dissect.target.plugins.os.windows.regf.shellbags
Module Contents
Classes
Windows Shellbags plugin.
Functions
Attributes
- dissect.target.plugins.os.windows.regf.shellbags.log
- dissect.target.plugins.os.windows.regf.shellbags.bag_def = Multiline-String
"""
enum ROOTFOLDER_ID : uint8 {
    INTERNET_EXPLORER = 0x00,
    LIBRARIES = 0x42,
    USERS = 0x44,
    MY_DOCUMENTS = 0x48,
    MY_COMPUTER = 0x50,
    NETWORK = 0x58,
    RECYCLE_BIN = 0x60,
    INTERNET_EXPLORER = 0x68,
    UNKNOWN = 0x70,
    MY_GAMES = 0x80
};

struct SHITEM_UNKNOWN0 {
    uint16 size;
    uint8 type;
};

struct SHITEM_UNKNOWN1 {
    uint16 size;
    uint8 type;
};

struct SHITEM_ROOT_FOLDER {
    uint16 size;
    uint8 type;
    ROOTFOLDER_ID folder_id;
    char guid[16];
};

struct SHITEM_VOLUME {
    uint16 size;
    uint8 type;
};

struct SHITEM_FILE_ENTRY {
    uint16 size;
    uint8 type;
    uint8 unk0;
    uint32 file_size;
    uint32 modification_time;
    uint16 file_attribute_flags;
};

struct SHITEM_NETWORK {
    uint16 size;
    uint8 type;
    uint8 unk0;
    uint8 flags;
    char location[];
};

struct SHITEM_COMPRESSED_FOLDER {
    uint16 size;
    uint8 type;
    uint8 unk0;
    uint16 unk1;
};

struct SHITEM_URI {
    uint16 size;
    uint8 type;
    uint8 flags;
    uint16 data_size;
};

struct SHITEM_CONTROL_PANEL {
    uint16 size;
    uint8 type;
    uint8 unk0;
    char unk1[10];
    char guid[16];
};

struct SHITEM_CONTROL_PANEL_CATEGORY {
    uint16 size;
    uint8 type;
    uint8 unk0;
    uint32 signature;
    uint32 category;
};

struct SHITEM_CDBURN {
    uint16 size;
    uint8 type;
    uint8 unk0;
    uint32 signature;
    uint32 unk1;
    uint32 unk2;
};

struct SHITEM_GAME_FOLDER {
    uint16 size;
    uint8 type;
    uint8 unk0;
    uint32 signature;
    char identifier[16];
    uint64 unk1;
};

struct SHITEM_CONTROL_PANEL_CPL_FILE {
    uint16 size;
    uint8 type;
    uint8 unk0;
    uint32 signature;
    uint32 unk1;
    uint32 unk2;
    uint32 unk3;
    uint16 name_offset;
    uint16 comments_offset;
    wchar cpl_path[];
    wchar name[];
    wchar comments[];
};

struct SHITEM_MTP_PROPERTY {
    char format_identifier[16];
    uint32 value_identifier;
    uint32 value_type;
};

struct SHITEM_MTP_FILE_ENTRY {
    uint16 size;
    uint8 type;
    uint8 unk0;
    uint16 data_size;
    uint32 data_signature;
    uint32 unk1;
    uint16 unk2;
    uint16 unk3;
    uint16 unk4;
    uint16 unk5;
    uint32 unk6;
    uint64 modification_time;
    uint64 creation_time;
    char content_type_folder[16];
    uint32 unk7;
    uint32 folder_name_size_1;
    uint32 folder_name_size_2;
    uint32 folder_identifier_size;
    wchar folder_name_1[folder_name_size_1];
    wchar folder_name_2[folder_name_size_2];
    uint32 unk8;
    char class_identifier[16];
    uint32 num_properties;
};

struct SHITEM_MTP_VOLUME_GUID {
    wchar guid[39];
};

struct SHITEM_MTP_VOLUME {
    uint16 size;
    uint8 type;
    uint8 unk0;
    uint16 data_size;
    uint32 data_signature;
    uint32 unk1;
    uint16 unk2;
    uint16 unk3;
    uint16 unk4;
    uint16 unk5;
    uint32 unk6;
    uint64 unk7;
    uint32 unk8;
    uint32 name_size;
    uint32 identifier_size;
    uint32 filesystem_size;
    uint32 num_guid;
    wchar name[name_size];
    wchar identifier[identifier_size];
    wchar filesystem[filesystem_size];
    SHITEM_MTP_VOLUME_GUID guids[num_guid];
    uint32 unk9;
    char class_identifier[16];
    uint32 num_properties;
};

struct SHITEM_USERS_PROPERTY_VIEW {
    uint16 size;
    uint8 type;
    uint8 unk0;
    uint16 data_size;
    uint32 data_signature;
    uint16 property_store_size;
    uint16 identifier_size;
    char identifier[identifier_size];
    char property_store[property_store_size];
    uint16 unk1;
};

struct SHITEM_UNKNOWN_0x74 {
    uint16 size;
    uint8 type;
    uint8 unk0;
    uint16 data_size;
    uint32 data_signature;
    uint16 subitem_size;
};

struct SHITEM_UNKNOWN_0x74_SUBITEM {
    uint8 type;
    uint8 unk1;
    uint32 file_size;
    uint32 modification_time;
    uint16 file_attribute_flags;
    char primary_name[];
};

struct SHITEM_DELEGATE {
    uint16 size;
    uint8 type;
    uint8 unk0;
    uint16 data_size;
    char data[data_size - 2];
    char delegate_identifier[16];
    char shell_identifier[16];
};

struct EXTENSION_BLOCK_HEADER {
    uint16 size;
    uint16 version;
    uint32 signature;
};
"""
- dissect.target.plugins.os.windows.regf.shellbags.c_bag
- dissect.target.plugins.os.windows.regf.shellbags.DELEGATE_ITEM_IDENTIFIER = b't\x1aY^\x96\xdf\xd3H\x8dg\x173\xbc\xee(\xba'
- dissect.target.plugins.os.windows.regf.shellbags.ShellBagRecord
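How the `SHITEM_FILE_ENTRY` layout in `bag_def` maps onto raw bytes, as an added standard-library example that is not code from dissect. Assumptions not stated on this page: items are size-prefixed and the list ends with a zero size, `(type & 0x70) == 0x30` marks file entries, `modification_time` is a FAT date/time pair, and a NUL-terminated ASCII name follows the fixed header; the sample buffer is constructed.

```python
import struct
from datetime import datetime

# SHITEM_FILE_ENTRY in bag_def: size, type, unk0, file_size,
# modification_time, file_attribute_flags (little-endian, unpadded).
FILE_ENTRY = struct.Struct("<HBBIIH")

def iter_shell_items(buf):
    """Yield each size-prefixed item; a size of 0 terminates the list."""
    offset = 0
    while offset + 2 <= len(buf):
        (size,) = struct.unpack_from("<H", buf, offset)
        if size == 0:
            return
        if size < 3 or offset + size > len(buf):  # registry data is untrusted
            raise ValueError(f"corrupt shell item at offset {offset}: size={size}")
        yield buf[offset:offset + size]
        offset += size

def fat_datetime(value):
    """Assumption: FAT date in the low word, FAT time in the high word."""
    date, time = value & 0xFFFF, value >> 16
    try:
        return datetime((date >> 9) + 1980, (date >> 5) & 0xF, date & 0x1F,
                        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)
    except ValueError:
        return None  # zeroed or out-of-range timestamp

def parse_file_entry(item):
    if len(item) < FILE_ENTRY.size:
        raise ValueError("item too short for SHITEM_FILE_ENTRY")
    _, type_, _, file_size, mtime, attrs = FILE_ENTRY.unpack_from(item)
    # Assumption: a NUL-terminated ASCII name follows the fixed header.
    name = item[FILE_ENTRY.size:].split(b"\x00", 1)[0].decode("ascii", "replace")
    return {"type": type_, "name": name, "file_size": file_size,
            "modified": fat_datetime(mtime), "attributes": attrs}

def parse_list(buf):
    # Assumption: (type & 0x70) == 0x30 identifies file entries.
    return [parse_file_entry(i) if i[2] & 0x70 == 0x30
            else {"type": i[2], "raw_size": len(i)} for i in iter_shell_items(buf)]

def build_entry(type_, name, file_size, mtime, attrs):
    """Build a constructed test item (not real registry data)."""
    body = struct.pack("<BBIIH", type_, 0, file_size, mtime, attrs) + name + b"\x00"
    return struct.pack("<H", len(body) + 2) + body

# Constructed sample: a directory, a file with a zeroed timestamp, terminator.
SAMPLE = (build_entry(0x31, b"Projects", 0, 0x53CA56CF, 0x10)
          + build_entry(0x32, b"notes.txt", 1234, 0, 0x20) + b"\x00\x00")
```

A truncated value raises `ValueError` instead of reading past the buffer, which is the behaviour to want when a hive is damaged or has been tampered with.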
- class dissect.target.plugins.os.windows.regf.shellbags.ShellBagsPlugin(target)
Bases: dissect.target.plugin.Plugin
Windows Shellbags plugin.
- KEYS = ['HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell',...
- bagkeys
- check_compatible() -> None
Perform a compatibility check with the target.
This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.
Raises: UnsupportedPluginError – If the plugin could not be loaded.
- shellbags()
Return Windows Shellbags.
Shellbags are registry keys that improve the user experience in Windows Explorer. They store information such as file and folder creation and access times.
- dissect.target.plugins.os.windows.regf.shellbags.parse_shell_item_list(buf)
- class dissect.target.plugins.os.windows.regf.shellbags.SHITEM(buf)
- STRUCT = None
- buf
- fh
- item
- size
- type
- parent = None
- extensions = []
- property name
- property creation_time
- property modification_time
- property access_time
- property file_size
- property file_reference
- extension(cls)
- __repr__()
- class dissect.target.plugins.os.windows.regf.shellbags.UNKNOWN0(fh)
Bases: SHITEM
- STRUCT
- guid = None
- property name
- class dissect.target.plugins.os.windows.regf.shellbags.UNKNOWN1(buf)
Bases: SHITEM
- STRUCT
- property name
- class dissect.target.plugins.os.windows.regf.shellbags.ROOT_FOLDER(fh)
Bases: SHITEM
- STRUCT
- guid
- extension = None
- property name
- class dissect.target.plugins.os.windows.regf.shellbags.VOLUME(buf)
Bases: SHITEM
- STRUCT
- volume_name = None
- identifier = None
- property name
- class dissect.target.plugins.os.windows.regf.shellbags.FILE_ENTRY(buf)
Bases: SHITEM
- STRUCT
- is_pre_xp = False
- property name
- property modification_time
- class dissect.target.plugins.os.windows.regf.shellbags.NETWORK(buf)
Bases: SHITEM
- STRUCT
- description = None
- comments = None
- property name
- class dissect.target.plugins.os.windows.regf.shellbags.COMPRESSED_FOLDER(buf)
Bases: SHITEM
- STRUCT
- property name
- class dissect.target.plugins.os.windows.regf.shellbags.URI(buf)
Bases: SHITEM
- STRUCT
- uri = None
- property name
- class dissect.target.plugins.os.windows.regf.shellbags.CONTROL_PANEL(buf)
Bases: SHITEM
- STRUCT
- guid
- property name
- class dissect.target.plugins.os.windows.regf.shellbags.CONTROL_PANEL_CATEGORY(buf)
Bases: SHITEM
- STRUCT
- CATEGORIES
- property name
- class dissect.target.plugins.os.windows.regf.shellbags.CDBURN(buf)
Bases: SHITEM
- STRUCT
- property name
- class dissect.target.plugins.os.windows.regf.shellbags.GAME_FOLDER(buf)
Bases: SHITEM
- STRUCT
- guid
- property name
- class dissect.target.plugins.os.windows.regf.shellbags.CONTROL_PANEL_CPL_FILE(buf)
Bases: SHITEM
- STRUCT
- property name
- class dissect.target.plugins.os.windows.regf.shellbags.MTP_FILE_ENTRY(buf)
Bases: SHITEM
- STRUCT
- property name
- property creation_time
- property modification_time
- class dissect.target.plugins.os.windows.regf.shellbags.MTP_VOLUME(buf)
Bases: SHITEM
- STRUCT
- property name
- class dissect.target.plugins.os.windows.regf.shellbags.USERS_PROPERTY_VIEW(buf)
Bases: SHITEM
- STRUCT
- guid = None
- identifier
- property name
- class dissect.target.plugins.os.windows.regf.shellbags.UNKNOWN_0x74(buf)
Bases: SHITEM
- STRUCT
- subitem = None
- property name
- property modification_time
- class dissect.target.plugins.os.windows.regf.shellbags.DELEGATE(buf)
Bases: SHITEM
- STRUCT
- delegate_identifier
- shell_identifier
- property name
- class dissect.target.plugins.os.windows.regf.shellbags.EXTENSION_BLOCK(buf)
- buf
- fh
- header
- property size
- property data_size
- property version
- property signature
- __repr__()
- class dissect.target.plugins.os.windows.regf.shellbags.EXTENSION_BLOCK_BEEF0004(buf)
Bases: EXTENSION_BLOCK
- creation_time
- last_accessed
- identifier
- file_reference = None
- long_name = None
- localized_name = None
- class dissect.target.plugins.os.windows.regf.shellbags.EXTENSION_BLOCK_BEEF0005(buf)
Bases: EXTENSION_BLOCK
- shell_items