dissect.target.plugins.os.windows._os

Module Contents

Classes

WindowsPlugin

Base class for OS plugins.

class dissect.target.plugins.os.windows._os.WindowsPlugin(target: dissect.target.target.Target)

Bases: dissect.target.plugin.OSPlugin

Base class for OS plugins.

This provides a base class for certain common functions of operating systems, which each OS plugin has to implement separately.

For example, it provides an interface for retrieving the hostname and users of a target.

All derived classes MUST implement ALL the classmethods and exported methods with the same @classmethod or @export(...) annotation.

CURRENT_VERSION_KEY = 'HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion'

classmethod detect(target: dissect.target.target.Target) -> dissect.target.filesystem.Filesystem | None

Provide detection of this OSPlugin on a given filesystem.

Parameters:

fs – Filesystem to detect the OS on.

Returns:

The root filesystem / sysvol when found.

classmethod create(target: dissect.target.target.Target, sysvol: dissect.target.filesystem.Filesystem) -> WindowsPlugin

Initiate this OSPlugin with the given target and detected filesystem.

Parameters:
  • target – The Target object.

  • sysvol – The filesystem that was detected in the detect() function.

Returns:

An instantiated version of the OSPlugin.

add_mounts() -> None

hostname() -> str | None

Return the target’s hostname.

Returns:

The hostname as string.

ips() -> list[str]

Return the IP addresses configured in the target.

Returns:

The IPs as list.

version() -> str | None

Return a string representation of the Windows version of the target.

For Windows versions before Windows 10 this looks like:

<ProductName> (NT <CurrentVersion>) <CurrentBuildNumber>.<UBR> <CSDVersion>

For Windows versions since Windows 10 this looks like:

<ProductName> (NT <CurrentMajorVersionNumber>.<CurrentMinorVersionNumber>) <CurrentBuildNumber>.<UBR> <CSDVersion>

Where the registry values used are between <...>.

Note that the <UBR> and <CSDVersion> may or may not be available, depending on whether updates and service packs are installed.

Note also that we don’t show the “version” (aka FeatureRelease) as shown by WinVer.exe, which uses the registry values:

<ReleaseId>: Windows up to Windows 10 ReleaseId <= 2004

<DisplayVersion>: from Windows 10 ReleaseId >= 2009

(DisplayVersion = 20H2 in this case)

Returns:

If any one of the registry values used in the version string can be found in the registry, a string is returned as described above. All values that cannot be found and should be present are replaced with <UNKNOWN value_name>. If none of the values can be found, None is returned.
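
Added example, not part of dissect's own code: a stand-alone formatter that follows the rules described above for version(), so the two layouts, the optional <UBR> and <CSDVersion> parts and the <UNKNOWN value_name> fallback can be checked against known values. The function name, the dict input shape and the rule that the major/minor pair selects the "since Windows 10" layout are assumptions made for this example.

```python
from __future__ import annotations

# Value names under CURRENT_VERSION_KEY that the version string is built from.
VERSION_VALUES = (
    "ProductName", "CurrentVersion", "CurrentMajorVersionNumber",
    "CurrentMinorVersionNumber", "CurrentBuildNumber", "UBR", "CSDVersion",
)


def format_windows_version(values: dict[str, object]) -> str | None:
    """Format registry values as described for WindowsPlugin.version().

    `values` maps value names to their data; a missing name or None means
    the value was not found in the registry (hypothetical input shape).
    """
    found = {k: values[k] for k in VERSION_VALUES if values.get(k) is not None}
    if not found:
        return None  # none of the values could be found

    def required(name: str) -> str:
        # Values that should be present but are not get a visible marker.
        return str(found[name]) if name in found else f"<UNKNOWN {name}>"

    # Assumption: the major/minor pair marks the "since Windows 10" layout.
    if "CurrentMajorVersionNumber" in found or "CurrentMinorVersionNumber" in found:
        nt = f"{required('CurrentMajorVersionNumber')}.{required('CurrentMinorVersionNumber')}"
    else:
        nt = required("CurrentVersion")

    build = required("CurrentBuildNumber")
    if "UBR" in found:  # optional: only present once updates are installed
        build += f".{found['UBR']}"

    version = f"{required('ProductName')} (NT {nt}) {build}"
    if "CSDVersion" in found:  # optional: only present with a service pack
        version += f" {found['CSDVersion']}"
    return version


# Constructed sample values, not taken from a real image.
WIN7 = {"ProductName": "Windows 7 Professional", "CurrentVersion": "6.1",
        "CurrentBuildNumber": "7601", "CSDVersion": "Service Pack 1"}
WIN10 = {"ProductName": "Windows 10 Pro", "CurrentVersion": "6.3",
         "CurrentMajorVersionNumber": 10, "CurrentMinorVersionNumber": 0,
         "CurrentBuildNumber": "19042", "UBR": 1052}

if __name__ == "__main__":
    for sample in (WIN7, WIN10, {"CurrentBuildNumber": "7601"}, {}):
        print(format_windows_version(sample))
```

A value such as ReleaseId or DisplayVersion on its own yields None here, because neither is one of the values used in the version string.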

architecture() -> str | None

Returns a dict containing the architecture and bitness of the system.

Returns:

arch: architecture, bitness: bits

Return type:

Dict

users() -> Iterator[dissect.target.helpers.record.WindowsUserRecord]

Return the users available in the target.

Returns:

A list of user records.

os() -> str

Return a slug of the target’s OS name.

Returns:

A slug of the OS name, e.g. ‘windows’ or ‘linux’.