Fix inconsistent duplicate field mappings in various plugins (part 2) (#1189)

Co-authored-by: Erik Schamper <1254028+Schamper@users.noreply.github.com>

Author: JSCU-CNI

dissect/target/helpers/regutil.py

@@ -5,7 +5,6 @@
 import fnmatch
 import re
 from collections import defaultdict
-from enum import IntEnum
 from functools import cached_property
 from io import BytesIO
 from typing import TYPE_CHECKING, BinaryIO, NewType, TextIO, Union
@@ -17,6 +16,7 @@
     RegistryKeyNotFoundError,
     RegistryValueNotFoundError,
 )
+from dissect.target.helpers.utils import IntEnumMissing
 
 if TYPE_CHECKING:
     from collections.abc import Iterator
@@ -33,7 +33,7 @@
 """The possible value types that can be returned from the registry."""
 
 
-class RegistryValueType(IntEnum):
+class RegistryValueType(IntEnumMissing):
     """Registry value types as defined in ``winnt.h``.
 
     Resources:
@@ -54,14 +54,6 @@ class RegistryValueType(IntEnum):
     RESOURCE_REQUIREMENTS_LIST = c_regf.REG_RESOURCE_REQUIREMENTS_LIST
     QWORD = c_regf.REG_QWORD
 
-    @classmethod
-    def _missing_(cls, value: int) -> IntEnum:
-        # Allow values other than defined members
-        member = int.__new__(cls, value)
-        member._name_ = None
-        member._value_ = value
-        return member
-
 
 class RegistryHive:
     """Base class for registry hives."""

dissect/target/helpers/utils.py

@@ -4,7 +4,7 @@
 import re
 import urllib.parse
 from datetime import datetime, timezone, tzinfo
-from enum import Enum
+from enum import Enum, IntEnum
 from typing import TYPE_CHECKING, BinaryIO, TypeVar
 
 from dissect.util.ts import from_unix
@@ -53,6 +53,17 @@ class StrEnum(str, Enum):
     """Sortable and serializible string-based enum."""
 
 
+class IntEnumMissing(IntEnum):
+    """Integer-based enum that allows for values other than defined members."""
+
+    @classmethod
+    def _missing_(cls, value: int) -> IntEnum:
+        member = int.__new__(cls, value)
+        member._name_ = str(value)
+        member._value_ = value
+        return member
+
+
 def parse_path_uri(path: Path) -> tuple[str | None, str | None, str | None]:
     if path is None:
         return None, None, None

dissect/target/plugins/apps/av/symantec.py

@@ -27,8 +27,8 @@
         ("path", "source_file"),
         ("string", "action_taken"),
         ("string", "virus_type"),
-        ("varint", "scan_id"),
-        ("varint", "quarantine_id"),
+        ("string", "scan_id"),
+        ("string", "quarantine_id"),
         ("varint", "virus_id"),
         ("varint", "depth"),
         ("boolean", "still_infected"),
@@ -312,7 +312,7 @@ def logs(self) -> Iterator[SEPLogRecord]:
             source_file (path): File that contains the virus.
             action_taken (string): Action taken by SEP.
             virus_type (string): Description of the type of virus.
-            scan_id (varint): ID of the scan associated with the event.
+            scan_id (string): ID of the scan associated with the event.
             event_data (string): String or bytes from a virus event.
             quarantine_id (varint): ID associated with the quarantined virus.
             still_infected (boolean): Whether the system is still infected.

dissect/target/plugins/apps/browser/browser.py

@@ -19,15 +19,15 @@
     ("path", "path"),
     ("uri", "url"),
     ("filesize", "size"),
-    ("varint", "state"),
+    ("string", "state"),
     ("path", "source"),
 ]
 
 GENERIC_EXTENSION_RECORD_FIELDS = [
     ("datetime", "ts_install"),
     ("datetime", "ts_update"),
     ("string", "browser"),
-    ("string", "id"),
+    ("string", "extension_id"),
     ("string", "name"),
     ("string", "short_name"),
     ("string", "default_title"),
@@ -58,14 +58,14 @@
 GENERIC_HISTORY_RECORD_FIELDS = [
     ("datetime", "ts"),
     ("string", "browser"),
-    ("string", "id"),
+    ("varint", "id"),
     ("uri", "url"),
     ("string", "title"),
     ("string", "description"),
     ("string", "rev_host"),
     ("varint", "visit_type"),
     ("varint", "visit_count"),
-    ("string", "hidden"),
+    ("boolean", "hidden"),
     ("string", "typed"),
     ("varint", "session"),
     ("varint", "from_visit"),

dissect/target/plugins/apps/browser/chromium.py

@@ -71,6 +71,16 @@
 """
 c_elevation = cstruct(endian="<").load(elevation_def)
 
