dissect.target.plugins.os.windows.catroot

Module Contents

Classes

CatrootPlugin

Catroot plugin.

Functions

Attributes

dissect.target.plugins.os.windows.catroot.HINT_NEEDLE = b'\x1e\x08\x00H\x00i\x00n\x00t'
dissect.target.plugins.os.windows.catroot.MD5_NEEDLE = b'\x06\x08*\x86H\x86\xf7\r\x02\x05'
dissect.target.plugins.os.windows.catroot.SHA1_NEEDLE = b'\x06\x05+\x0e\x03\x02\x1a'
dissect.target.plugins.os.windows.catroot.SHA_GENERIC_NEEDLE = b'\x06\t\x08\x86H\x01e\x03\x04\x02'
dissect.target.plugins.os.windows.catroot.CatrootRecord
dissect.target.plugins.os.windows.catroot.findall(buf, needle)
class dissect.target.plugins.os.windows.catroot.CatrootPlugin(target)

Bases: dissect.target.plugin.Plugin

Catroot plugin.

Parses catroot files for hashes and file hints.

check_compatible() -> None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

catroot()

Return the content of the catalog files in the CatRoot folder.

A catalog file contains a collection of cryptographic hashes, or thumbprints. These files are generally used to verify the integrity of Windows operating system files, in place of per-file Authenticode signatures.

References

Yields CatrootRecords with the following fields:

hostname (string): The target hostname.

domain (string): The target domain.

digest (digest): The parsed digest.

hint (path): File hint, if present.

source (path): Source catroot file.
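
The needle attributes above are DER byte patterns (SHA1_NEEDLE is the encoded SHA-1 object identifier). The following added example, which is not dissect's own code, shows one way such a needle can locate digests in raw catalog bytes. The helper names (`find_offsets`, `read_tlv`, `sha1_digests`, `build_sample`) are hypothetical, the input is constructed, and the code assumes short-form DER lengths and a digest stored as an OCTET STRING directly after the algorithm identifier.

```python
import hashlib

# Needle copied from the module attributes listed on this page (DER-encoded SHA-1 OID).
SHA1_NEEDLE = b"\x06\x05+\x0e\x03\x02\x1a"


def find_offsets(buf, needle):
    """Yield each offset of needle in buf (hypothetical helper, not the module's findall)."""
    pos = buf.find(needle)
    while pos != -1:
        yield pos
        pos = buf.find(needle, pos + 1)


def read_tlv(buf, offset):
    """Read one DER TLV with a short-form length; return (tag, value, next_offset)."""
    if offset + 2 > len(buf) or buf[offset + 1] & 0x80:
        raise ValueError("truncated header or long-form length (not handled here)")
    end = offset + 2 + buf[offset + 1]
    if end > len(buf):
        raise ValueError("truncated TLV value")
    return buf[offset], buf[offset + 2:end], end


def sha1_digests(buf):
    """Return hex digests found as OCTET STRINGs right after a SHA-1 AlgorithmIdentifier."""
    found = []
    for off in find_offsets(buf, SHA1_NEEDLE):
        try:
            tag, value, nxt = read_tlv(buf, off + len(SHA1_NEEDLE))
            if tag == 0x05:  # NULL parameters closing the AlgorithmIdentifier
                tag, value, nxt = read_tlv(buf, nxt)
        except ValueError:
            continue  # needle matched by chance or data is cut off; skip it
        if tag == 0x04 and len(value) == 20:  # OCTET STRING of SHA-1 size
            found.append(value.hex())
    return found


def build_sample():
    """Constructed input: padding, one DigestInfo, then a needle cut off at the end."""
    digest = hashlib.sha1(b"constructed file content").digest()
    digest_info = b"\x30\x21\x30\x09" + SHA1_NEEDLE + b"\x05\x00\x04\x14" + digest
    return b"\x00" * 8 + digest_info + b"\xff" * 4 + SHA1_NEEDLE, digest.hex()


if __name__ == "__main__":
    sample, expected = build_sample()
    print(sha1_digests(sample), expected)
```

The length and tag checks matter when scanning by needle: a match near the end of a truncated or carved file is skipped instead of yielding a partial digest.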