dissect.target.plugins.os.windows.regf.clsid

Module Contents

Classes

CLSIDPlugin

Return all CLSID registry keys.

Attributes

CLSIDRecordDescriptor
CLSIDRecord

dissect.target.plugins.os.windows.regf.clsid.CLSIDRecordDescriptor

dissect.target.plugins.os.windows.regf.clsid.CLSIDRecord

class dissect.target.plugins.os.windows.regf.clsid.CLSIDPlugin(target)

Bases: dissect.target.plugin.Plugin

Return all CLSID registry keys.

A CLSID is a globally unique identifier that identifies a COM class object (program) situated in HKEY_CURRENT_USERSoftwareClassesCLSID and HKEY_LOCAL_MACHINESOFTWAREClassesCLSID. Malware may make use of the CLSID system to launch themselves automatically or when certain conditions are triggered.

Sources:

• https://docs.microsoft.com/en-us/windows/win32/com/clsid-key-hklm

• https://www.enigmasoftware.com/what-is-clsid-registry-key/

__namespace__ = 'clsid'

KEYS

check_compatible()

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

create_records(keys)

Iterate all CLSID keys from HKEY_CURRENT_USERSoftwareClassesCLSID and HKEY_LOCAL_MACHINESOFTWAREClassesCLSID.

Yields CLSIDRecords with fields:

hostname (string): The target hostname. domain (string): The target domain. ts (datetime): Last modified timestamp of the registry key. clsid (string): The CLSID key name. path (uri): The CLSID path value.

user()

Return only the user CLSID registry keys.

machine()

Return only the machine CLSID registry keys.