:py:mod:`dissect.target.plugins.os.windows.everything.parser`
=============================================================

.. py:module:: dissect.target.plugins.os.windows.everything.parser


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.everything.parser.EverythingVarInt
   dissect.target.plugins.os.windows.everything.parser.EverythingFSType
   dissect.target.plugins.os.windows.everything.parser.Record
   dissect.target.plugins.os.windows.everything.parser.EverythingIndexObj
   dissect.target.plugins.os.windows.everything.parser.EverythingDB


Functions
~~~~~~~~~

.. autoapisummary::
   :nosignatures:

   dissect.target.plugins.os.windows.everything.parser.version_match
   dissect.target.plugins.os.windows.everything.parser.filesystems_cstruct
   dissect.target.plugins.os.windows.everything.parser.read_varint
   dissect.target.plugins.os.windows.everything.parser.write_varint
   dissect.target.plugins.os.windows.everything.parser.parse_folder
   dissect.target.plugins.os.windows.everything.parser.read_truncated_name
   dissect.target.plugins.os.windows.everything.parser.parse_folders
   dissect.target.plugins.os.windows.everything.parser.parse_files


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.everything.parser.BZIP_HEADER
   dissect.target.plugins.os.windows.everything.parser.FILE_MAGIC
   dissect.target.plugins.os.windows.everything.parser.COMPAT_1
   dissect.target.plugins.os.windows.everything.parser.log
   dissect.target.plugins.os.windows.everything.parser.c_header_def
   dissect.target.plugins.os.windows.everything.parser.c_header


.. py:data:: BZIP_HEADER
   :value: b'BZh9'


.. py:data:: FILE_MAGIC
   :value: b'ESDb'


.. py:data:: COMPAT_1
   :value: (1, 7, 9)


.. py:data:: log


.. py:class:: EverythingVarInt

   Bases: :py:obj:`int`, :py:obj:`dissect.cstruct.BaseType`

   Integer type for use in cstruct definitions, backed by the variable-length encoding described under ``read_varint``.


.. py:data:: c_header_def
   :value: Multiline-String

   .. code-block:: python

      """
      flag EntryAttributes : uint32_t {
          has_file_size = 1,
          has_date_created = 2,
          has_date_modified = 4,
          has_date_accessed = 8,
          has_attributes = 16,
          has_folder_size = 32
      };

      struct everything_db_header {
          // Note: the first four bytes may instead equal BZIP_HEADER. In that case the whole
          // file is bzip2-compressed and must be decompressed before this header is parsed.
          char magic[4];

          // Version (patch is stored first, then minor, then major)
          uint16_t version_patch;
          uint8_t version_minor;
          uint8_t version_major;

          // Flags
          EntryAttributes entry_attributes;

          uint32_t number_of_folders;
          uint32_t number_of_files;
          EverythingVarInt number_of_filesystems;
      };
      """
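As an added worked example (not code from ``dissect.target``), the header layout above parsed with only the standard library: the bzip2 wrapper that the struct comment mentions is unwrapped by ``open_db``, the fields are read in the little-endian order of the cstruct definition, and the trailing count uses the one-byte / ``0xFF``-escaped ``int32`` encoding that the module's ``read_varint`` documents. ``build_sample`` constructs a synthetic header for the demonstration; it is not a real Everything database.

```python
import bz2
import io
import struct
from typing import BinaryIO

BZIP_HEADER = b"BZh9"
FILE_MAGIC = b"ESDb"

# EntryAttributes flag bits, copied from the cstruct definition on this page.
ENTRY_ATTRIBUTES = {
    "has_file_size": 1,
    "has_date_created": 2,
    "has_date_modified": 4,
    "has_date_accessed": 8,
    "has_attributes": 16,
    "has_folder_size": 32,
}


def _read_exact(stream: BinaryIO, n: int) -> bytes:
    """Read exactly n bytes; a short read means a truncated or corrupt file."""
    data = stream.read(n)
    if len(data) != n:
        raise EOFError(f"expected {n} bytes, got {len(data)}")
    return data


def read_varint(stream: BinaryIO) -> int:
    """One byte; the value 0xFF escapes to a little-endian int32 in the next four bytes."""
    first = _read_exact(stream, 1)[0]
    if first != 0xFF:
        return first
    return struct.unpack("<i", _read_exact(stream, 4))[0]


def write_varint(value: int) -> bytes:
    """Inverse of read_varint. 0xFF itself must take the escaped form, since that byte is the escape."""
    if 0 <= value < 0xFF:
        return bytes([value])
    return b"\xff" + struct.pack("<i", value)


def open_db(raw: bytes) -> BinaryIO:
    """Return a stream over the plain database, decompressing a bzip2 wrapper when present."""
    if raw.startswith(BZIP_HEADER):
        raw = bz2.decompress(raw)
    return io.BytesIO(raw)


def parse_header(stream: BinaryIO) -> dict:
    """Parse everything_db_header from the start of the (decompressed) stream."""
    magic = _read_exact(stream, 4)
    if magic != FILE_MAGIC:
        raise ValueError(f"not an Everything database (magic {magic!r})")
    # Patch is stored before minor and major.
    version_patch, version_minor, version_major = struct.unpack("<HBB", _read_exact(stream, 4))
    entry_attributes, number_of_folders, number_of_files = struct.unpack("<III", _read_exact(stream, 12))
    number_of_filesystems = read_varint(stream)
    return {
        "version": (version_major, version_minor, version_patch),
        "entry_attributes": sorted(name for name, bit in ENTRY_ATTRIBUTES.items() if entry_attributes & bit),
        "number_of_folders": number_of_folders,
        "number_of_files": number_of_files,
        "number_of_filesystems": number_of_filesystems,
    }


def build_sample(number_of_filesystems: int = 2, compress: bool = False) -> bytes:
    """Constructed sample header (not a real database) for the demonstration and its checks."""
    raw = (
        FILE_MAGIC
        + struct.pack("<HBB", 9, 7, 1)  # version 1.7.9, patch first
        + struct.pack("<III", 1 | 2 | 4 | 16, 3, 10)  # flags, 3 folders, 10 files
        + write_varint(number_of_filesystems)
    )
    # bzip2 level 9 yields the "BZh9" stream header the module checks for.
    return bz2.compress(raw, compresslevel=9) if compress else raw


if __name__ == "__main__":
    print(parse_header(open_db(build_sample(number_of_filesystems=300, compress=True))))
```

The header counts are read with fixed widths and ``_read_exact``, so a truncated file fails with ``EOFError`` at the field boundary instead of a bare ``struct.error`` deep in the parser; the same helper is what keeps ``read_varint`` from returning garbage on a file cut inside its four-byte escape.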
.. py:data:: c_header


.. py:function:: version_match(stmt: str, cond: bool) -> str

   Used for easy filtering of version constraints in cstruct definitions.


.. py:function:: filesystems_cstruct(version: tuple[int, int, int]) -> dissect.cstruct.cstruct


.. py:class:: EverythingFSType

   Bases: :py:obj:`enum.IntEnum`

   .. py:attribute:: NTFS
      :value: 0

   .. py:attribute:: EFU
      :value: 1

   .. py:attribute:: FOLDER
      :value: 2

   .. py:attribute:: REFS
      :value: 3


.. py:class:: Record

   .. py:attribute:: file_path
      :type: str

   .. py:attribute:: size
      :type: int

   .. py:attribute:: date_created
      :type: datetime.datetime | None

   .. py:attribute:: date_modified
      :type: datetime.datetime | None

   .. py:attribute:: date_accessed
      :type: datetime.datetime | None

   .. py:attribute:: attributes
      :type: int | None

   .. py:attribute:: file_type
      :type: str


.. py:class:: EverythingIndexObj

   .. py:attribute:: fs_index
      :type: int | None
      :value: None

   .. py:attribute:: file_path
      :value: None

   .. py:attribute:: parent_index
      :value: None

   .. py:attribute:: size
      :value: None

   .. py:attribute:: date_created
      :value: None

   .. py:attribute:: date_modified
      :value: None

   .. py:attribute:: date_accessed
      :value: None

   .. py:attribute:: attributes
      :value: None

   .. py:method:: resolve_path(folder_list: list) -> str

   .. py:method:: resolve_fs(folder_list: list) -> int | None


.. py:class:: EverythingDB(fh: BinaryIO)

   .. py:attribute:: fh

   .. py:attribute:: header

   .. py:attribute:: version

   .. py:attribute:: c_filesystems

   .. py:attribute:: filesystems
      :value: []

   .. py:method:: __repr__() -> str

   .. py:method:: __iter__() -> collections.abc.Iterator[Record]


.. py:function:: read_varint(stream: BinaryIO) -> int

   Read a ``uint8``; if it equals ``0xFF``, read the next 4 bytes as an ``int32`` and use that instead. In decompiled-ish code:

   .. code-block:: c

      int v1;
      LOBYTE(v1) = read(fd, 1);
      if ( (_BYTE)v1 == 0xFF )
          v1 = read(fd, 4);
      else
          v1 = (unsigned __int8)v1;


.. py:function:: write_varint(data: int) -> bytes


.. py:function:: parse_folder(db: EverythingDB, folder: EverythingIndexObj, name: str) -> None


.. py:function:: read_truncated_name(fh: BinaryIO, current_buf: bytes = b'') -> bytes

   Read a string stored in the format used by the database. If you have called this function before, you *must* pass the previous result as ``current_buf``.

   Explanation: Everything has an "optimization" where it writes the basenames of folders (and files) to disk in alphabetical order, which lets consecutive names share a common prefix and reuse the previous name buffer. For example, if two alphabetically consecutive folders are named "AAA" and "ABCD", the first entry is stored as the data "AAA" with a ``new_byte_count`` of 3, and the second entry is stored with a ``trunc_from_prev`` of 2 (drop the last two bytes of the previous buffer, leaving "A") and a ``new_byte_count`` of 3 (the length of "BCD"); appending "BCD" reconstructs "ABCD" while saving space. The same scheme is used later when parsing filenames.


.. py:function:: parse_folders(db: EverythingDB, folder_list: list[EverythingIndexObj]) -> collections.abc.Iterator[Record]


.. py:function:: parse_files(db: EverythingDB, folder_list: list[EverythingIndexObj]) -> collections.abc.Iterator[Record]
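As an added example that is not part of ``dissect.target``, the prefix-sharing scheme described under ``read_truncated_name``, written in both directions so the round trip can be checked. The on-disk framing of the two counts is an assumption made here for illustration (both as varints, ``new_byte_count`` first); the page does not specify the real database's layout. ``front_code`` exposes the per-entry arithmetic for the "AAA" / "ABCD" case, and the reader rejects a ``trunc_from_prev`` larger than the carried buffer, a value a corrupt or hostile index could carry and one that a bare negative slice would silently mishandle.

```python
import io
import struct
from typing import BinaryIO


def _read_exact(stream: BinaryIO, n: int) -> bytes:
    data = stream.read(n)
    if len(data) != n:
        raise EOFError(f"expected {n} bytes, got {len(data)}")
    return data


def read_varint(stream: BinaryIO) -> int:
    """One byte; 0xFF escapes to a little-endian int32 (the module's varint encoding)."""
    first = _read_exact(stream, 1)[0]
    return first if first != 0xFF else struct.unpack("<i", _read_exact(stream, 4))[0]


def write_varint(value: int) -> bytes:
    return bytes([value]) if 0 <= value < 0xFF else b"\xff" + struct.pack("<i", value)


def front_code(names: list[bytes]) -> list[tuple[int, bytes]]:
    """For each name, (trunc_from_prev, new_bytes) relative to the name before it.

    The names must already be sorted, as the database writes them, for the
    shared prefixes to be long enough to save anything.
    """
    steps = []
    prev = b""
    for name in names:
        common = 0
        while common < min(len(prev), len(name)) and prev[common] == name[common]:
            common += 1
        steps.append((len(prev) - common, name[common:]))
        prev = name
    return steps


def encode_names(names: list[bytes]) -> bytes:
    """Assumed framing: varint new_byte_count, varint trunc_from_prev, then the new bytes."""
    out = bytearray()
    for trunc_from_prev, new_bytes in front_code(names):
        out += write_varint(len(new_bytes)) + write_varint(trunc_from_prev) + new_bytes
    return bytes(out)


def read_truncated_name(fh: BinaryIO, current_buf: bytes = b"") -> bytes:
    """Read one name; current_buf must be the previous name returned by this function."""
    new_byte_count = read_varint(fh)
    trunc_from_prev = read_varint(fh)
    if new_byte_count < 0 or trunc_from_prev < 0 or trunc_from_prev > len(current_buf):
        raise ValueError(f"bad name record: new={new_byte_count} trunc={trunc_from_prev} buf={len(current_buf)}")
    # Slice by explicit length: current_buf[:-trunc_from_prev] would be wrong for
    # trunc_from_prev == 0 (it yields b"" instead of keeping the whole buffer).
    kept = current_buf[: len(current_buf) - trunc_from_prev]
    return kept + _read_exact(fh, new_byte_count)


def decode_names(data: bytes, count: int) -> list[bytes]:
    fh = io.BytesIO(data)
    names, buf = [], b""
    for _ in range(count):
        buf = read_truncated_name(fh, buf)
        names.append(buf)
    return names


if __name__ == "__main__":
    # Constructed sample names, sorted as the database would store them.
    sample = [b"AAA", b"ABCD", b"ABCE", b"B", b"BA"]
    print(front_code(sample))
    print(decode_names(encode_names(sample), len(sample)))
```

Because each record is defined relative to the one before it, a single corrupted or attacker-controlled count desynchronises every later name, which is why the reader validates both counts against what it actually holds rather than trusting them.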