:py:mod:`dissect.target.plugins.os.windows.rdpcache`
====================================================

.. py:module:: dissect.target.plugins.os.windows.rdpcache


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.rdpcache.BitmapTile
   dissect.target.plugins.os.windows.rdpcache.RdpCachePlugin


Functions
~~~~~~~~~

.. autoapisummary::
   :nosignatures:

   dissect.target.plugins.os.windows.rdpcache.parse_color_data
   dissect.target.plugins.os.windows.rdpcache.tile_to_bitmap
   dissect.target.plugins.os.windows.rdpcache.wrap_square_colors_in_border
   dissect.target.plugins.os.windows.rdpcache.assemble_tiles_into_collage
   dissect.target.plugins.os.windows.rdpcache.extract_bin
   dissect.target.plugins.os.windows.rdpcache.extract_bmc


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.rdpcache.bitmap_cache_def
   dissect.target.plugins.os.windows.rdpcache.bitmap_def
   dissect.target.plugins.os.windows.rdpcache.c_bitmap_cache
   dissect.target.plugins.os.windows.rdpcache.c_bmp
   dissect.target.plugins.os.windows.rdpcache.BMP_MAGIC
   dissect.target.plugins.os.windows.rdpcache.BIN_MAGIC
   dissect.target.plugins.os.windows.rdpcache.BMP_DATA_OFFSET
   dissect.target.plugins.os.windows.rdpcache.LCS_WINDOWS_COLOR_SPACE
   dissect.target.plugins.os.windows.rdpcache.EMPTY_LOGICAL_COLOR_SPACE
   dissect.target.plugins.os.windows.rdpcache.EMPTY_PIXEL
   dissect.target.plugins.os.windows.rdpcache.BORDER_PIXEL
   dissect.target.plugins.os.windows.rdpcache.RDPCacheRecord


.. py:data:: bitmap_cache_def
   :value: Multiline-String

   .. code-block:: python

      """
      // https://www.cert.ssi.gouv.fr/actualite/CERTFR-2016-ACT-017/

      struct bin_header {
          CHAR    magic[8];
          DWORD   version;
      };

      struct bin_tile_header {
          DWORD   key1;
          DWORD   key2;
          WORD    tile_width;
          WORD    tile_height;
      };

      struct bmc_tile_header {
          DWORD   key1;
          DWORD   key2;
          WORD    tile_width;
          WORD    tile_height;
          DWORD   tile_length;
          DWORD   tile_params_unk_1: 3;
          DWORD   tile_params_compression: 1;
          DWORD   tile_params_unk_2: 28;
      };
      """


.. py:data:: bitmap_def
   :value: Multiline-String

   .. code-block:: python

      """
      // https://stackoverflow.com/questions/20864752/how-is-defined-the-data-type-fxpt2dot30-in-the-bmp-file-structure
      typedef LONG FXPT2DOT30;

      // https://learn.microsoft.com/en-us/windows/win32/api/wingdi/ns-wingdi-ciexyz
      struct CIEXYZ {
          FXPT2DOT30  ciexyzX;
          FXPT2DOT30  ciexyzY;
          FXPT2DOT30  ciexyzZ;
      };

      // https://learn.microsoft.com/en-us/windows/win32/api/wingdi/ns-wingdi-ciexyztriple
      struct CIEXYZTRIPLE {
          CIEXYZ  ciexyzRed;
          CIEXYZ  ciexyzGreen;
          CIEXYZ  ciexyzBlue;
      };

      // https://learn.microsoft.com/en-us/windows/win32/api/wingdi/ns-wingdi-bitmapfileheader
      struct BITMAPFILEHEADER {
          WORD    bfType;
          DWORD   bfSize;
          WORD    bfReserved1;
          WORD    bfReserved2;
          DWORD   bfOffBits;
      };

      // https://learn.microsoft.com/en-us/windows/win32/api/wingdi/ns-wingdi-bitmapv4header
      struct BITMAPV4HEADER {
          DWORD           bV4Size;
          LONG            bV4Width;
          LONG            bV4Height;
          WORD            bV4Planes;
          WORD            bV4BitCount;
          DWORD           bV4V4Compression;
          DWORD           bV4SizeImage;
          LONG            bV4XPelsPerMeter;
          LONG            bV4YPelsPerMeter;
          DWORD           bV4ClrUsed;
          DWORD           bV4ClrImportant;
          DWORD           bV4RedMask;
          DWORD           bV4GreenMask;
          DWORD           bV4BlueMask;
          DWORD           bV4AlphaMask;
          DWORD           bV4CSType;
          CIEXYZTRIPLE    bV4Endpoints;
          DWORD           bV4GammaRed;
          DWORD           bV4GammaGreen;
          DWORD           bV4GammaBlue;
      };
      """


.. py:data:: c_bitmap_cache

.. py:data:: c_bmp

.. py:data:: BMP_MAGIC

.. py:data:: BIN_MAGIC
   :value: b'RDP8bmp\x00'

.. py:data:: BMP_DATA_OFFSET

.. py:data:: LCS_WINDOWS_COLOR_SPACE

.. py:data:: EMPTY_LOGICAL_COLOR_SPACE

.. py:data:: EMPTY_PIXEL
   :value: b'\xff\xff\xff\x00'

.. py:data:: BORDER_PIXEL
   :value: b'\x80\x80\x80\xff'

.. py:data:: RDPCacheRecord


.. py:class:: BitmapTile

   .. py:attribute:: width
      :type: int

   .. py:attribute:: height
      :type: int

   .. py:attribute:: colors
      :type: bytes

   .. py:attribute:: is_remnant
      :type: bool
      :value: False


.. py:function:: parse_color_data(data: bytes, reverse_rows: bool = False, row_width: int = 64) -> bytes

   Parse bitmap color data.

   Optionally reverses the row order of the bitmap data, which is useful when the
   source bitmap is stored top-down (as in ``.bin`` files) but a bottom-up bitmap is
   wanted. Assumes 32 bits per pixel.


.. py:function:: tile_to_bitmap(tile: BitmapTile) -> bytes

   Given a tile, convert it to a valid bitmap file.


.. py:function:: wrap_square_colors_in_border(colors: bytes, side_length: int, border_pixel: bytes, border_thickness: int) -> bytes

   Wrap square color data in a colored border.


.. py:function:: assemble_tiles_into_collage(tiles: list[BitmapTile], border_around_tile: int = 0) -> BitmapTile

   Assemble a list of tiles into one tile containing all color data.


.. py:function:: extract_bin(fh: BinaryIO) -> collections.abc.Iterator[BitmapTile]

   Extract bitmap tiles from a ``Cache000[1-4].bin`` bitmap cache file.

   These files are found on modern Windows versions.


.. py:function:: extract_bmc(fh: BinaryIO) -> collections.abc.Iterator[BitmapTile]

   Extract bitmap tiles from ``.bmc`` cache files, which are typically found on
   older Windows versions.


.. py:class:: RdpCachePlugin(target: dissect.target.target.Target)

   Bases: :py:obj:`dissect.target.plugin.Plugin`

   Plugin to extract the RDP Bitmap Cache from a Windows target.

   .. rubric:: References

   - https://www.cert.ssi.gouv.fr/actualite/CERTFR-2016-ACT-017/

   .. py:attribute:: __namespace__
      :value: 'rdpcache'

      Defines the plugin namespace.

   .. py:attribute:: CACHE_PATH
      :value: 'AppData/Local/Microsoft/Terminal Server Client/Cache/'

   .. py:attribute:: GLOBS
      :value: ('Cache*.bin', 'bcache2*.bmc')

   .. py:method:: check_compatible() -> None

      At least one bitmap cache file with contents is necessary.

   .. py:method:: paths() -> collections.abc.Iterator[RDPCacheRecord]

      Yield paths and timestamps of RDP Cache bitmap files.

   .. py:method:: recover(output_dir: pathlib.Path, no_individual_tiles: bool, as_collage: bool, as_grid: bool, remnants: str) -> None

      Extract bitmaps from the Windows RDP client's cache files.
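The following is an added, stand-alone example written for this page; it is not
dissect.target's implementation of ``extract_bin`` or ``tile_to_bitmap``. It shows
how the ``bin_header`` / ``bin_tile_header`` and ``BITMAPFILEHEADER`` /
``BITMAPV4HEADER`` definitions above fit together: walk a ``Cache*.bin`` image tile
by tile, stop cleanly at a truncated tail, and emit one tile as a 32-bpp BMP with
the top-down rows flipped to bottom-up, as the ``parse_color_data`` docstring
describes. Two things are assumptions of this example rather than statements from
the page: that each tile's colour data immediately follows its header and is
``tile_width * tile_height * 4`` bytes long, and that the pixel byte order is BGRA.
The ``build_sample_bin`` input is constructed here and is not real cache data.

```python
"""Added example (not dissect.target's own code): parse an RDP8 bitmap cache
.bin image into tiles and write a tile out as a 32-bpp BMP.

Assumptions of this example: each tile's BGRA pixel data directly follows its
bin_tile_header and is width*height*4 bytes long; rows are stored top-down.
"""
import struct
from dataclasses import dataclass
from typing import Iterator

BIN_MAGIC = b"RDP8bmp\x00"
BIN_HEADER = struct.Struct("<8sI")        # CHAR magic[8]; DWORD version
BIN_TILE_HEADER = struct.Struct("<IIHH")  # key1, key2, tile_width, tile_height
BYTES_PER_PIXEL = 4                       # 32 bpp, BGRA (assumption)

# BITMAPFILEHEADER and BITMAPV4HEADER, field for field as in bitmap_def above.
BMP_FILE_HEADER = struct.Struct("<2sIHHI")
BMP_V4_HEADER = struct.Struct("<IiiHHIIiiII" "IIII" "I" "9i" "III")
BMP_DATA_OFFSET = BMP_FILE_HEADER.size + BMP_V4_HEADER.size  # 14 + 108 = 122
BI_BITFIELDS = 3
LCS_WINDOWS_COLOR_SPACE = 0x57696E20      # 'Win ' from wingdi.h


@dataclass
class Tile:
    key1: int
    key2: int
    width: int
    height: int
    colors: bytes  # BGRA pixels, top-down, as stored in the cache


def iter_bin_tiles(data: bytes) -> Iterator[Tile]:
    """Yield complete tiles from a Cache*.bin image; stop at a truncated tail."""
    if len(data) < BIN_HEADER.size:
        raise ValueError("file shorter than bin_header")
    magic, _version = BIN_HEADER.unpack_from(data, 0)
    if magic != BIN_MAGIC:
        raise ValueError(f"unexpected magic {magic!r}")
    offset = BIN_HEADER.size
    while offset + BIN_TILE_HEADER.size <= len(data):
        key1, key2, width, height = BIN_TILE_HEADER.unpack_from(data, offset)
        offset += BIN_TILE_HEADER.size
        length = width * height * BYTES_PER_PIXEL
        if length == 0 or offset + length > len(data):
            break  # zero-sized or cut-off tile: do not emit partial pixel data
        yield Tile(key1, key2, width, height, data[offset:offset + length])
        offset += length


def reverse_rows(colors: bytes, row_bytes: int) -> bytes:
    """Flip top-down rows into the bottom-up order a positive-height BMP expects."""
    rows = [colors[i:i + row_bytes] for i in range(0, len(colors), row_bytes)]
    return b"".join(reversed(rows))


def tile_to_bmp(tile: Tile) -> bytes:
    """Wrap a tile's BGRA data in BITMAPFILEHEADER + BITMAPV4HEADER."""
    pixels = reverse_rows(tile.colors, tile.width * BYTES_PER_PIXEL)
    info = BMP_V4_HEADER.pack(
        BMP_V4_HEADER.size, tile.width, tile.height, 1, 32, BI_BITFIELDS,
        len(pixels), 0, 0, 0, 0,
        0x00FF0000, 0x0000FF00, 0x000000FF, 0xFF000000,  # R, G, B, A masks
        LCS_WINDOWS_COLOR_SPACE, *([0] * 9), 0, 0, 0,     # endpoints, gammas
    )
    file_hdr = BMP_FILE_HEADER.pack(b"BM", BMP_DATA_OFFSET + len(pixels), 0, 0, BMP_DATA_OFFSET)
    return file_hdr + info + pixels


def build_sample_bin() -> bytes:
    """Constructed test input, not a real cache: one 2x2 tile, then a cut-off 64x64 tile."""
    red, green = b"\x00\x00\xff\xff", b"\x00\xff\x00\xff"
    blue, white = b"\xff\x00\x00\xff", b"\xff\xff\xff\xff"
    tile = BIN_TILE_HEADER.pack(0x11111111, 0x22222222, 2, 2) + red + green + blue + white
    cut = BIN_TILE_HEADER.pack(0x33333333, 0x44444444, 64, 64) + b"\x00" * 100
    return BIN_HEADER.pack(BIN_MAGIC, 1) + tile + cut


if __name__ == "__main__":
    for t in iter_bin_tiles(build_sample_bin()):
        with open(f"tile_{t.key1:08x}_{t.key2:08x}.bmp", "wb") as fh:
            fh.write(tile_to_bmp(t))
```

The truncation check matters on forensic images: a cache file recovered from a
partially overwritten or carved region will often end mid-tile, and emitting the
partial tile would put unrelated bytes into the picture. Naming output files after
``key1``/``key2`` keeps tiles traceable back to the header that produced them.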