Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

tasks plugin and rdump --multi-timestamp #99

Closed
l3fdb33f opened this issue Dec 8, 2023 · 2 comments · Fixed by fox-it/dissect.target#486
Closed

tasks plugin and rdump --multi-timestamp #99

l3fdb33f opened this issue Dec 8, 2023 · 2 comments · Fixed by fox-it/dissect.target#486
Assignees
@yunzheng

Comments

@l3fdb33f
Copy link

l3fdb33f commented Dec 8, 2023

Hi, I'm currently not able to use the --multi-timestamp argument with the output of target-query the tasks plugin:

target-query -f tasks SysInternalsCase.E01 | rdump --multi-timestamp
[reading from stdin]
2023-12-08T20:08:25.193255Z [warning  ] <Target SysInternalsCase.E01>: Can't identify volume system or no volumes found, adding as raw volume instead: <EwfContainer size=42947575808 vs=None> [dissect.target.target]
Traceback (most recent call last):
  File "/home/duarte/.local/bin/rdump", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/home/duarte/.local/pipx/venvs/dissect/lib/python3.11/site-packages/flow/record/utils.py", line 57, in wrapper
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/home/duarte/.local/pipx/venvs/dissect/lib/python3.11/site-packages/flow/record/tools/rdump.py", line 229, in main
    for record in iter_timestamped_records(rec):
  File "/home/duarte/.local/pipx/venvs/dissect/lib/python3.11/site-packages/flow/record/base.py", line 1032, in iter_timestamped_records
    record = extend_record(ts_record, [record], name=record_name)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/duarte/.local/pipx/venvs/dissect/lib/python3.11/site-packages/flow/record/base.py", line 971, in extend_record
    return ExtendedRecord.init_from_dict(collections.ChainMap(*kv_maps))
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/duarte/.local/pipx/venvs/dissect/lib/python3.11/site-packages/flow/record/base.py", line 546, in init_from_dict
    return self.recordType(**rdict)
           ^^^^^^^^^^^^^^^^^^^^^^^^
  File "<string>", line 101, in __init__
  File "/home/duarte/.local/pipx/venvs/dissect/lib/python3.11/site-packages/flow/record/base.py", line 154, in __setattr__
    v = field_type(v)
        ^^^^^^^^^^^^^
ValueError: invalid literal for int() with base 10: 'true'

I think this has something to do with the TasksRecords and not GroupRecords. I have used target-dump with tasks and this error only appears with filesystem_windows_task.jsonl, not in filesystem_windows_task_grouped.jsonl:

rdump --multi-timestamp MSEDGEWIN10/tasks/filesystem_windows_task.jsonl
Traceback (most recent call last):
  File "/home/duarte/.local/bin/rdump", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/home/duarte/.local/pipx/venvs/dissect/lib/python3.11/site-packages/flow/record/utils.py", line 57, in wrapper
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/home/duarte/.local/pipx/venvs/dissect/lib/python3.11/site-packages/flow/record/tools/rdump.py", line 229, in main
    for record in iter_timestamped_records(rec):
  File "/home/duarte/.local/pipx/venvs/dissect/lib/python3.11/site-packages/flow/record/base.py", line 1032, in iter_timestamped_records
    record = extend_record(ts_record, [record], name=record_name)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/duarte/.local/pipx/venvs/dissect/lib/python3.11/site-packages/flow/record/base.py", line 971, in extend_record
    return ExtendedRecord.init_from_dict(collections.ChainMap(*kv_maps))
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/duarte/.local/pipx/venvs/dissect/lib/python3.11/site-packages/flow/record/base.py", line 546, in init_from_dict
    return self.recordType(**rdict)
           ^^^^^^^^^^^^^^^^^^^^^^^^
  File "<string>", line 101, in __init__
  File "/home/duarte/.local/pipx/venvs/dissect/lib/python3.11/site-packages/flow/record/base.py", line 154, in __setattr__
    v = field_type(v)
        ^^^^^^^^^^^^^
ValueError: invalid literal for int() with base 10: 'true'
@yunzheng yunzheng self-assigned this Dec 11, 2023
@yunzheng
Copy link
Member

I've been able to trace back the issue to https://github.com/fox-it/dissect.target/blob/688dcb965084f268ef4515c0c7b76f0908714ed3/dissect/target/plugins/os/windows/tasks.py#L45 where allow_start_on_demand is declared twice. Once as boolean, and once as string.

yunzheng added a commit to fox-it/dissect.target that referenced this issue Dec 19, 2023
@yunzheng
Remove duplicate field in TaskRecord
c09fcfd 
This fixes fox-it/flow.record#99 when used with rdump --multi-timestamp
@yunzheng yunzheng mentioned this issue Dec 19, 2023
Merged
@l3fdb33f
Copy link
Author

Awesome, thank you so much!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@yunzheng yunzheng

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Remove duplicate field in TaskRecord fox-it/dissect.target
2 participants
@yunzheng @l3fdb33f