+# Resources:
+# - https://github.com/chromium/chromium/blob/main/components/download/public/common/download_item.h
+DOWNLOAD_STATES = {
+    0: "in_progress",
+    1: "complete",
+    2: "cancelled",
+    3: "interrupted",
+    4: "interrupted",  # Older versions of Chromium can have DownloadState value 4 as interrupted.
+}
+
 
 class ChromiumMixin:
     """Mixin class with methods for Chromium-based browsers."""
@@ -363,6 +373,10 @@ def downloads(self, browser_name: str | None = None) -> Iterator[BrowserDownload
                         url = download_chain[-1].url
                         url = try_idna(url)
 
+                    # https://github.com/chromium/chromium/blob/main/components/download/public/common/download_item.h
+                    if state := row.get("state"):
+                        state = DOWNLOAD_STATES.get(state)
+
                     yield self.BrowserDownloadRecord(
                         ts_start=webkittimestamp(row.start_time),
                         ts_end=webkittimestamp(row.end_time) if row.end_time else None,
@@ -374,7 +388,7 @@ def downloads(self, browser_name: str | None = None) -> Iterator[BrowserDownload
                         url=url,
                         size=row.get("total_bytes"),
                         mime_type=row.get("mime_type"),
-                        state=row.get("state"),
+                        state=state,
                         source=db_file,
                         _target=self.target,
                         _user=user.user,
@@ -453,7 +467,7 @@ def extensions(self, browser_name: str | None = None) -> Iterator[BrowserExtensi
                             ts_install=ts_install,
                             ts_update=ts_update,
                             browser=browser_name,
-                            id=extension_id,
+                            extension_id=extension_id,
                             name=name,
                             short_name=short_name,
                             default_title=default_title,
@@ -643,7 +657,7 @@ def decryption_keys(self, local_state_path: TargetPath, username: str) -> Chromi
                         cipher = ChaCha20_Poly1305.new(key=key, nonce=data.iv)
 
                     else:
-                        raise ValueError("Unsupported ElevationService key flag {data.flag!r}")  # noqa: TRY301
+                        raise ValueError(f"Unsupported ElevationService key flag {data.flag!r}")  # noqa: TRY301
 
                     aes_key = cipher.decrypt_and_verify(data.ciphertext, data.mac_tag)
 

dissect/target/plugins/apps/browser/firefox.py

@@ -403,7 +403,7 @@ def extensions(self) -> Iterator[BrowserExtensionRecord]:
                         ts_install=from_unix_ms(extension.get("installDate", 0)),
                         ts_update=from_unix_ms(extension.get("updateDate", 0)),
                         browser="firefox",
-                        id=extension.get("id"),
+                        extension_id=extension.get("id"),
                         name=(extension.get("defaultLocale", {}) or {}).get("name"),
                         short_name=None,
                         default_title=None,

dissect/target/plugins/apps/vpn/wireguard.py

@@ -24,8 +24,8 @@
         ("string", "private_key"),
         ("varint", "listen_port"),
         ("string", "fw_mark"),
-        ("string", "dns"),
-        ("varint", "table"),
+        ("net.ipaddress[]", "dns"),
+        ("string", "table"),
         ("varint", "mtu"),
         ("string", "preup"),
         ("string", "postup"),
@@ -55,6 +55,7 @@ class WireGuardPlugin(Plugin):
     References:
         - https://manpages.debian.org/testing/wireguard-tools/wg.8.en.html#CONFIGURATION_FILE_FORMAT
         - https://github.com/pirate/wireguard-docs
+        - https://wiresock.net/documentation/wireguard/config.html
     """
 
     __namespace__ = "wireguard"
@@ -121,7 +122,7 @@ def config(self) -> Iterator[WireGuardInterfaceRecord | WireGuardPeerRecord]:
                         listen_port=config_dict("ListenPort"),
                         private_key=config_dict("PrivateKey"),
                         fw_mark=config_dict("FwMark"),
-                        dns=config_dict("DNS"),
+                        dns=[ip.strip() for ip in config_dict("DNS").split(",")] if config_dict("DNS") else None,
                         table=config_dict("Table"),
                         mtu=config_dict("MTU"),
                         preup=config_dict("PreUp"),

