dissect.target.plugins.os.windows.defender.quarantine

Module Contents

Classes

Functions

rc4_crypt

RC4 encrypt / decrypt using the Defender Quarantine RC4 Key.

recover_quarantined_file_streams

Recover the various data streams present in a quarantined file.

Attributes

dissect.target.plugins.os.windows.defender.quarantine.DefenderQuarantineRecord
dissect.target.plugins.os.windows.defender.quarantine.DefenderFileQuarantineRecord
dissect.target.plugins.os.windows.defender.quarantine.DEFENDER_QUARANTINE_RC4_KEY = [30, 135, 120, 27, 141, 186, 168, 68, 206, 105, 112, 44, 12, 120, 183, 134, 163, 246, 35, 183,...
dissect.target.plugins.os.windows.defender.quarantine.defender_def = Multiline-String
"""
/* ======== Generic Windows ======== */
/* https://learn.microsoft.com/en-us/windows/win32/api/winbase/ns-winbase-win32_stream_id */

enum STREAM_ID {
    DATA                 = 0x00000001,
    EA_DATA              = 0x00000002,
    SECURITY_DATA        = 0x00000003,
    ALTERNATE_DATA       = 0x00000004,
    LINK                 = 0x00000005,
    PROPERTY_DATA        = 0x00000006,
    OBJECT_ID            = 0x00000007,
    REPARSE_DATA         = 0x00000008,
    SPARSE_BLOCK         = 0x00000009,
    TXFS_DATA            = 0x0000000A,
    GHOSTED_FILE_EXTENTS = 0x0000000B,
};

flag STREAM_ATTRIBUTES {
    STREAM_NORMAL_ATTRIBUTE                 = 0x00000000,
    STREAM_MODIFIED_WHEN_READ               = 0x00000001,
    STREAM_CONTAINS_SECURITY                = 0x00000002,
    STREAM_CONTAINS_PROPERTIES              = 0x00000004,
    STREAM_SPARSE_ATTRIBUTE                 = 0x00000008,
    STREAM_CONTAINS_GHOSTED_FILE_EXTENTS    = 0x00000010,
};

typedef struct _WIN32_STREAM_ID {
    STREAM_ID           StreamId;
    STREAM_ATTRIBUTES   StreamAttributes;
    QWORD               Size;
    DWORD               StreamNameSize;
    WCHAR               StreamName[StreamNameSize / 2];
} WIN32_STREAM_ID;

/* ======== Defender Specific ======== */

enum FIELD_IDENTIFIER : WORD {
    CQuaResDataID_File      = 0x02,
    CQuaResDataID_Registry  = 0x03,
    Flags                   = 0x0A,
    PhysicalPath            = 0x0C,
    DetectionContext        = 0x0D,
    Unknown                 = 0x0E,
    CreationTime            = 0x0F,
    LastAccessTime          = 0x10,
    LastWriteTime           = 0x11
};

enum FIELD_TYPE : WORD {
    STRING          = 0x1,
    WSTRING         = 0x2,
    DWORD           = 0x3,
    RESOURCE_DATA   = 0x4,
    BYTES           = 0x5,
    QWORD           = 0x6,
};

struct QuarantineEntryFileHeader {
    CHAR        MagicHeader[4];
    CHAR        Unknown[4];
    CHAR        _Padding[32];
    DWORD       Section1Size;
    DWORD       Section2Size;
    DWORD       Section1CRC;
    DWORD       Section2CRC;
    CHAR        MagicFooter[4];
};

struct QuarantineEntrySection1 {
    CHAR    Id[16];
    CHAR    ScanId[16];
    QWORD   Timestamp;
    QWORD   ThreatId;
    DWORD   One;
    CHAR    DetectionName[];
};

struct QuarantineEntrySection2 {
    DWORD   EntryCount;
    DWORD   EntryOffsets[EntryCount];
};

struct QuarantineEntryResource {
    WCHAR   DetectionPath[];
    WORD    FieldCount;
    CHAR    DetectionType[];
};

struct QuarantineEntryResourceField {
    WORD        Size;
    WORD        Identifier:12;
    FIELD_TYPE  Type:4;
    CHAR        Data[Size];
};
"""
dissect.target.plugins.os.windows.defender.quarantine.c_defender
dissect.target.plugins.os.windows.defender.quarantine.STREAM_ID
dissect.target.plugins.os.windows.defender.quarantine.STREAM_ATTRIBUTES
dissect.target.plugins.os.windows.defender.quarantine.FIELD_IDENTIFIER
dissect.target.plugins.os.windows.defender.quarantine.rc4_crypt(data: bytes) -> bytes

RC4 encrypt / decrypt using the Defender Quarantine RC4 Key.

dissect.target.plugins.os.windows.defender.quarantine.recover_quarantined_file_streams(fh: BinaryIO, filename: str) -> collections.abc.Iterator[tuple[str, bytes]]

Recover the various data streams present in a quarantined file.

Yields tuples of the output filename and the corresponding output data.

class dissect.target.plugins.os.windows.defender.quarantine.QuarantineEntry(fh: BinaryIO)
header
metadata
timestamp
quarantine_id
scan_id
threat_id
detection_name
resources: list[QuarantineEntryResource] = []
class dissect.target.plugins.os.windows.defender.quarantine.QuarantineEntryResource(fh: BinaryIO)
metadata
detection_path
field_count
detection_type
resource_id = None
creation_time = None
last_access_time = None
last_write_time = None
unknown_fields = []
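The QuarantineEntryResourceField records declared in defender_def above (WORD Size, a WORD packing a 12-bit Identifier and a 4-bit Type, then Size bytes of Data) are what QuarantineEntryResource decodes into detection_path, creation_time and the other attributes. The following stand-alone decoder is an added example, not the dissect.target module's own code; it uses only the struct module rather than dissect.cstruct, reads fields back to back as the struct declares them, and assumes that QWORD timestamp fields hold Windows FILETIME values.

```python
import struct
from datetime import datetime, timedelta, timezone

# Names from the FIELD_IDENTIFIER / FIELD_TYPE enums in defender_def above.
FIELD_IDENTIFIER = {0x02: "CQuaResDataID_File", 0x03: "CQuaResDataID_Registry", 0x0A: "Flags",
                    0x0C: "PhysicalPath", 0x0D: "DetectionContext", 0x0E: "Unknown",
                    0x0F: "CreationTime", 0x10: "LastAccessTime", 0x11: "LastWriteTime"}
FIELD_TYPE = {0x1: "STRING", 0x2: "WSTRING", 0x3: "DWORD", 0x4: "RESOURCE_DATA", 0x5: "BYTES", 0x6: "QWORD"}
TIMESTAMP_IDS = {0x0F, 0x10, 0x11}  # CreationTime, LastAccessTime, LastWriteTime
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft: int) -> datetime:
    """Assumption: QWORD timestamp fields are Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def encode_field(identifier: int, ftype: int, data: bytes) -> bytes:
    """Pack one field: WORD Size, then a WORD with Identifier in bits 0-11 and Type in bits 12-15."""
    return struct.pack("<HH", len(data), (ftype << 12) | (identifier & 0x0FFF)) + data

def parse_resource_fields(buf: bytes, field_count: int) -> list:
    """Decode field_count consecutive QuarantineEntryResourceField records laid out back to back."""
    fields, offset = [], 0
    for _ in range(field_count):
        if offset + 4 > len(buf):
            raise ValueError("truncated field header")
        size, packed = struct.unpack_from("<HH", buf, offset)
        identifier, ftype = packed & 0x0FFF, packed >> 12  # 12-bit id, 4-bit type
        data = buf[offset + 4 : offset + 4 + size]
        if len(data) != size:
            raise ValueError("field data runs past end of buffer")
        offset += 4 + size
        if ftype == 0x2:  # WSTRING: UTF-16-LE, NUL terminated
            value = data.decode("utf-16-le").rstrip("\x00")
        elif ftype == 0x3:  # DWORD
            value = struct.unpack("<I", data)[0]
        elif ftype == 0x6:  # QWORD; timestamp identifiers converted from FILETIME
            value = struct.unpack("<Q", data)[0]
            if identifier in TIMESTAMP_IDS:
                value = filetime_to_datetime(value)
        elif ftype == 0x1:  # STRING
            value = data.rstrip(b"\x00").decode("latin-1")
        else:  # RESOURCE_DATA / BYTES: keep raw
            value = data
        fields.append((FIELD_IDENTIFIER.get(identifier, identifier), FIELD_TYPE.get(ftype, ftype), value))
    return fields

# Constructed sample (not real quarantine data): path, flags and a FILETIME for 2024-01-01T00:00:00Z.
SAMPLE = (encode_field(0x0C, 0x2, "C:\\Users\\demo\\sample.bin".encode("utf-16-le") + b"\x00\x00")
          + encode_field(0x0A, 0x3, struct.pack("<I", 1))
          + encode_field(0x0F, 0x6, struct.pack("<Q", 133485408000000000)))
```

Calling parse_resource_fields(SAMPLE, 3) returns the path, the Flags value and the creation time as an aware datetime; a buffer cut short raises ValueError instead of silently yielding partial fields.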