Closed JSCU-CNI closed 3 weeks ago
Thanks for the review @Schamper. We've implemented the review feedback in https://github.com/fox-it/dissect.target/pull/711/commits/fde58ae91aaeeb1adba73c32e27d939cadee05ba. Test coverage should now be better. See the commit message for the other stuff we changed.
Is this PR good to go? :)
I'm still a little bit torn on the keyprovider thing. I don't think it's reasonable to implement a proper solution in this PR, so I'm willing to have a temporary one instead, but I'd at least want to make the InternalNamespacePlugin actually work, or if that's a bit difficult, at least have all the keyprovider plugins actually be internal only.
For reference, the idea I was leaning towards the most as a proper solution to this was nested namespaces, but that will take a smidge more work 😅. I'm a bit swamped the coming days, so if you're not willing to wait on my solution to the internal namespace stuff, feel free to have a go at it.
Another idea I had was a fancy "target keychain" that you can plug "password/key material providers" into. For example, also dump password databases into it. But I'm not sure if there's actually a real use case for that outside of this specific one. So I don't think that's a good way to go.
I've made a few changes, let me know if those work for you @JSCU-CNI.
Unfortunately target-query -l is horribly broken with these changes, but that's because that code is littered with bugs and it's almost impossible to track down where and what exactly breaks. Probably most of that is already resolved with https://github.com/fox-it/dissect.target/pull/763, and otherwise it will be picked up in that PR anyway. Sorry in the meantime @Zawadidone :wink:.
Attention: Patch coverage is 86.19529% with 41 lines in your changes missing coverage. Please review.
Project coverage is 75.59%. Comparing base (ce1e994) to head (adfc834). Report is 1 commits behind head on main.
> I've made a few changes, let me know if those work for you @JSCU-CNI.

That looks like a neat solution, thanks. I guess we can update the namespaces to dpapi.keyprovider.* once nested namespaces are fixed?

> Unfortunately target-query -l is horribly broken with these changes, but that's because that code is littered with bugs and it's almost impossible to track down where and what exactly breaks.

Is that blocking for now? I can see that get_all_records is listed, which looks like the only faulty behaviour to me.
> That looks like a neat solution, thanks. I guess we can update the namespaces to dpapi.keyprovider.* once nested namespaces are fixed?

Yes.
> Is that blocking for now? I can see that get_all_records is listed, which looks like the only faulty behaviour to me.

No, not blocking. I'd prefer #763 instead of trying to fix this. There were some other things broken as well, but it doesn't really matter :smile:.
That should fix the tests.
This PR improves several DPAPI related features:
dissect.target.plugins.os.windows.credential
_SHA256 identifier (0x800C instead of 0x8004)

The latter "dpapi provider" feature is experimental and we are keen to discuss a better InternalNamespacePlugin implementation.