search

fox-it / dissect.target

The Dissect module tying all other Dissect modules together. It provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets).
GNU Affero General Public License v3.0
43 stars 44 forks source link

Improve DPAPI plugin #711

Closed JSCU-CNI closed 3 weeks ago

JSCU-CNI commented 4 months ago

This PR improves several DPAPI related features:

The latter "dpapi provider" feature is experimental and we are keen to discuss a better InternalNamespacePlugin implementation.

JSCU-CNI commented 2 months ago

Thanks for the review @Schamper. We've implemented the review feedback in https://github.com/fox-it/dissect.target/pull/711/commits/fde58ae91aaeeb1adba73c32e27d939cadee05ba. Test coverage should now be better. See the commit message for the other stuff we changed.

JSCU-CNI commented 1 month ago

Is this PR good to go? :)

Schamper commented 1 month ago

I'm still a little bit torn on the keyprovider thing. I don't think it's reasonable to implement a proper solution in this PR, so I'm willing to have a temporary one instead, but I'd at least want to make the InternalNamespacePlugin to actually work, or if that's a bit difficult, at least have all the keyprovider plugins actually be internal only.

For reference, the idea I was leaning towards the most as a proper solution to this was nested namespaces, but that will take a smidge more work 😅. I'm a bit swamped the coming days, so if you're not willing to wait on my solution to the internal namespace stuff, feel free to have a go at it.

Another idea I had was a fancy "target keychain" that you can plug "password/key material providers" into. For example, also dump password databases into it. But I'm not sure if there's actually a real use case for that outside of this specific one. So I don't think that's a good way to go.

Schamper commented 1 month ago

I've made a few changes, let me know if those work for you @JSCU-CNI.

Unfortunately target-query -l is horribly broken with these changes, but that's because that code is littered with bugs and it's almost impossible to track down where and what exactly breaks. Probably most of that is already resolved with https://github.com/fox-it/dissect.target/pull/763, and otherwise it will be picked up in that PR anyway. Sorry in the meantime @Zawadidone :wink:.

codecov[bot] commented 1 month ago

Codecov Report

Attention: Patch coverage is 86.19529% with 41 lines in your changes missing coverage. Please review.

Project coverage is 75.59%. Comparing base (ce1e994) to head (adfc834). Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
dissect/target/plugins/os/windows/dpapi/dpapi.py 76.82% 19 Missing :warning:
...issect/target/plugins/os/windows/credential/lsa.py 90.19% 10 Missing :warning:
...target/plugins/os/windows/dpapi/keyprovider/lsa.py 80.95% 4 Missing :warning:
dissect/target/plugins/os/windows/dpapi/crypto.py 91.89% 3 Missing :warning:
...t/plugins/os/windows/dpapi/keyprovider/credhist.py 85.71% 2 Missing :warning:
...issect/target/plugins/os/windows/credential/sam.py 66.66% 1 Missing :warning:
dissect/target/plugins/os/windows/dpapi/blob.py 50.00% 1 Missing :warning:
...sect/target/plugins/os/windows/dpapi/master_key.py 50.00% 1 Missing :warning:
Additional details and impacted files ```diff @@ Coverage Diff @@ ## main #711 +/- ## ========================================== + Coverage 75.52% 75.59% +0.06% ========================================== Files 305 311 +6 Lines 26363 26540 +177 ========================================== + Hits 19911 20062 +151 - Misses 6452 6478 +26 ``` | [Flag](https://app.codecov.io/gh/fox-it/dissect.target/pull/711/flags?src=pr&el=flags&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=fox-it) | Coverage Δ | | |---|---|---| | [unittests](https://app.codecov.io/gh/fox-it/dissect.target/pull/711/flags?src=pr&el=flag&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=fox-it) | `75.59% <86.19%> (+0.06%)` | :arrow_up: | Flags with carried forward coverage won't be shown. [Click here](https://docs.codecov.io/docs/carryforward-flags?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=fox-it#carryforward-flags-in-the-pull-request-comment) to find out more.

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

JSCU-CNI commented 4 weeks ago

I've made a few changes, let me know if those work for you @JSCU-CNI.

That looks like a neat solution, thanks. I guess we can update the namespaces to dpapi.keyprovider.* once nested namespaces are fixed?

Unfortunately target-query -l is horribly broken with these changes, but that's because that code is littered with bugs and it's almost impossible to track down where and what exactly breaks.

Is that blocking for now? I can see that get_all_records is listed, which looks like the only faulty behaviour to me.

Schamper commented 3 weeks ago

That looks like a neat solution, thanks. I guess we can update the namespaces to dpapi.keyprovider.* once nested namespaces are fixed?

Yes.

Is that blocking for now? I can see that get_all_records is listed, which looks like the only faulty behaviour to me.

No, not blocking. I'd prefer #763 instead of trying to fix this. There were some other things broken as well, but it doesn't really matter :smile:.

JSCU-CNI commented 3 weeks ago

That should fix the tests.