dissect.target.plugins.os.windows.regf.clsid

Module Contents

Classes

CLSIDPlugin

Return all CLSID registry keys.

Attributes

dissect.target.plugins.os.windows.regf.clsid.CLSIDRecordDescriptor
dissect.target.plugins.os.windows.regf.clsid.CLSIDRecord
class dissect.target.plugins.os.windows.regf.clsid.CLSIDPlugin(target)

Bases: dissect.target.plugin.Plugin

Return all CLSID registry keys.

A CLSID is a globally unique identifier that identifies a COM class object (program). CLSIDs are registered under HKEY_CURRENT_USER\Software\Classes\CLSID and HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID. Malware may make use of the CLSID system to launch itself automatically or when certain conditions are triggered.

__namespace__ = 'clsid'
KEYS
check_compatible() → None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

create_records(keys)

Iterate all CLSID keys from HKEY_CURRENT_USER\Software\Classes\CLSID and HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID.

Yields CLSIDRecords with fields:

hostname (string): The target hostname.
domain (string): The target domain.
ts (datetime): Last modified timestamp of the registry key.
clsid (string): The CLSID key name.
path (uri): The CLSID path value.

user()

Return only the user CLSID registry keys.

machine()

Return only the machine CLSID registry keys.
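
The following triage sketch is an added example, not part of the dissect code base. It compares the output of user() against machine() and flags per-user CLSID entries that merit review. It assumes records expose the ts, clsid and path fields listed for create_records; the function names, the reason labels, the directory list and the sample records are constructed for illustration.

```python
from datetime import datetime, timezone
from types import SimpleNamespace

# Assumption: directory fragments treated as user-writable for triage purposes.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def normalize(value):
    """Lower-case a CLSID or path and unify separators for comparison."""
    return str(value).strip().lower().replace("/", "\\")


def triage(user_records, machine_records):
    """Return (ts, clsid, path, reasons) for per-user CLSID entries worth a look."""
    machine = {}
    for rec in machine_records:
        # One CLSID can carry several path values, so collect them in a set.
        machine.setdefault(normalize(rec.clsid), set()).add(normalize(rec.path))

    findings = []
    for rec in user_records:
        clsid, path = normalize(rec.clsid), normalize(rec.path)
        reasons = []
        # Per-user registrations take precedence over machine-wide ones in the
        # merged HKEY_CLASSES_ROOT view, so a differing path overrides HKLM.
        if clsid in machine and path not in machine[clsid]:
            reasons.append("shadows-machine-clsid")
        if any(fragment in path for fragment in USER_WRITABLE):
            reasons.append("user-writable-path")
        if reasons:
            findings.append((rec.ts, rec.clsid, str(rec.path), reasons))
    return findings


# Constructed sample records standing in for the output of user() and machine().
TS = datetime(2024, 1, 1, tzinfo=timezone.utc)
CLSID_A = "{11111111-1111-1111-1111-111111111111}"
CLSID_B = "{22222222-2222-2222-2222-222222222222}"
SAMPLE_MACHINE = [
    SimpleNamespace(ts=TS, clsid=CLSID_A, path="C:\\Windows\\System32\\example.dll"),
]
SAMPLE_USER = [
    SimpleNamespace(ts=TS, clsid=CLSID_A, path="C:\\Users\\alice\\AppData\\Roaming\\example.dll"),
    SimpleNamespace(ts=TS, clsid=CLSID_B, path="C:\\Program Files\\Vendor\\ok.dll"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_USER, SAMPLE_MACHINE):
        print(finding)
```

A flagged entry is a lead for review rather than a verdict, since legitimate per-user software also registers COM classes under the user hive.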