dissect/target/plugins/filesystem/ntfs/usnjrnl.py

@@ -17,7 +17,7 @@
     [
         ("datetime", "ts"),
         ("varint", "usn"),
-        ("string", "segment"),
+        ("string", "segment_id"),
         ("path", "path"),
         ("string", "reason"),
         ("uint32", "security_id"),
@@ -82,13 +82,13 @@ def usnjrnl(self) -> Iterator[UsnjrnlRecord]:
                     segment = segment_reference(record.record.FileReferenceNumber)
                     yield UsnjrnlRecord(
                         ts=ts,
-                        segment=f"{segment}#{record.FileReferenceNumber.SequenceNumber}",
-                        path=self.target.fs.path(path),
                         usn=record.Usn,
+                        segment_id=f"{segment}#{record.FileReferenceNumber.SequenceNumber}",
+                        path=self.target.fs.path(path),
                         reason=str(record.Reason).replace("USN_REASON.", ""),
-                        attr=str(record.FileAttributes).replace("FILE_ATTRIBUTE.", ""),
-                        source=str(record.SourceInfo).replace("USN_SOURCE.", ""),
                         security_id=record.SecurityId,
+                        source=str(record.SourceInfo).replace("USN_SOURCE.", ""),
+                        attr=str(record.FileAttributes).replace("FILE_ATTRIBUTE.", ""),
                         major=record.MajorVersion,
                         minor=record.MinorVersion,
                         _target=target,

dissect/target/plugins/os/unix/linux/sockets.py

@@ -18,7 +18,7 @@
     from dissect.target.target import Target
 
 NetSocketRecord = TargetRecordDescriptor(
-    "linux/proc/sockets",
+    "linux/proc/socket/net",
     [
         ("string", "protocol"),
         ("uint32", "rx_queue"),
@@ -37,11 +37,11 @@
 )
 
 UnixSocketRecord = TargetRecordDescriptor(
-    "linux/proc/sockets",
+    "linux/proc/socket/unix",
     [
         ("string", "protocol"),
         ("uint32", "ref"),
-        ("string", "flags"),
+        ("string", "socket_flags"),
         ("string", "type"),
         ("string", "state"),
         ("uint32", "inode"),
@@ -50,17 +50,17 @@
 )
 
 PacketSocketRecord = TargetRecordDescriptor(
-    "linux/proc/sockets",
+    "linux/proc/socket/packet",
     [
         ("string", "protocol"),
         ("string", "protocol_type"),
-        ("string", "sk"),
+        ("uint32", "socket_type"),
+        ("uint32", "sk"),
         ("uint32", "ref"),
-        ("uint32", "type"),
         ("uint32", "iface"),
         ("uint32", "r"),
         ("uint32", "rmem"),
-        ("uint32", "user"),
+        ("uint32", "uid"),
         ("string", "owner"),
         ("uint32", "inode"),
         ("uint32", "pid"),
@@ -93,14 +93,14 @@ def packet(self) -> Iterator[PacketSocketRecord]:
 
             hostname (string): The target hostname.
             domain (string): The target domain.
-            protocol (int): The captured protocol i.e. 0003 is ETH_P_ALL
-            protocol_type (str): The canonical name of the captured protocol.
-            sk (string): The socket number.
-            type (int): The integer type of the socket (packet).
+            protocol (str): packet.
+            protocol_type (str): The canonical name of the captured protocol i.e. ETH_P_ALL.
+            socket_type (int): The integer type of the socket (packet).
+            sk (int): The socket number.
             iface (int): The interface index of the socket.
             r (int): The number of bytes that have been received by the socket and are waiting to be processed.
             rmem (int): The size of the receive buffer for the socket.
-            user (int): The user ID of the process that created the socket.
+            uid (int): The user ID of the process that created the socket.
             inode (int): The inode associated to the socket.
             pid (int): The pid associated with this socket.
             name (string): The process name associated to this socket.
@@ -120,7 +120,7 @@ def unix(self) -> Iterator[UnixSocketRecord]:
             hostname (string): The target hostname.
             domain (string): The target domain.
             protocol (string): The protocol used by the socket.
-            flags (bytes): The flags associated with the socket.
+            socket_flags (bytes): The flags associated with the socket.
             type (string): The stream type of the socket.
             state (string): The state of the socket.
             inode (int): The inode associated to the socket.
@@ -210,7 +210,7 @@ def _generate_unix_socket_record(self, data: UnixSocket) -> UnixSocketRecord:
         return UnixSocketRecord(
             protocol=data.protocol_string,
             ref=data.ref,
-            flags=data.flags,
+            socket_flags=data.flags,
             type=data.stream_type_string,
             state=data.state_string,
             inode=data.inode,
@@ -222,13 +222,13 @@ def _generate_packet_socket_record(self, data: PacketSocket) -> PacketSocketReco
         return PacketSocketRecord(
             protocol=data.protocol_string,
             protocol_type=data.protocol_type,
+            socket_type=data.type,
             sk=data.sk,
             ref=data.ref,
-            type=data.type,
             iface=data.iface,
             r=data.r,
             rmem=data.rmem,
-            user=data.user,
+            uid=data.user,
             inode=data.inode,
             pid=data.pid,
             name=data.name,