7 +113,7 @@ def check_compatible(self) -> None:
             raise UnsupportedPluginError("No task files")
 
     @export(record=DynamicDescriptor(["path", "datetime"]))
-    def tasks(self) -> Iterator[Union[TaskRecord, GroupedRecord]]:
+    def tasks(self) -> Iterator[TaskRecord | GroupedRecord]:
         """Return all scheduled tasks on a Windows system.
 
         On a Windows system, a scheduled task is a program or script that is executed on a specific time or at specific
@@ -132,7 +127,12 @@ def tasks(self) -> Iterator[Union[TaskRecord, GroupedRecord]]:
         """
         for task_file in self.task_files:
             if not task_file.suffix or task_file.suffix == ".xml":
-                task_objects = ScheduledTasks(task_file).tasks
+                try:
+                    task_objects = ScheduledTasks(task_file).tasks
+                except InvalidTaskError as e:
+                    self.target.log.warning("Invalid task file encountered: %s", task_file)
+                    self.target.log.debug("", exc_info=e)
+                    continue
             else:
                 task_objects = [AtTask(task_file, self.target)]
 

tests/_data/plugins/os/unix/log/journal/system.journal

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bd34a41863a93619bff6389d760dd3417652dc42083776bd8a13fa6a0725178e
+size 8388608

tests/_data/plugins/os/unix/log/journal/unused.journal

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:eb19305d131360a8b6ea15f8db3c906cb0bb10c92e2b29a3155cbbcf67cc53c2
+size 8388608

tests/_data/plugins/os/unix/log/journal/user-1000.journal

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d5dfb012b37018e9c39826ab0f44cd583045964c417e19bbaacbaefa74122da0
+size 16777216