tasks plugin and rdump --multi-timestamp
Closed this issue · 2 comments
l3fdb33f commented
Hi, I'm currently not able to use the --multi-timestamp argument with the output of the target-query tasks plugin:
```text
target-query -f tasks SysInternalsCase.E01 | rdump --multi-timestamp
[reading from stdin]
2023-12-08T20:08:25.193255Z [warning ] <Target SysInternalsCase.E01>: Can't identify volume system or no volumes found, adding as raw volume instead: <EwfContainer size=42947575808 vs=None> [dissect.target.target]
Traceback (most recent call last):
  File "/home/duarte/.local/bin/rdump", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/home/duarte/.local/pipx/venvs/dissect/lib/python3.11/site-packages/flow/record/utils.py", line 57, in wrapper
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/home/duarte/.local/pipx/venvs/dissect/lib/python3.11/site-packages/flow/record/tools/rdump.py", line 229, in main
    for record in iter_timestamped_records(rec):
  File "/home/duarte/.local/pipx/venvs/dissect/lib/python3.11/site-packages/flow/record/base.py", line 1032, in iter_timestamped_records
    record = extend_record(ts_record, [record], name=record_name)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/duarte/.local/pipx/venvs/dissect/lib/python3.11/site-packages/flow/record/base.py", line 971, in extend_record
    return ExtendedRecord.init_from_dict(collections.ChainMap(*kv_maps))
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/duarte/.local/pipx/venvs/dissect/lib/python3.11/site-packages/flow/record/base.py", line 546, in init_from_dict
    return self.recordType(**rdict)
           ^^^^^^^^^^^^^^^^^^^^^^^^
  File "<string>", line 101, in __init__
  File "/home/duarte/.local/pipx/venvs/dissect/lib/python3.11/site-packages/flow/record/base.py", line 154, in __setattr__
    v = field_type(v)
        ^^^^^^^^^^^^^
ValueError: invalid literal for int() with base 10: 'true'
```
I think this has something to do with the TasksRecords and not GroupRecords. I have used target-dump with tasks and this error only appears with filesystem_windows_task.jsonl, not in filesystem_windows_task_grouped.jsonl:
```text
rdump --multi-timestamp MSEDGEWIN10/tasks/filesystem_windows_task.jsonl
Traceback (most recent call last):
  File "/home/duarte/.local/bin/rdump", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/home/duarte/.local/pipx/venvs/dissect/lib/python3.11/site-packages/flow/record/utils.py", line 57, in wrapper
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/home/duarte/.local/pipx/venvs/dissect/lib/python3.11/site-packages/flow/record/tools/rdump.py", line 229, in main
    for record in iter_timestamped_records(rec):
  File "/home/duarte/.local/pipx/venvs/dissect/lib/python3.11/site-packages/flow/record/base.py", line 1032, in iter_timestamped_records
    record = extend_record(ts_record, [record], name=record_name)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/duarte/.local/pipx/venvs/dissect/lib/python3.11/site-packages/flow/record/base.py", line 971, in extend_record
    return ExtendedRecord.init_from_dict(collections.ChainMap(*kv_maps))
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/duarte/.local/pipx/venvs/dissect/lib/python3.11/site-packages/flow/record/base.py", line 546, in init_from_dict
    return self.recordType(**rdict)
           ^^^^^^^^^^^^^^^^^^^^^^^^
  File "<string>", line 101, in __init__
  File "/home/duarte/.local/pipx/venvs/dissect/lib/python3.11/site-packages/flow/record/base.py", line 154, in __setattr__
    v = field_type(v)
        ^^^^^^^^^^^^^
ValueError: invalid literal for int() with base 10: 'true'
```
yunzheng commented
I've been able to trace back the issue to https://github.com/fox-it/dissect.target/blob/688dcb965084f268ef4515c0c7b76f0908714ed3/dissect/target/plugins/os/windows/tasks.py#L45 where `allow_start_on_demand` is declared twice. Once as boolean, and once as string.
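To illustrate the diagnosis above, here is an added, constructed model of the failure (it is not flow.record's or dissect.target's code): a descriptor that declares the same field name with two types collapses to a single name-to-type entry, so the text `'true'` written for the string copy is read back through an integer-backed boolean type and fails exactly like the traceback, while a simple duplicate-name check catches the descriptor defect up front. The int-backed `boolean` that rejects the text `'true'`, the `(type, name)` descriptor shape and the sample values are assumptions of this model.

```python
# Constructed model of the bug discussed in this issue; not flow.record's code.
from collections import Counter


class boolean(int):
    """Integer-backed boolean; int() rejects the text 'true' (assumed behaviour)."""


class string(str):
    """Free-text field."""


FIELD_TYPES = {"boolean": boolean, "string": string}


def duplicate_fields(fields):
    """Return names that appear more than once in a (type, name) descriptor list."""
    counts = Counter(name for _, name in fields)
    return sorted(name for name, n in counts.items() if n > 1)


def field_map(fields):
    """Name -> type lookup. A duplicated name collapses to one entry (first wins here)."""
    types = {}
    for type_name, name in fields:
        types.setdefault(name, FIELD_TYPES[type_name])
    return types


def coerce(fields, values):
    """Cast each serialised value with the type its name resolves to."""
    types = field_map(fields)
    return {name: types[name](value) for name, value in values.items()}


def reproduce(fields, values):
    """Return the ValueError message the coercion raises, or None if it succeeds."""
    try:
        coerce(fields, values)
    except ValueError as exc:
        return str(exc)
    return None


# Descriptor shaped like the reported one: allow_start_on_demand declared twice.
BAD_FIELDS = [("boolean", "allow_start_on_demand"), ("string", "allow_start_on_demand")]
# Corrected descriptor: the name is declared once, with a single type.
GOOD_FIELDS = [("boolean", "allow_start_on_demand")]
# Constructed JSONL-style values: the text 'true' from the string copy is what gets read back.
SAMPLE = {"allow_start_on_demand": "true"}
```

Running `duplicate_fields` over every descriptor in a test suite turns this class of bug into a failing test instead of a crash at `rdump` time.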
l3fdb33f commented
Awesome, thank you so much!