:py:mod:`dissect.target.plugins.os.windows.regf.shimcache`
==========================================================

.. py:module:: dissect.target.plugins.os.windows.regf.shimcache


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.regf.shimcache.SHIMCACHE_WIN_TYPE
   dissect.target.plugins.os.windows.regf.shimcache.ShimCache
   dissect.target.plugins.os.windows.regf.shimcache.ShimcachePlugin


Functions
~~~~~~~~~

.. autoapisummary::
   :nosignatures:

   dissect.target.plugins.os.windows.regf.shimcache.win_10_path
   dissect.target.plugins.os.windows.regf.shimcache.win_8_path
   dissect.target.plugins.os.windows.regf.shimcache.nt52_entry_type
   dissect.target.plugins.os.windows.regf.shimcache.nt61_entry_type


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.regf.shimcache.ShimcacheRecord
   dissect.target.plugins.os.windows.regf.shimcache.c_shimdef
   dissect.target.plugins.os.windows.regf.shimcache.c_shim
   dissect.target.plugins.os.windows.regf.shimcache.MAGIC_NT61
   dissect.target.plugins.os.windows.regf.shimcache.MAGIC_NT52
   dissect.target.plugins.os.windows.regf.shimcache.MAGIC_WIN81
   dissect.target.plugins.os.windows.regf.shimcache.MAGIC_WIN10
   dissect.target.plugins.os.windows.regf.shimcache.TYPE_VARIATIONS
   dissect.target.plugins.os.windows.regf.shimcache.ShimCacheGeneratorType


.. py:data:: ShimcacheRecord

.. py:data:: c_shimdef
   :value: Multiline-String

   .. code-block:: python

      """
      struct NT61_HEADER {
          uint32 magic;
          uint32 num_entries;
      };

      struct NT61_64_ENTRY {
          uint16 len;
          uint16 maxlen;
          uint32 _align;
          uint64 offset;
          uint64 ts;
          uint32 fileflags;
          uint32 flags;
          uint64 blobsize;
          uint64 bloboffset;
      };

      struct NT52_HEADER {
          uint32 magic;
          uint32 num_entries;
      };

      struct NT52_ENTRY_32 {
          uint16 len;
          uint16 maxlen;
          uint32 offset;
          uint64 ts;
          uint64 filesize;
      };

      struct NT52_ENTRY_64 {
          uint16 len;
          uint16 maxlen;
          uint32 _padding;
          uint64 offset;
          uint64 ts;
          uint64 filesize;
      };

      struct WIN81_ENTRY {
          uint32 magic;
          uint32 crc;
          uint32 len;
          char data[len];
      };

      struct WIN81_ENTRY_DATA {
          uint16 path_len;
          wchar path[path_len/2];
          uint16 pkg_len;
          wchar pkg[pkg_len/2];
          uint32 flags;
          uint32 a;
          uint64 ts;
          uint32 b;
      };

      struct WIN81_ENTRY_DATA_SINGLE {
          uint16 path_len;
          wchar path[path_len/2];
          uint32 flags;
      };

      struct WIN10_ENTRY {
          uint32 magic;
          uint32 crc;
          uint32 len;
          char data[len];
      };

      struct WIN10_ENTRY_DATA {
          uint16 path_len;
          wchar path[path_len/2];
          uint64 ts;
      };
      """

.. py:data:: c_shim

.. py:data:: MAGIC_NT61
   :value: 3134984174

.. py:data:: MAGIC_NT52
   :value: 3134984190

.. py:data:: MAGIC_WIN81
   :value: 1936994353

.. py:data:: MAGIC_WIN10
   :value: 1936994353

.. py:class:: SHIMCACHE_WIN_TYPE

   Bases: :py:obj:`enum.IntEnum`

   Specific shimcache versions

   .. py:attribute:: VERSION_WIN10_CREATORS
      :value: 4097

   .. py:attribute:: VERSION_WIN10
      :value: 4096

   .. py:attribute:: VERSION_WIN81
      :value: 2049

   .. py:attribute:: VERSION_NT61
      :value: 1537

   .. py:attribute:: VERSION_NT52
      :value: 1282

   .. py:attribute:: VERSION_WIN81_NO_HEADER

.. py:function:: win_10_path(ed: dissect.cstruct.Structure) -> str

.. py:function:: win_8_path(ed: dissect.cstruct.Structure) -> str

.. py:function:: nt52_entry_type(fh: bytes) -> dissect.cstruct.Structure

.. py:function:: nt61_entry_type(_) -> dissect.cstruct.Structure

.. py:data:: TYPE_VARIATIONS

.. py:exception:: CRCMismatchException(message=None, cause=None, extra=None)

   Bases: :py:obj:`dissect.target.exceptions.Error`

   Generic dissect.target error

.. py:data:: ShimCacheGeneratorType

.. py:class:: ShimCache(fh: io.BytesIO, ntversion: str, noheader: bool = False)

   .. py:method:: __iter__() -> Generator[ShimCacheGeneratorType, None, None]

   .. py:method:: identify() -> SHIMCACHE_WIN_TYPE

      Identify which SHIMCACHE version to use.

   .. py:method:: iter_win_8_plus(headers: Tuple[dissect.cstruct.Structure, dissect.cstruct.Structure], offset: int, path_finder: Callable) -> ShimCacheGeneratorType

   .. py:method:: iter_nt(header: dissect.cstruct.Structure, offset: int, header_function: Callable) -> Generator[Tuple[datetime.datetime, str], None, None]

.. py:class:: ShimcachePlugin(target: dissect.target.Target)

   Bases: :py:obj:`dissect.target.plugin.Plugin`

   Shimcache plugin.

   .. py:attribute:: KEYS
      :value: ['HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\AppCompatCache',...

   .. py:method:: check_compatible() -> None

      Perform a compatibility check with the target.

      This function should return ``None`` if the plugin is compatible with the
      current target (``self.target``). For example, check if a certain file
      exists. Otherwise it should raise an ``UnsupportedPluginError``.

      :raises UnsupportedPluginError: If the plugin could not be loaded.

   .. py:method:: shimcache() -> ShimcacheRecord

      Return the shimcache.

      The ShimCache or AppCompatCache is the Application Compatibility cache
      that Windows keeps in the registry (the ``AppCompatCache`` value under the
      keys listed in ``KEYS``) so that it can reapply compatibility shims to
      executables it has already examined. Each entry records the path of an
      executable together with the file's last modified timestamp, and on the
      NT 5.2 and NT 6.1 layouts also its file size, which makes the cache useful
      in forensic investigations as evidence that a given executable was present
      on the system.

      Two caveats for interpreting the records: ``last_modified`` is the file's
      modification time as stored in the file system, not the time the program
      ran, and an entry only shows that the compatibility infrastructure looked
      at the file. The Windows 8.1 entry layout carries a ``flags`` field; the
      Windows 10 layout in ``c_shimdef`` does not, so on Windows 10 the cache
      alone does not tell executed files apart from files that were merely
      inspected.

      .. rubric:: References

      - https://www.andreafortuna.org/2017/10/16/amcache-and-shimcache-in-forensic-analysis/

      Yields ShimcacheRecords with the following fields:

      .. code-block:: text

          hostname (string): The target hostname.
          domain (string): The target domain.
          last_modified (datetime): The last modified date.
          name (string): The value name.
          index (varint): The index of the entry.
          path (uri): The parsed path.
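The following is an added example and is not code from ``dissect.target``; it shows, with only the standard library instead of ``dissect.cstruct``, the kind of work ``ShimCache.iter_win_8_plus`` is documented to do for the ``WIN10_ENTRY`` / ``WIN10_ENTRY_DATA`` layout in ``c_shimdef``: walk the raw ``AppCompatCache`` value entry by entry, stop at the first entry whose ``magic`` is not ``MAGIC_WIN10`` (``0x73743031``, the ASCII tag ``10ts`` read as a little-endian ``uint32``, which is why ``MAGIC_WIN81`` and ``MAGIC_WIN10`` share one value), verify the ``crc`` field, and decode the UTF-16 path and FILETIME timestamp. Two details are assumptions, not taken from the page: that the value begins with a header whose first ``uint32`` is the header size (``0x30``, or ``0x34`` on 1703 and later builds) with entries following from that offset, and that ``crc`` is a standard CRC-32 (``zlib.crc32``) over ``data``. The names ``build_win10_blob``, ``parse_win10_shimcache`` and ``CRCMismatch`` are ours, and the sample blob is constructed in the example rather than captured from a system.

```python
# Added example, not dissect.target code: parse Windows 10 style AppCompatCache
# entries from a raw registry value with the standard library, following the
# WIN10_ENTRY / WIN10_ENTRY_DATA layout documented in c_shimdef.
#
# Assumptions (not stated on the page):
#  * the value starts with a header whose first uint32 is the header size
#    (0x30 on early Windows 10 builds, 0x34 from 1703) and WIN10_ENTRY records
#    follow back to back from that offset;
#  * the entry's ``crc`` field is a standard CRC-32 (zlib.crc32) over ``data``.
# The sample blob below is constructed here, not captured from a real system.
import struct
import zlib
from datetime import datetime, timedelta, timezone

MAGIC_WIN10 = 0x73743031  # b"10ts" as a little-endian uint32, same value as MAGIC_WIN10 on the page
ENTRY_HEADER = struct.Struct("<III")  # magic, crc, len
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


class CRCMismatch(ValueError):
    """Our own stand-in for the plugin's CRCMismatchException."""


def filetime_to_datetime(ts: int) -> datetime:
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ts // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def build_win10_entry(path: str, modified: datetime) -> bytes:
    """Serialise one WIN10_ENTRY: (magic, crc, len) header followed by WIN10_ENTRY_DATA."""
    path_bytes = path.encode("utf-16-le")
    data = struct.pack("<H", len(path_bytes)) + path_bytes + struct.pack("<Q", datetime_to_filetime(modified))
    return ENTRY_HEADER.pack(MAGIC_WIN10, zlib.crc32(data) & 0xFFFFFFFF, len(data)) + data


def build_win10_blob(entries, header_size: int = 0x30) -> bytes:
    """Constructed value: a zero-filled header announcing its own size, then the entries."""
    header = struct.pack("<I", header_size).ljust(header_size, b"\x00")
    return header + b"".join(build_win10_entry(path, ts) for path, ts in entries)


def parse_win10_shimcache(blob: bytes, verify_crc: bool = True):
    """Yield (index, last_modified, path) for every WIN10_ENTRY, in cache order.

    A real cache is kept most-recently-used first, so index 0 is the newest
    entry; last_modified is the file's mtime, not the time it was inserted.
    """
    offset = struct.unpack_from("<I", blob, 0)[0]  # header size (assumption, see above)
    index = 0
    while offset + ENTRY_HEADER.size <= len(blob):
        magic, crc, length = ENTRY_HEADER.unpack_from(blob, offset)
        if magic != MAGIC_WIN10:
            break  # end of the entry list (slack or an unknown layout): stop rather than guess
        data = blob[offset + ENTRY_HEADER.size : offset + ENTRY_HEADER.size + length]
        if len(data) != length:
            break  # truncated final entry
        if verify_crc and (zlib.crc32(data) & 0xFFFFFFFF) != crc:
            raise CRCMismatch(f"entry {index} at {offset:#x}: stored crc {crc:#010x} does not match data")
        path_len = struct.unpack_from("<H", data, 0)[0]
        path = data[2 : 2 + path_len].decode("utf-16-le")
        (ts,) = struct.unpack_from("<Q", data, 2 + path_len)
        yield index, filetime_to_datetime(ts), path
        offset += ENTRY_HEADER.size + length
        index += 1


# Constructed sample: two entries as a Windows 10 host might list them.
SAMPLE_ENTRIES = [
    ("C:\\Windows\\System32\\cmd.exe", datetime(2020, 1, 1, tzinfo=timezone.utc)),
    ("C:\\Users\\Public\\tool.exe", datetime(2021, 6, 15, 12, 30, tzinfo=timezone.utc)),
]
SAMPLE_BLOB = build_win10_blob(SAMPLE_ENTRIES)


def parse_sample() -> list:
    return list(parse_win10_shimcache(SAMPLE_BLOB))


def corrupted_sample() -> bytes:
    """Flip one byte of the first entry's path so the stored crc no longer matches."""
    blob = bytearray(SAMPLE_BLOB)
    blob[0x30 + ENTRY_HEADER.size + 2] ^= 0xFF
    return bytes(blob)


def crc_check_fires() -> bool:
    try:
        list(parse_win10_shimcache(corrupted_sample()))
    except CRCMismatch:
        return True
    return False


if __name__ == "__main__":
    for index, modified, path in parse_sample():
        print(f"{index:3d}  {modified.isoformat()}  {path}")
    print("corrupted sample rejected:", crc_check_fires())
```

Passing ``verify_crc=False`` makes the parser carve entries out of a damaged value the way a forensic tool sometimes must, at the cost of trusting whatever ``len`` and ``path_len`` say; keep the check on by default so a corrupted or hand-edited cache is reported rather than silently misread.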