dissect.target.plugins.os.windows.catroot

Module Contents

Classes

CatrootPlugin

Catroot plugin.

Functions

findall

Attributes

HINT_NEEDLE
MD5_NEEDLE
SHA1_NEEDLE
SHA_GENERIC_NEEDLE
CatrootRecord

dissect.target.plugins.os.windows.catroot.HINT_NEEDLE = b'\x1e\x08\x00H\x00i\x00n\x00t'

dissect.target.plugins.os.windows.catroot.MD5_NEEDLE = b'\x06\x08*\x86H\x86\xf7\r\x02\x05'

dissect.target.plugins.os.windows.catroot.SHA1_NEEDLE = b'\x06\x05+\x0e\x03\x02\x1a'

dissect.target.plugins.os.windows.catroot.SHA_GENERIC_NEEDLE = b'\x06\t\x08\x86H\x01e\x03\x04\x02'

dissect.target.plugins.os.windows.catroot.CatrootRecord

dissect.target.plugins.os.windows.catroot.findall(buf, needle)

class dissect.target.plugins.os.windows.catroot.CatrootPlugin(target)

Bases: dissect.target.plugin.Plugin

Catroot plugin.

Parses catroot files for hashes and file hints.

check_compatible()

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

catroot()

Return the content of the catalog files in the CatRoot folder.

A catalog file contains a collection of cryptographic hashes, or thumbprints. These files are generally used to verify the integrity of Windows operating system files, instead of per-file authenticode signatures.

References

• https://www.thewindowsclub.com/catroot-catroot2-folder-reset-windows

• https://docs.microsoft.com/en-us/windows-hardware/drivers/install/catalog-files

Yields CatrootRecords with the following fields:

hostname (string): The target hostname. domain (string): The target domain. digest (digest): The parsed digest. hint (uri): File hint, if present. source (uri): Source catroot file.