From e08c0d01c258720d020073dd2f87b3369b0bff8d Mon Sep 17 00:00:00 2001
From: Stefan de Reuver <9864602+Horofic@users.noreply.github.com>
Date: Thu, 19 Dec 2024 11:45:24 +0000
Subject: [PATCH 1/5] Make Mssql errorlog plugin more robust
---
 dissect/target/plugins/os/windows/log/mssql.py | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/dissect/target/plugins/os/windows/log/mssql.py b/dissect/target/plugins/os/windows/log/mssql.py
index d56b19971..55f0a0d64 100644
--- a/dissect/target/plugins/os/windows/log/mssql.py
+++ b/dissect/target/plugins/os/windows/log/mssql.py
@@ -35,7 +35,7 @@ class MssqlPlugin(Plugin):
 __namespace__ = "mssql"
- MSSQL_KEY = "HKLM\\SOFTWARE\\Microsoft\\Microsoft SQL Server"
+ MSSQL_KEY_GLOB = "HKLM\\SOFTWARE\\Microsoft\\Microsoft SQL Server\\MSSQL*"
 FILE_GLOB = "ERRORLOG*"
 def __init__(self, target: Target):
@@ -44,7 +44,7 @@ def __init__(self, target: Target):
 def check_compatible(self) -> None:
 if not self.instances:
- raise UnsupportedPluginError("System does not seem to be running SQL Server")
+ raise UnsupportedPluginError("No Microsoft SQL Server instances have been found.")
 @export(record=MssqlErrorlogRecord)
 def errorlog(self) -> Iterator[MssqlErrorlogRecord]:
@@ -89,12 +89,12 @@ def errorlog(self) -> Iterator[MssqlErrorlogRecord]:
 buf += line
- def _find_instances(self) -> list[str, TargetPath]:
- instances = []
+ def _find_instances(self) -> set[str, TargetPath]:
+ instances: set = set()
- for subkey in self.target.registry.key(self.MSSQL_KEY).subkeys():
- if subkey.name.startswith("MSSQL") and "." in subkey.name:
- instances.append(
+ for subkey in self.target.registry.glob_ext(self.MSSQL_KEY_GLOB):
+ if "." in subkey.name:
+ instances.add(
 (
 subkey.name,
 self.target.fs.path(subkey.subkey("SQLServerAgent").value("ErrorLogFile").value).parent,
From 6d06fa7e1ad1d2ff66f6dd8b90b5fa95e931f64c Mon Sep 17 00:00:00 2001
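Review bot: The chained lookup `subkey.subkey("SQLServerAgent").value("ErrorLogFile").value` in the third hunk (`_find_instances`, kept as context here) is still unguarded, so a single matching `MSSQL*` key that lacks the `SQLServerAgent` subkey or the `ErrorLogFile` value would presumably raise out of the loop and leave the plugin with no instances at all. On a forensic target the hive is evidence rather than trusted input, so a partially uninstalled, damaged or tampered instance key should cost that one instance, not the error logs of every other instance. I would catch the registry lookup error per key (the project's `RegistryError`, which would need importing from `dissect.target.exceptions`), log it and continue; the same applies to the loop in patch 4 and to the set comprehension in patch 5, which cannot skip a single key. The function's `return` lies outside this hunk.

```python
    def _find_instances(self) -> set[str, TargetPath]:
        # … unchanged: creation of the instances set …
        for subkey in self.target.registry.glob_ext(self.MSSQL_KEY_GLOB):
            if "." not in subkey.name:
                continue
            try:
                errorlog_file = subkey.subkey("SQLServerAgent").value("ErrorLogFile").value
            except RegistryError as e:
                # Evidence may be incomplete: skip this instance, keep the others.
                self.target.log.warning("Skipping MSSQL instance %s, no ErrorLogFile: %s", subkey.name, e)
                continue
            instances.add((subkey.name, self.target.fs.path(errorlog_file).parent))
        # … unchanged: return instances (outside the hunk) …
```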
From: Stefan de Reuver <9864602+Horofic@users.noreply.github.com>
Date: Thu, 19 Dec 2024 14:55:03 +0100
Subject: [PATCH 2/5] Update dissect/target/plugins/os/windows/log/mssql.py
Co-authored-by: Erik Schamper <1254028+Schamper@users.noreply.github.com>
---
 dissect/target/plugins/os/windows/log/mssql.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dissect/target/plugins/os/windows/log/mssql.py b/dissect/target/plugins/os/windows/log/mssql.py
index 55f0a0d64..39dd86aed 100644
--- a/dissect/target/plugins/os/windows/log/mssql.py
+++ b/dissect/target/plugins/os/windows/log/mssql.py
@@ -90,7 +90,7 @@ def errorlog(self) -> Iterator[MssqlErrorlogRecord]:
 buf += line
 def _find_instances(self) -> set[str, TargetPath]:
- instances: set = set()
+ instances = set()
 for subkey in self.target.registry.glob_ext(self.MSSQL_KEY_GLOB):
 if "." in subkey.name:
From 70c037bdcb4e0e3946d8a18783c4e6b2dde44ddd Mon Sep 17 00:00:00 2001
From: Stefan de Reuver <9864602+Horofic@users.noreply.github.com>
Date: Thu, 19 Dec 2024 14:55:08 +0100
Subject: [PATCH 3/5] Update dissect/target/plugins/os/windows/log/mssql.py
Co-authored-by: Erik Schamper <1254028+Schamper@users.noreply.github.com>
---
 dissect/target/plugins/os/windows/log/mssql.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dissect/target/plugins/os/windows/log/mssql.py b/dissect/target/plugins/os/windows/log/mssql.py
index 39dd86aed..2ae5ab29f 100644
--- a/dissect/target/plugins/os/windows/log/mssql.py
+++ b/dissect/target/plugins/os/windows/log/mssql.py
@@ -44,7 +44,7 @@ def __init__(self, target: Target):
 def check_compatible(self) -> None:
 if not self.instances:
- raise UnsupportedPluginError("No Microsoft SQL Server instances have been found.")
+ raise UnsupportedPluginError("No Microsoft SQL Server instances have been found")
 @export(record=MssqlErrorlogRecord)
 def errorlog(self) -> Iterator[MssqlErrorlogRecord]:
From 913286903cd9f11b2a6a57ce42cb5ecb858d158e Mon Sep 17 00:00:00 2001
From: Stefan de Reuver <9864602+Horofic@users.noreply.github.com>
Date: Fri, 20 Dec 2024 14:04:46 +0000
Subject: [PATCH 4/5] Adjust regf glob to account for dot before instance name
---
 dissect/target/plugins/os/windows/log/mssql.py | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/dissect/target/plugins/os/windows/log/mssql.py b/dissect/target/plugins/os/windows/log/mssql.py
index 2ae5ab29f..8ae5b1a7a 100644
--- a/dissect/target/plugins/os/windows/log/mssql.py
+++ b/dissect/target/plugins/os/windows/log/mssql.py
@@ -35,7 +35,7 @@ class MssqlPlugin(Plugin):
 __namespace__ = "mssql"
- MSSQL_KEY_GLOB = "HKLM\\SOFTWARE\\Microsoft\\Microsoft SQL Server\\MSSQL*"
+ MSSQL_KEY_GLOB = "HKLM\\SOFTWARE\\Microsoft\\Microsoft SQL Server\\MSSQL*.*"
 FILE_GLOB = "ERRORLOG*"
 def __init__(self, target: Target):
@@ -93,11 +93,10 @@ def _find_instances(self) -> set[str, TargetPath]:
 instances = set()
 for subkey in self.target.registry.glob_ext(self.MSSQL_KEY_GLOB):
- if "." in subkey.name:
- instances.add(
- (
- subkey.name,
- self.target.fs.path(subkey.subkey("SQLServerAgent").value("ErrorLogFile").value).parent,
- )
+ instances.add(
+ (
+ subkey.name,
+ self.target.fs.path(subkey.subkey("SQLServerAgent").value("ErrorLogFile").value).parent,
 )
+ )
 return instances
From 2fa52c89b34068223dc86234f76edf7de6af2bbf Mon Sep 17 00:00:00 2001
From: Stefan de Reuver <9864602+Horofic@users.noreply.github.com>
Date: Thu, 2 Jan 2025 09:47:17 +0000
Subject: [PATCH 5/5] Create set comprehension
---
 dissect/target/plugins/os/windows/log/mssql.py | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)
diff --git a/dissect/target/plugins/os/windows/log/mssql.py b/dissect/target/plugins/os/windows/log/mssql.py
index 8ae5b1a7a..0ce1eaba3 100644
--- a/dissect/target/plugins/os/windows/log/mssql.py
+++ b/dissect/target/plugins/os/windows/log/mssql.py
@@ -90,13 +90,7 @@ def errorlog(self) -> Iterator[MssqlErrorlogRecord]:
 buf += line
 def _find_instances(self) -> set[str, TargetPath]:
- instances = set()
-
- for subkey in self.target.registry.glob_ext(self.MSSQL_KEY_GLOB):
- instances.add(
- (
- subkey.name,
- self.target.fs.path(subkey.subkey("SQLServerAgent").value("ErrorLogFile").value).parent,
- )
- )
- return instances
+ return {
+ (subkey.name, self.target.fs.path(subkey.subkey("SQLServerAgent").value("ErrorLogFile").value).parent)
+ for subkey in self.target.registry.glob_ext(self.MSSQL_KEY_GLOB)
+ }
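Review bot: The return annotation `set[str, TargetPath]` on the context line above the new comprehension does not describe what the comprehension builds: `set` takes a single type parameter, and the elements here are `(name, path)` 2-tuples. I would change the signature to `def _find_instances(self) -> set[tuple[str, TargetPath]]:` so that type checkers and callers unpacking the result see the real element shape. The annotation was introduced in patch 1 and is not touched by this hunk, but this is the final form of the function in the series.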