diff --git a/dissect/target/plugins/os/windows/amcache.py b/dissect/target/plugins/os/windows/amcache.py
index 133462f75..ac6812dcb 100644
--- a/dissect/target/plugins/os/windows/amcache.py
+++ b/dissect/target/plugins/os/windows/amcache.py
@@ -66,7 +66,7 @@
 ("varint", "reference"),
 ("path", "path"),
 ("string", "language_code"),
- ("digest", "digests"),
+ ("digest", "digest"),
 ("string", "program_id"),
 ("string", "pe_header_checksum"),
 ("string", "pe_size_of_image"),
@@ -126,7 +126,7 @@
 [
 ("datetime", "mtime_regf"),
 ("string", "program_id"),
- ("digest", "digests"),
+ ("digest", "digest"),
 ("path", "path"),
 ("string", "hash_path"),
 ("wstring", "name"),
@@ -224,7 +224,7 @@ def parse_file(self):
 reference=int(subkey.name, 16),
 path=self.target.fs.path(subkey_data["full_path"]) if subkey_data.get("full_path") else None,
 language_code=subkey_data.get("language_code"),
- digests=[None, subkey_data["sha1"][-40:] if subkey_data.get("sha1") else None, None],
+ digest=(None, subkey_data["sha1"][-40:] if subkey_data.get("sha1") else None, None),
 program_id=subkey_data.get("program_id"),
 pe_header_checksum=subkey_data.get("pe_header_checksum"),
 pe_size_of_image=subkey_data.get("pe_size_of_image"),
@@ -468,7 +468,7 @@ def parse_inventory_application_file(self):
 yield ApplicationFileAppcompatRecord(
 mtime_regf=entry.timestamp,
 program_id=entry_data.get("ProgramId"),
- digests=[None, sha1_digest, None],
+ digest=(None, sha1_digest, None),
 path=self.target.fs.path(entry_data.get("LowerCaseLongPath")),
 link_date=parse_win_datetime(entry_data.get("LinkDate")),
 hash_path=entry_data.get("LongPathHash"),
diff --git a/dissect/target/plugins/os/windows/log/amcache.py b/dissect/target/plugins/os/windows/log/amcache.py
index a4f929435..ba0b150e0 100644
--- a/dissect/target/plugins/os/windows/log/amcache.py
+++ b/dissect/target/plugins/os/windows/log/amcache.py
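Review bot: In `parse_file` in `dissect/target/plugins/os/windows/amcache.py`, the SHA-1 slot is filled with `subkey_data["sha1"][-40:]` without checking that the registry value holds at least 40 hex characters, so a short or malformed value is handed on as if it were a hash. The other parsers touched by this commit derive the same field with `[4:]` (`create_record` in `log/amcache.py`, `syscache` in `syscache.py`), so the call sites make different assumptions about the stored format. Whether the `digest` field type rejects a wrong-length value is not visible in this diff; if it raises, one bad entry would presumably end the generator. I would document the expected layout next to the slice, e.g. `# value is expected to be a zero prefix followed by the 40-char SHA-1; keep only the hash`, and consider one shared helper that returns `None` for anything that is not 40 hex characters. The body of `parse_file` continues outside the hunk.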
@@ -31,7 +31,7 @@
 ("string", "bin_file_version"),
 ("string", "bin_product_version"),
 ("string", "binary_type"),
- ("digest", "digests"),
+ ("digest", "digest"),
 ("wstring", "file_version"),
 ("wstring", "company_name"),
 ("wstring", "file_description"),
@@ -82,11 +82,11 @@ def create_record(
 size_of_image=install_properties.get("sizeofimage"),
 file_description=install_properties.get("filedescription"),
 size=install_properties.get("size"),
- digests=[
+ digest=(
 None,
 install_properties.get("id")[4:],
 None,
- ], # remove leading zeros from the entry to create a sha1 hash
+ ), # remove leading zeros from the entry to create a sha1 hash
 company_name=install_properties.get("companyname"),
 binary_type=install_properties.get("binarytype"),
 bin_product_version=install_properties.get("binproductversion"),
diff --git a/dissect/target/plugins/os/windows/syscache.py b/dissect/target/plugins/os/windows/syscache.py
index 9bc658a53..2c4ab0de6 100644
--- a/dissect/target/plugins/os/windows/syscache.py
+++ b/dissect/target/plugins/os/windows/syscache.py
@@ -11,7 +11,7 @@
 "windows/syscache/object",
 [
 ("datetime", "regf_mtime"),
- ("digest", "digests"),
+ ("digest", "digest"),
 ("string", "program_id"),
 ("string", "file_id"),
 ("varint", "object_id"),
@@ -84,7 +84,7 @@ def syscache(self) -> Iterator[SyscacheRecord]: yield SyscacheRecord( regf_mtime=subkey.ts, - digests=[None, ae_file_id[4:] if ae_file_id else None, None], + digest=(None, ae_file_id[4:] if ae_file_id else None, None), program_id=ae_program_id, file_id=f"{file_segment}#{file_id >> 48}", object_id=subkey.value("_ObjectId_").value,
diff --git a/tests/plugins/os/windows/test_amcache.py b/tests/plugins/os/windows/test_amcache.py
index f63632006..8964fbbfb 100644
--- a/tests/plugins/os/windows/test_amcache.py
+++ b/tests/plugins/os/windows/test_amcache.py
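Review bot: In `create_record` in `dissect/target/plugins/os/windows/log/amcache.py`, `install_properties.get("id")[4:]` raises `TypeError` when an entry has no `id` key, because `.get()` returns `None` and the slice is applied unconditionally. The `syscache` hunk in this same commit guards the identical step with `ae_file_id[4:] if ae_file_id else None`, so one incomplete log entry stops this plugin where the other still yields a record with an empty digest. I would bind the value before building the record, `file_id = install_properties.get("id")`, and put `file_id[4:] if file_id else None` in the tuple. `create_record` starts and ends outside the hunk.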
@@ -133,7 +133,7 @@ def test_parse_inventory_application_file(target_win, test_file_id, expected_fil else: call_kwargs = mock_record.call_args.kwargs - assert call_kwargs.get("digests", None) == [None, expected_file_id, None] + assert call_kwargs.get("digest", None) == (None, expected_file_id, None) def test_amcache_install_entry(target_win: Target):