dissect.target.plugins.filesystem.walkfs

Module Contents

Classes

WalkFsPlugin

Filesystem agnostic walkfs plugin.

Functions

generate_record

Generate a WalkFsRecord from the given FilesystemEntry.

Attributes

FilesystemRecord

dissect.target.plugins.filesystem.walkfs.FilesystemRecord

class dissect.target.plugins.filesystem.walkfs.WalkFsPlugin(target: dissect.target.target.Target)

Bases: dissect.target.plugin.Plugin

Filesystem agnostic walkfs plugin.

check_compatible() → None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

walkfs(walkfs_path: str = '/', capability: bool = False) → collections.abc.Iterator[FilesystemRecord]

Walk a target’s filesystem and return all filesystem entries.

References

• https://man7.org/linux/man-pages/man2/lstat.2.html

• https://man7.org/linux/man-pages/man7/inode.7.html

• https://man7.org/linux/man-pages/man7/xattr.7.html

• https://man7.org/linux/man-pages/man2/execve.2.html

• https://steflan-security.com/linux-privilege-escalation-suid-binaries

• https://github.com/torvalds/linux/blob/master/include/uapi/linux/capability.h

Yields FilesystemRecords for every filesystem entry and CapabilityRecords if xattr security attributes were found in the filesystem entry and the --capability flag is set.

hostname (string): The target hostname.
domain (string): The target domain.
mtime (datetime): modified timestamp indicates the last time the contents of a file were modified.
atime (datetime): access timestamp indicates the last time a file was accessed.
ctime (datetime): changed timestamp indicates the last time metadata of a file was modified.
btime (datetime): birth timestamp indicates the time when a file was created.
ino (varint): number of the corresponding underlying filesystem inode.
path (path): path location of the entry.
size (filesize): size of the file in bytes on the filesystem.
mode (uint32): contains the file type and mode.
uid (uint32): the user id of the owner of the entry.
gid (uint32): the group id of the owner of the entry.
is_suid (boolean): denotes if the entry has the set-user-id bit set.
attr (string[]): list of key-value pair attributes separated by '='.
fs_types (string[]): list of filesystem type(s) of the entry.

dissect.target.plugins.filesystem.walkfs.generate_record(target: dissect.target.target.Target, entry: dissect.target.filesystem.FilesystemEntry, capability: bool) → collections.abc.Iterator[FilesystemRecord]

Generate a WalkFsRecord from the given FilesystemEntry.

Parameters:

• target – Target instance

• entry – FilesystemEntry instance

Returns:

Generator of FilesystemRecord for the given FilesystemEntry.