dissect.target.plugins.os.windows.datetime

Module Contents

Classes

WindowsTimezone	A datetime.tzinfo class representing a timezone from parsed Windows TZI data.
DateTimePlugin	Base class for plugins.

Functions

parse_systemtime_transition	Return the transition datetime for a given year using the SYSTEMTIME of a STD or DST transition date.
parse_dynamic_dst	Parse dynamic DST information from a given TimeZoneInformation registry key.
parse_tzi	Parse binary TZI into a TimezoneInformation namedtuple.
get_dst_range	Get the start and end date of DST for the given year.

Attributes

tz_def
c_tz
SundayFirstCalendar
TimezoneInformation
ZERO
HOUR

dissect.target.plugins.os.windows.datetime.tz_def = Multiline-String

Show Value

"""
typedef struct _SYSTEMTIME {
    WORD wYear;
    WORD wMonth;
    WORD wDayOfWeek;
    WORD wDay;
    WORD wHour;
    WORD wMinute;
    WORD wSecond;
    WORD wMilliseconds;
} SYSTEMTIME;

typedef struct _REG_TZI_FORMAT {
    LONG Bias;
    LONG StandardBias;
    LONG DaylightBias;
    SYSTEMTIME StandardDate;
    SYSTEMTIME DaylightDate;
} REG_TZI_FORMAT;
"""

dissect.target.plugins.os.windows.datetime.c_tz

dissect.target.plugins.os.windows.datetime.SundayFirstCalendar

dissect.target.plugins.os.windows.datetime.TimezoneInformation

dissect.target.plugins.os.windows.datetime.ZERO

dissect.target.plugins.os.windows.datetime.HOUR

dissect.target.plugins.os.windows.datetime.parse_systemtime_transition(systemtime: dissect.cstruct.Instance, year: int) → datetime.datetime

Return the transition datetime for a given year using the SYSTEMTIME of a STD or DST transition date.

The SYSTEMTIME date of a TZI structure needs to be used to calculate the actual date for a given year. The wMonth member indicates the month, the wDayOfWeek member indicates the weekday and the wDay indicates the occurance of the day of the week within the month (1 to 5, where 5 indicates the final occurrence during the month if that day of the week does not occur 5 times).

Reference:

• https://docs.microsoft.com/en-us/windows/win32/api/timezoneapi/ns-timezoneapi-time_zone_information

dissect.target.plugins.os.windows.datetime.parse_dynamic_dst(key: dissect.target.helpers.regutil.RegistryKey) → Dict[int, TimezoneInformation]

Parse dynamic DST information from a given TimeZoneInformation registry key.

If a timezone has dynamic DST information, there’s a “Dynamic DST” subkey with values for each year. The FirstEntry and LastEntry contain the first and last year respectively. The TZI structure is the same as the main TimeZoneInformation TZI.

dissect.target.plugins.os.windows.datetime.parse_tzi(tzi: bytes) → TimezoneInformation

Parse binary TZI into a TimezoneInformation namedtuple.

dissect.target.plugins.os.windows.datetime.get_dst_range(tzi: TimezoneInformation, year: int) → Tuple[datetime.datetime, datetime.datetime]

Get the start and end date of DST for the given year.

class dissect.target.plugins.os.windows.datetime.WindowsTimezone(name: str, key: dissect.target.helpers.regutil.RegistryKey)

Bases: datetime.tzinfo

A datetime.tzinfo class representing a timezone from parsed Windows TZI data.

Mostly inspired by the examples in the Python documentation.

__repr__() → str

Return repr(self).

is_dst(dt: datetime.datetime) → bool

utcoffset(dt: datetime.datetime) → int

datetime -> timedelta, positive for east of UTC, negative for west of UTC

dst(dt: datetime.datetime) → datetime.timedelta

datetime -> DST offset as timedelta, positive for east of UTC.

Return 0 if DST not in effect. utcoffset() must include the DST offset.

tzname(dt: datetime.datetime) → str

datetime -> string name of time zone.

class dissect.target.plugins.os.windows.datetime.DateTimePlugin(target)

Bases: dissect.target.plugin.Plugin

Base class for plugins.

Plugins can optionally be namespaced by specifying the __namespace__ class attribute. Namespacing results in your plugin needing to be prefixed with this namespace when being called. For example, if your plugin has specified test as namespace and a function called example, you must call your plugin with test.example:

A Plugin class has the following private class attributes:

• __namespace__

• __record_descriptors__

With the following three being assigned in register():

• __plugin__

• __functions__

• __exports__

Additionally, the methods and attributes of Plugin receive more private attributes by using decorators.

The export() decorator adds the following private attributes

• __exported__

• __output__: Set with the export() decorator.

• __record__: Set with the export() decorator.

The internal() decorator and InternalPlugin set the __internal__ attribute. Finally. args() decorator sets the __args__ attribute.

Parameters:

target – The Target object to load the plugin for.

__namespace__ = 'datetime'

check_compatible()

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

tz(name: str) → datetime.tzinfo

Return a datetime.tzinfo of the given timezone name.

tzinfo() → datetime.tzinfo

Return a datetime.tzinfo of the current system timezone.

local(dt: datetime.datetime) → datetime.datetime

Replace the tzinfo of a given datetime.datetime object with the current system tzinfo without conversion.

to_utc(dt: datetime.datetime) → datetime.datetime

Convert any datetime.datetime object into a UTC datetime.datetime object.

First replaces the current tzinfo with the system tzinfo without conversion, then converts it to an aware UTC datetime object.