Split runkey path as command components (#688)

* Use command type for runkeys * Enable --hash for command types
fox-it · May 3, 2024 · 90fa8ae · 90fa8ae
1 parent b1bcb0d
commit 90fa8ae
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 7 deletions.
diff --git a/dissect/target/helpers/record_modifier.py b/dissect/target/helpers/record_modifier.py
@@ -62,13 +62,16 @@ def _hash_path_records(field_name: str, resolved_path: TargetPath) -> Record:
 
 def _resolve_path_types(target: Target, record: Record) -> Iterator[tuple[str, TargetPath]]:
     for field_name, field_type in record._field_types.items():
-        if not issubclass(field_type, fieldtypes.path):
+        if not issubclass(field_type, (fieldtypes.path, fieldtypes.command)):
             continue
 
         path = getattr(record, field_name, None)
         if path is None:
             continue
 
+        if isinstance(path, fieldtypes.command):
+            path = path.executable
+
         yield field_name, target.resolve(str(path))
 
 

diff --git a/dissect/target/plugins/os/windows/regf/runkeys.py b/dissect/target/plugins/os/windows/regf/runkeys.py
@@ -1,3 +1,5 @@
+from typing import Iterator
+
 from dissect.target.exceptions import UnsupportedPluginError
 from dissect.target.helpers.descriptor_extensions import (
     RegistryRecordDescriptorExtension,
@@ -11,7 +13,7 @@
     [
         ("datetime", "ts"),
         ("wstring", "name"),
-        ("string", "path"),
+        ("command", "command"),
         ("string", "key"),
     ],
 )
@@ -48,7 +50,7 @@ def check_compatible(self) -> None:
             raise UnsupportedPluginError("No registry run key found")
 
     @export(record=RunKeyRecord)
-    def runkeys(self):
+    def runkeys(self) -> Iterator[RunKeyRecord]:
         """Iterate various run key locations. See source for all locations.
 
         Run keys (Run and RunOnce) are registry keys that make a program run when a user logs on. a Run key runs every
@@ -63,7 +65,7 @@ def runkeys(self):
             domain (string): The target domain.
             ts (datetime): The registry key last modified timestamp.
             name (string): The run key name.
-            path (string): The run key path.
+            command (command): The run key command.
             key (string): The source key for this run key.
         """
         for key in self.KEYS:
@@ -73,7 +75,7 @@ def runkeys(self):
                     yield RunKeyRecord(
                         ts=r.ts,
                         name=entry.name,
-                        path=entry.value,
+                        command=entry.value,
                         key=key,
                         _target=self.target,
                         _key=r,

diff --git a/pyproject.toml b/pyproject.toml
@@ -34,7 +34,7 @@ dependencies = [
     "dissect.regf>=3.3.dev,<4.0.dev",
     "dissect.util>=3.0.dev,<4.0.dev",
     "dissect.volume>=3.0.dev,<4.0.dev",
-    "flow.record~=3.14.0",
+    "flow.record~=3.15.0",
     "structlog",
 ]
 dynamic = ["version"]

diff --git a/tests/helpers/test_modifier.py b/tests/helpers/test_modifier.py
@@ -3,7 +3,7 @@
 
 import pytest
 from flow.record import Record
-from flow.record.fieldtypes import digest, path
+from flow.record.fieldtypes import command, digest, path
 
 from dissect.target import Target
 from dissect.target.exceptions import FileNotFoundError, IsADirectoryError
@@ -32,6 +32,7 @@ def resolve_function() -> ModifierFunc:
         ({"name": path}, 2),
         ({"name": path, "test": path}, 3),
         ({"name": path, "test": str}, 2),
+        ({"name": command}, 2),
     ],
 )
 @patch("flow.record.Record")