:py:mod:`dissect.target.plugins.os.windows.catroot`
===================================================

.. py:module:: dissect.target.plugins.os.windows.catroot


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.catroot.CatrootPlugin


Functions
~~~~~~~~~

.. autoapisummary::
   :nosignatures:

   dissect.target.plugins.os.windows.catroot.findall
   dissect.target.plugins.os.windows.catroot.find_package_name


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.catroot.HAS_ASN1
   dissect.target.plugins.os.windows.catroot.HINT_NEEDLE
   dissect.target.plugins.os.windows.catroot.PACKAGE_NAME_NEEDLE
   dissect.target.plugins.os.windows.catroot.DIGEST_NEEDLES
   dissect.target.plugins.os.windows.catroot.CatrootRecord


.. py:data:: HAS_ASN1
   :value: True


.. py:data:: HINT_NEEDLE
   :value: b'\x1e\x08\x00H\x00i\x00n\x00t'


.. py:data:: PACKAGE_NAME_NEEDLE
   :value: b'\x06\n+\x06\x01\x04\x01\x827\x0c\x02\x01'


.. py:data:: DIGEST_NEEDLES


.. py:data:: CatrootRecord


.. py:function:: findall(buf: bytes, needle: bytes) -> Iterator[int]


.. py:function:: find_package_name(hint_buf: bytes) -> Optional[str]

   Find a sequence that contains the 'PackageName' key and return the value if present.


.. py:class:: CatrootPlugin(target)

   Bases: :py:obj:`dissect.target.plugin.Plugin`

   Catroot plugin.

   Parses catroot files for hashes and file hints.

   .. py:attribute:: __namespace__
      :value: 'catroot'


   .. py:method:: check_compatible() -> None

      Perform a compatibility check with the target.

      This function should return ``None`` if the plugin is compatible with the current target (``self.target``).
      For example, check if a certain file exists.
      Otherwise it should raise an ``UnsupportedPluginError``.

      :raises UnsupportedPluginError: If the plugin could not be loaded.


   .. py:method:: files() -> Iterator[CatrootRecord]

      Return the content of the catalog files in the CatRoot folder.

      A catalog file contains a collection of cryptographic hashes, or thumbprints.
      These files are generally used to verify the integrity of Windows operating system files,
      instead of per-file Authenticode signatures.

      At the moment, parsing catalog files is done on a best-effort basis.
      ``asn1crypto`` is not able to fully parse the ``encap_content_info``,
      most likely because Microsoft uses its own format.
      Future research should result in a more resilient and complete implementation of the ``catroot.files`` plugin.

      .. rubric:: References

      - https://www.thewindowsclub.com/catroot-catroot2-folder-reset-windows
      - https://docs.microsoft.com/en-us/windows-hardware/drivers/install/catalog-files

      Yields CatrootRecords with the following fields:

          hostname (string): The target hostname.
          domain (string): The target domain.
          digest (digest): The parsed digest.
          hints (string[]): File hints, if present.
          catroot_name (string): Catroot name.
          source (path): Source of the catroot record.


   .. py:method:: catdb() -> Iterator[CatrootRecord]

      Return the hash values present in the catdb files in the catroot2 folder.

      The catdb file is an ESE database file that contains the digests of the catalog files present on the system.
      This database is used to speed up the process of validating a Portable Executable (PE) file.

      Note: catalog files can include file hints, however these seem not to be present in the catdb files.

      .. rubric:: References

      - https://www.thewindowsclub.com/catroot-catroot2-folder-reset-windows
      - https://docs.microsoft.com/en-us/windows-hardware/drivers/install/catalog-files

      Yields CatrootRecords with the following fields:

          hostname (string): The target hostname.
          domain (string): The target domain.
          digest (digest): The parsed digest.
          hints (string[]): File hints, if present.
          catroot_name (string): Catroot name.
          source (path): Source of the catroot record.
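The needle scan that ``findall`` and ``find_package_name`` above are built on, as an added example that is not dissect's own code: the two needles are decoded as plain DER (``HINT_NEEDLE`` is the BMPString ``Hint``, ``PACKAGE_NAME_NEEDLE`` is OID 1.3.6.1.4.1.311.12.2.1), a minimal TLV walker reads what follows a hit, and a ``find_package_name`` is run over a constructed buffer. The layout assumed after the OID needle (a SEQUENCE of a BMPString key and an OCTET STRING holding a NUL-terminated UTF-16LE value) and the sample bytes are assumptions for illustration, not the real catalog format, which the plugin itself parses only on a best-effort basis.

```python
from typing import Iterator, Optional
# Needles from the page: a DER BMPString "Hint" and a DER-encoded OID.
HINT_NEEDLE = b"\x1e\x08\x00H\x00i\x00n\x00t"
PACKAGE_NAME_NEEDLE = b"\x06\n+\x06\x01\x04\x01\x827\x0c\x02\x01"

def findall(buf: bytes, needle: bytes) -> Iterator[int]:
    """Yield every offset at which needle occurs in buf (overlaps included)."""
    i = buf.find(needle)
    while i != -1:
        yield i
        i = buf.find(needle, i + 1)

def read_tlv(buf: bytes, off: int) -> tuple[int, bytes, int]:
    """Parse one DER TLV at off; return (tag, contents, offset after it)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def decode_oid(contents: bytes) -> str:
    """Dotted OID from DER contents (first byte packs two arcs, rest base-128)."""
    arcs, acc = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def tlv(tag: int, contents: bytes) -> bytes:  # short-form DER encoder for the sample
    return bytes([tag, len(contents)]) + contents

def find_package_name(hint_buf: bytes) -> Optional[str]:
    """Assumed layout: OID needle, then SEQUENCE { BMPString key, OCTET STRING
    NUL-terminated UTF-16LE value }; return the value whose key is 'PackageName'."""
    for off in findall(hint_buf, PACKAGE_NAME_NEEDLE):
        tag, seq, _ = read_tlv(hint_buf, off + len(PACKAGE_NAME_NEEDLE))
        if tag != 0x30:
            continue
        ktag, key, nxt = read_tlv(seq, 0)
        if ktag == 0x1E and key.decode("utf-16-be") == "PackageName":
            return read_tlv(seq, nxt)[1].decode("utf-16-le").rstrip("\0")
    return None

# Constructed sample (not a real .cat file): a decoy key first, then PackageName.
DECOY = tlv(0x30, tlv(0x1E, "Other".encode("utf-16-be")) + tlv(0x04, b"\0\0"))
REAL = tlv(0x30, tlv(0x1E, "PackageName".encode("utf-16-be"))
           + tlv(0x04, "Example-Package".encode("utf-16-le") + b"\0\0"))
SAMPLE = tlv(0x30, PACKAGE_NAME_NEEDLE + DECOY + PACKAGE_NAME_NEEDLE + REAL)
```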