dissect.target.plugins.os.windows.everything.parser

Module Contents

Classes

EverythingVarInt

int([x]) -> integer

EverythingFSType

Enum where members are also (and must be) ints

Record

EverythingIndexObj

EverythingDB

Functions

version_match

Used for easy filtering of version constraints in cstruct definitions

filesystems_cstruct

read_varint

Read a uint8; if it is equal to 0xFF, read the next 4 bytes as an int32 instead.

write_varint

parse_folder

read_truncated_name

Read a string stored in the format used by the database.

parse_folders

parse_files

Attributes

dissect.target.plugins.os.windows.everything.parser.BZIP_HEADER = b'BZh9'
dissect.target.plugins.os.windows.everything.parser.FILE_MAGIC = b'ESDb'
dissect.target.plugins.os.windows.everything.parser.COMPAT_1 = (1, 7, 9)
dissect.target.plugins.os.windows.everything.parser.log
class dissect.target.plugins.os.windows.everything.parser.EverythingVarInt

Bases: int, dissect.cstruct.BaseType


dissect.target.plugins.os.windows.everything.parser.c_header_def = Multiline-String
"""
flag EntryAttributes : uint32_t {
    has_file_size = 1,
    has_date_created = 2,
    has_date_modified = 4,
    has_date_accessed = 8,
    has_attributes = 16,
    has_folder_size = 32
};

struct everything_db_header {
    // Note - File header may be equal to `BZIP_HEADER`. In this case, file must be handled as a bzip compressed file
    char magic[4];

    // Version
    uint16_t version_patch;
    uint8_t version_minor;
    uint8_t version_major;

    // Flags
    EntryAttributes   entry_attributes;

    uint32_t number_of_folders;
    uint32_t number_of_files;
    EverythingVarInt number_of_filesystems;

};
"""
dissect.target.plugins.os.windows.everything.parser.c_header
dissect.target.plugins.os.windows.everything.parser.version_match(stmt: str, cond: bool) -> str

Used for easy filtering of version constraints in cstruct definitions

dissect.target.plugins.os.windows.everything.parser.filesystems_cstruct(version: tuple[int, int, int]) -> dissect.cstruct.cstruct
class dissect.target.plugins.os.windows.everything.parser.EverythingFSType

Bases: enum.IntEnum

Enum where members are also (and must be) ints

NTFS = 0
EFU = 1
FOLDER = 2
REFS = 3
class dissect.target.plugins.os.windows.everything.parser.Record
file_path: str
size: int
date_created: datetime.datetime | None
date_modified: datetime.datetime | None
date_accessed: datetime.datetime | None
attributes: int | None
file_type: str
class dissect.target.plugins.os.windows.everything.parser.EverythingIndexObj
fs_index: int | None = None
file_path = None
parent_index = None
size = None
date_created = None
date_modified = None
date_accessed = None
attributes = None
resolve_path(folder_list: list) -> str
resolve_fs(folder_list: list) -> int | None
class dissect.target.plugins.os.windows.everything.parser.EverythingDB(fh: BinaryIO)
fh
header
version
c_filesystems
filesystems = []
__repr__() -> str
__iter__() -> collections.abc.Iterator[Record]
dissect.target.plugins.os.windows.everything.parser.read_varint(stream: BinaryIO) -> int

Read a uint8; if it is equal to 0xFF, read the next 4 bytes as an int32 instead. In decompiled-ish code:

    int v1;
    LOBYTE(v1) = read(fd, 1);
    if ( (_BYTE)v1 == 0xFF )
        v1 = read(fd, 4);
    else
        v1 = (unsigned __int8)v1;

dissect.target.plugins.os.windows.everything.parser.write_varint(data: int) -> bytes
dissect.target.plugins.os.windows.everything.parser.parse_folder(db: EverythingDB, folder: EverythingIndexObj, name: str) -> None
dissect.target.plugins.os.windows.everything.parser.read_truncated_name(fh: BinaryIO, current_buf: bytes = b'') -> bytes

Read a string stored in the format used by the database. If you have called this function before, you must pass the previous result as current_buf.

Explanation: Everything has an "optimization" where it writes the basenames of all folders (and files) to disk in alphabetical order. This lets consecutive entries reuse the start of the previous name instead of storing it again. For example, if two alphabetically consecutive folders are named "AAA" and "ABCD", the first entry carries the data "AAA" with a new_byte_count of 3, and the second entry has a new_byte_count of 3 (the length of "BCD") and a trunc_from_prev of 3, which tells us to remove the last 3 bytes of the previous buffer before appending the new bytes, saving space. The same thing happens later on when parsing filenames.
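The following is an added example, not the dissect.target code, that implements both encodings described above: the 0xFF-escaped varint used by read_varint/write_varint and the prefix-shared name stream consumed by read_truncated_name, with an encoder so the saving and the corrupt-stream check can be exercised on a constructed set of folder names. The record layout assumed here (a varint new_byte_count, a varint trunc_from_prev, then the new bytes, with no terminator) and the sample names are assumptions of this example, not details taken from Everything's database format.

```python
import io
import struct

def write_varint(value: int) -> bytes:
    """One byte for values below 0xFF; otherwise 0xFF followed by a little-endian int32."""
    if 0 <= value < 0xFF:
        return bytes([value])
    return b"\xff" + struct.pack("<i", value)

def read_varint(stream) -> int:
    """Read a uint8; if it is 0xFF, read the next 4 bytes as an int32 instead."""
    first = stream.read(1)
    if not first:
        raise EOFError("truncated varint")
    if first != b"\xff":
        return first[0]
    return struct.unpack("<i", stream.read(4))[0]  # struct.error if fewer than 4 bytes remain

def varint_roundtrip(value: int) -> int:
    return read_varint(io.BytesIO(write_varint(value)))

def encode_names(names: list[bytes]) -> bytes:
    """Store sorted names as (new_byte_count, trunc_from_prev, new bytes) records (assumed layout)."""
    out, prev = bytearray(), b""
    for name in sorted(names):
        common = 0
        while common < min(len(prev), len(name)) and prev[common] == name[common]:
            common += 1
        new = name[common:]  # bytes not shared with the previous name
        out += write_varint(len(new)) + write_varint(len(prev) - common) + new
        prev = name
    return bytes(out)

def read_truncated_name(fh, current_buf: bytes = b"") -> bytes:
    """Rebuild one name: drop trunc_from_prev bytes from the previous buffer, then append the new bytes."""
    new_byte_count, trunc_from_prev = read_varint(fh), read_varint(fh)
    new = fh.read(new_byte_count)
    if trunc_from_prev > len(current_buf) or len(new) != new_byte_count:
        raise ValueError("corrupt or truncated name record")
    return current_buf[: len(current_buf) - trunc_from_prev] + new

def decode_names(blob: bytes, count: int) -> list[bytes]:
    fh, buf, names = io.BytesIO(blob), b"", []
    for _ in range(count):
        buf = read_truncated_name(fh, buf)  # each call needs the previous result
        names.append(buf)
    return names

# Constructed sample: consecutive basenames that share long prefixes
SAMPLE = [b"Program Files", b"Program Files (x86)", b"ProgramData", b"Users", b"Windows"]
```

Decoding a stream whose trunc_from_prev is larger than the previous buffer raises instead of silently producing a bogus path, which is the failure mode to watch for on damaged or partially overwritten index files.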

dissect.target.plugins.os.windows.everything.parser.parse_folders(db: EverythingDB, folder_list: list[EverythingIndexObj]) -> collections.abc.Iterator[Record]
dissect.target.plugins.os.windows.everything.parser.parse_files(db: EverythingDB, folder_list: list[EverythingIndexObj]) -> collections.abc.Iterator[Record]