dissect.target.plugins.os.windows.catroot
Module Contents
Classes
CatrootPlugin | Catroot plugin.
Functions
Attributes
- dissect.target.plugins.os.windows.catroot.HINT_NEEDLE = b'\x1e\x08\x00H\x00i\x00n\x00t'
- dissect.target.plugins.os.windows.catroot.MD5_NEEDLE = b'\x06\x08*\x86H\x86\xf7\r\x02\x05'
- dissect.target.plugins.os.windows.catroot.SHA1_NEEDLE = b'\x06\x05+\x0e\x03\x02\x1a'
- dissect.target.plugins.os.windows.catroot.SHA_GENERIC_NEEDLE = b'\x06\t\x08\x86H\x01e\x03\x04\x02'
- dissect.target.plugins.os.windows.catroot.CatrootRecord
- dissect.target.plugins.os.windows.catroot.findall(buf, needle)
- class dissect.target.plugins.os.windows.catroot.CatrootPlugin(target)
Bases: dissect.target.plugin.Plugin
Catroot plugin.
Parses catroot files for hashes and file hints.
- check_compatible()
Perform a compatibility check with the target.
This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.
- Raises:
UnsupportedPluginError – If the plugin could not be loaded.
- catroot()
Return the content of the catalog files in the CatRoot folder.
A catalog file contains a collection of cryptographic hashes, or thumbprints. These files are generally used to verify the integrity of Windows operating system files, instead of per-file Authenticode signatures.
References
https://www.thewindowsclub.com/catroot-catroot2-folder-reset-windows
https://docs.microsoft.com/en-us/windows-hardware/drivers/install/catalog-files
- Yields CatrootRecords with the following fields:
hostname (string): The target hostname.
domain (string): The target domain.
digest (digest): The parsed digest.
hint (uri): File hint, if present.
source (uri): Source catroot file.
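The needles documented above are DER fragments, so a needle scan over a catalog buffer can be illustrated as follows. This is an added example, not dissect's own code: the body of `findall`, the helpers `decode_oid` and `digests_after`, and the sample buffer are constructed here, and the digest layout after the OID (NULL, then OCTET STRING) is an assumption based on the ASN.1 DigestInfo structure.

```python
# Needle values copied from the module attributes documented above.
HINT_NEEDLE = b"\x1e\x08\x00H\x00i\x00n\x00t"
MD5_NEEDLE = b"\x06\x08*\x86H\x86\xf7\r\x02\x05"
SHA1_NEEDLE = b"\x06\x05+\x0e\x03\x02\x1a"

def findall(buf, needle):
    """Yield every offset of needle in buf (body written for this example)."""
    offset = buf.find(needle)
    while offset != -1:
        yield offset
        offset = buf.find(needle, offset + 1)

def decode_oid(der):
    """Decode a complete DER OBJECT IDENTIFIER (first arc 0 or 1) to dotted form."""
    if der[0] != 0x06 or der[1] != len(der) - 2:
        raise ValueError("not a complete DER OID")
    arcs, value = [der[2] // 40, der[2] % 40], 0
    for byte in der[3:]:
        value = (value << 7) | (byte & 0x7F)  # base-128, high bit = continuation
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def digests_after(buf, needle, size):
    """Assumed layout: OID, NULL (05 00), OCTET STRING (04 <size>), digest."""
    header = needle + b"\x05\x00\x04" + bytes([size])
    found = []
    for offset in findall(buf, needle):
        start = offset + len(header)
        # Skip OID hits that are not followed by a full digest of this size.
        if buf[offset:start] == header and start + size <= len(buf):
            found.append(buf[start:start + size].hex())
    return found

# Constructed sample, not a real catalog: one complete SHA-1 entry, a hint
# marker, and a truncated second entry that must be ignored.
SAMPLE_DIGEST = bytes(range(0xA0, 0xB4))  # 20 placeholder bytes
SAMPLE = (b"\x30\x09" + SHA1_NEEDLE + b"\x05\x00\x04\x14" + SAMPLE_DIGEST
          + HINT_NEEDLE + b"\x30\x09" + SHA1_NEEDLE + b"\x05\x00\x04")

if __name__ == "__main__":
    print(decode_oid(MD5_NEEDLE), decode_oid(SHA1_NEEDLE))
    print(digests_after(SAMPLE, SHA1_NEEDLE, 20))
    print(list(findall(SAMPLE, HINT_NEEDLE)))
```

The header check matters on real catalogs because the same algorithm OID also appears in places that carry no member digest, so a bare needle hit is not enough to report a hash.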