From cafc4fb6055b1c18a03820b4f3c485bceac9b3c1 Mon Sep 17 00:00:00 2001
From: JSCU-CNI <121175071+JSCU-CNI@users.noreply.github.com>
Date: Mon, 21 Aug 2023 14:08:09 +0200
Subject: [PATCH] Improve tar loader for Windows filesystem tar files (#353)

---
 dissect/target/loaders/tar.py               |   6 ++++--
 tests/data/test-windows-fs-c-absolute.tar   | Bin 0 -> 10240 bytes
 tests/data/test-windows-fs-c-relative.tar   | Bin 0 -> 10240 bytes
 tests/data/test-windows-sysvol-absolute.tar | Bin 0 -> 10240 bytes
 tests/data/test-windows-sysvol-relative.tar | Bin 0 -> 10240 bytes
 tests/test_loaders_tar.py                   |  18 ++++++++++++++++++
 6 files changed, 22 insertions(+), 2 deletions(-)
 create mode 100644 tests/data/test-windows-fs-c-absolute.tar
 create mode 100644 tests/data/test-windows-fs-c-relative.tar
 create mode 100644 tests/data/test-windows-sysvol-absolute.tar
 create mode 100644 tests/data/test-windows-sysvol-relative.tar

diff --git a/dissect/target/loaders/tar.py b/dissect/target/loaders/tar.py
index f6f7c8b9b..f8b544802 100644
--- a/dissect/target/loaders/tar.py
+++ b/dissect/target/loaders/tar.py
@@ -42,7 +42,7 @@ def map(self, target: target.Target) -> None:
             if member.name == ".":
                 continue
 
-            if not member.name.startswith("fs/") and not member.name.startswith("/sysvol"):
+            if not member.name.startswith(("/fs", "fs/", "/sysvol", "sysvol/")):
                 if "/" not in volumes:
                     vol = filesystem.VirtualFilesystem(case_sensitive=True)
                     vol.tar = self.tar
@@ -52,8 +52,10 @@ def map(self, target: target.Target) -> None:
                 volume = volumes["/"]
                 mname = member.name
             else:
-                if not member.name.startswith("/sysvol"):
+                if not member.name.startswith(("/sysvol", "sysvol/")):
                     parts = member.name.replace("fs/", "").split("/")
+                    if parts[0] == "":
+                        parts.pop(0)
                 else:
                     parts = member.name.lstrip("/").split("/")
                 volume_name = parts[0]
diff --git a/tests/data/test-windows-fs-c-absolute.tar b/tests/data/test-windows-fs-c-absolute.tar
new file mode 100644
index 0000000000000000000000000000000000000000..1378746dcdbdad13c9e0bf7ea110d871fe091f8a
GIT binary patch
literal 10240
zcmeIx(F(#K6vlBMWlxYgHKEt&qU%^2bkT$~s<+SWZi9$m^Jf2ZBPz(@_jzO&Wpj|H
zYkvvPD8(A3a(VB?u;!Yt<C)Rg?VUB_y;j!NqH=3AGk^0D)A^oTnxAiEFQ@q*-!Zi}
zQ!n}vhJgRezgFIme~B;nE&ncrU3#TOTKJj2wqiQ}#%d?3A~U)1`Oi65P3TkGr?^Pi
wJc0lM2q1s}0tg_000IagfB*srAb<b@2q1s}0tg_000IagfB*srAW&4`1MxmWBLDyZ

literal 0
HcmV?d00001

diff --git a/tests/data/test-windows-fs-c-relative.tar b/tests/data/test-windows-fs-c-relative.tar
new file mode 100644
index 0000000000000000000000000000000000000000..dbee24cb3f2d60887a10ddab170ba852a1a34dc9
GIT binary patch
literal 10240
zcmeIxO$x#=5QgC#r6({+r$68|T)39nf(sik5%u;>yK6y2NW1Afn~(&;@O+uh>*lD>
zxBlv0UaM8g#H#CBjccssI-QBNWmOh3-CHA-sH|M2o5iC~A1;sB(&Bh8+isTs>ElCt
zmptu97z6$<|J>Mu{I~dnU-IvqJA`*g)4|XDW7zZg7m-S3o6O|i=ij-kaeZj};M1hd
vD+nNf00IagfB*srAb<b@2q1s}0tg_000IagfB*srAb<b@2q1s}0$U0U^khMm

literal 0
HcmV?d00001

diff --git a/tests/data/test-windows-sysvol-absolute.tar b/tests/data/test-windows-sysvol-absolute.tar
new file mode 100644
index 0000000000000000000000000000000000000000..71ecc8e3a8ae2689f3150c10c81aa5486a419180
GIT binary patch
literal 10240
zcmeIxO$x#=5QgC#r6({+(=-Qh;aaqUpbeP#)7zVNXN!o?X47{zfds<vd^0k1;o&cG
zcW#gV8KhXCR4V73=+9K+bGS2F+uBxUc-LB4D+;?nFOx6tA?|OfrOCrOF61cxZ5Lv5
zHRYUx&<Ffq{-sql`RACxulb+6-^5p(qlcgQ>q>m?f2E8PMV6gh`TnPvi-T`t)5b7I
x*8G700tg_000IagfB*srAb<b@2q1s}0tg_000IagfB*srAb<b@2q2JG;0-l$ML+-m

literal 0
HcmV?d00001

diff --git a/tests/data/test-windows-sysvol-relative.tar b/tests/data/test-windows-sysvol-relative.tar
new file mode 100644
index 0000000000000000000000000000000000000000..36a0a62c63ca33038f1511ed8596963e05faf366
GIT binary patch
literal 10240
zcmeIxO$x#=5QgC#r6;haX_|w$a4lLv&;*?L)7zVN*Mf+UcGGt@p-BnD^JS!yXSkO8
zi$8^zlxmLJrgF}yeoZx9hdraUZES6ZbDe%~RAJ|6W_ssC;^CfJn(nXUTgLhCI*IMg
zR9PQFAMk(qS9Rsce~BmfE&p=}oA{1dTKJj2uGM({jk8)6i_GN8=Rf6K9D|RokCG*9
wE<peR1Q0*~0R#|0009ILKmY**5I_I{1Q0*~0R#|0009ILKmY**5Li^;15J5E#{d8T

literal 0
HcmV?d00001

diff --git a/tests/test_loaders_tar.py b/tests/test_loaders_tar.py
index 39cbcaa8c..9970e7b56 100644
--- a/tests/test_loaders_tar.py
+++ b/tests/test_loaders_tar.py
@@ -1,5 +1,8 @@
+import pytest
+
 from dissect.target import Target
 from dissect.target.loaders.tar import TarLoader
+from dissect.target.plugins.os.windows._os import WindowsPlugin
 
 from ._utils import absolute_path
 
@@ -44,3 +47,18 @@ def test_tar_loader_compressed_tar_file_with_empty_dir(target_unix):
     empty_folder = target_unix.fs.path("test/empty_dir")
     assert empty_folder.exists()
     assert empty_folder.is_dir()
+
+
+@pytest.mark.parametrize(
+    "archive",
+    [
+        ("data/test-windows-sysvol-absolute.tar"),
+        ("data/test-windows-sysvol-relative.tar"),
+        ("data/test-windows-fs-c-relative.tar"),
+        ("data/test-windows-fs-c-absolute.tar"),
+    ],
+)
+def test_tar_loader_windows_sysvol_formats(target_default, archive):
+    loader = TarLoader(absolute_path(archive))
+    loader.map(target_default)
+    assert WindowsPlugin(target_default).detect(target_default)