dissect.target.plugins.os.windows.regf.shellbags#

Attributes#

dissect.target.plugins.os.windows.regf.shellbags.log#
dissect.target.plugins.os.windows.regf.shellbags.bag_def = Multiline-String#
"""
// Root-folder class identifiers, read into SHITEM_ROOT_FOLDER.folder_id.
// NOTE(review): INTERNET_EXPLORER is declared twice (0x00 and 0x68). Both
// numeric values presumably occur on disk, but with a repeated member name a
// name->value lookup can only resolve to one of them — confirm how cstruct
// handles the duplicate and that nothing relies on the 0x00 mapping by name.
enum ROOTFOLDER_ID : uint8 {
    INTERNET_EXPLORER   = 0x00,
    LIBRARIES           = 0x42,
    USERS               = 0x44,
    MY_DOCUMENTS        = 0x48,
    MY_COMPUTER         = 0x50,
    NETWORK             = 0x58,
    RECYCLE_BIN         = 0x60,
    INTERNET_EXPLORER   = 0x68,   // duplicate name, see note above
    UNKNOWN             = 0x70,
    MY_GAMES            = 0x80
};

// Header-only shell item (no further fields are parsed); the UNKNOWN0 class
// below carries this as its STRUCT.
struct SHITEM_UNKNOWN0 {
    uint16  size;   // item length in bytes — presumably includes this header; confirm
    uint8   type;   // class type indicator — presumably used to pick the SHITEM subclass
};

// Header-only shell item, identical in layout to SHITEM_UNKNOWN0; the UNKNOWN1
// class below carries this as its STRUCT.
struct SHITEM_UNKNOWN1 {
    uint16  size;   // item length in bytes — presumably includes this header; confirm
    uint8   type;   // class type indicator
};

// Root folder shell item: a ROOTFOLDER_ID followed by a 16-byte GUID.
struct SHITEM_ROOT_FOLDER {
    uint16          size;       // item length in bytes
    uint8           type;       // class type indicator
    ROOTFOLDER_ID   folder_id;  // one of the ROOTFOLDER_ID values above (unknown values will not map)
    char            guid[16];   // raw GUID bytes, not text; presumably formatted by the ROOT_FOLDER class
};

// Volume shell item; only the common header is declared here, so the volume
// name exposed by VOLUME.name must be read from the bytes after it — confirm.
struct SHITEM_VOLUME {
    uint16  size;   // item length in bytes
    uint8   type;   // class type indicator
};

// File entry shell item. The entry name is not part of this struct; FILE_ENTRY.name
// presumably reads it from the bytes following the header.
struct SHITEM_FILE_ENTRY {
    uint16  size;                   // item length in bytes
    uint8   type;                   // class type indicator
    uint8   unk0;
    uint32  file_size;              // as recorded by Explorer when the item was written, not the live size
    uint32  modification_time;      // 32-bit; decoded by FILE_ENTRY.modification_time — presumably packed DOS date/time, confirm
    uint16  file_attribute_flags;
};

// Network location shell item.
struct SHITEM_NETWORK {
    uint16  size;       // item length in bytes
    uint8   type;       // class type indicator
    uint8   unk0;
    uint8   flags;
    char    location[]; // unsized: cstruct presumably reads up to the NUL terminator — confirm it stops at `size`
};

// Compressed folder (e.g. zip) shell item; no name field is declared here,
// so COMPRESSED_FOLDER.name must derive it from the remaining bytes — confirm.
struct SHITEM_COMPRESSED_FOLDER {
    uint16  size;   // item length in bytes
    uint8   type;   // class type indicator
    uint8   unk0;
    uint16  unk1;
};

// URI shell item. data_size is taken from the item itself (registry data from
// the examined system, i.e. untrusted input) — NOTE(review): confirm the URI
// class bounds it by `size` before reading the payload.
struct SHITEM_URI {
    uint16  size;       // item length in bytes
    uint8   type;       // class type indicator
    uint8   flags;
    uint16  data_size;  // length of the data that follows; attacker/data controlled
};

// Control panel shell item identified by a GUID.
struct SHITEM_CONTROL_PANEL {
    uint16  size;       // item length in bytes
    uint8   type;       // class type indicator
    uint8   unk0;
    char    unk1[10];
    char    guid[16];   // raw GUID bytes, not text
};

// Control panel category shell item.
struct SHITEM_CONTROL_PANEL_CATEGORY {
    uint16  size;       // item length in bytes
    uint8   type;       // class type indicator
    uint8   unk0;
    uint32  signature;
    uint32  category;   // presumably looked up in CONTROL_PANEL_CATEGORY.CATEGORIES; unknown ids need a fallback
};

// CD burn staging area shell item; most fields are still unidentified.
struct SHITEM_CDBURN {
    uint16  size;       // item length in bytes
    uint8   type;       // class type indicator
    uint8   unk0;
    uint32  signature;
    uint32  unk1;
    uint32  unk2;
};

// Game folder shell item.
struct SHITEM_GAME_FOLDER {
    uint16  size;           // item length in bytes
    uint8   type;           // class type indicator
    uint8   unk0;
    uint32  signature;
    char    identifier[16]; // raw 16-byte identifier, presumably a GUID — confirm
    uint64  unk1;
};

// Control panel CPL file shell item: three unsized wide strings follow the
// fixed header. NOTE(review): name_offset / comments_offset are read from the
// item but the strings below are declared unsized, so it is unclear whether the
// offsets are honoured or the strings are simply read back to back — confirm
// against the CONTROL_PANEL_CPL_FILE class, and that reads stay within `size`.
struct SHITEM_CONTROL_PANEL_CPL_FILE {
    uint16  size;               // item length in bytes
    uint8   type;               // class type indicator
    uint8   unk0;
    uint32  signature;
    uint32  unk1;
    uint32  unk2;
    uint32  unk3;
    uint16  name_offset;        // offset of `name`, presumably relative to the item start — confirm
    uint16  comments_offset;    // offset of `comments`, presumably relative to the item start — confirm
    wchar   cpl_path[];         // NUL-terminated UTF-16
    wchar   name[];             // NUL-terminated UTF-16
    wchar   comments[];         // NUL-terminated UTF-16
};

// One property record of an MTP (portable device) item; presumably repeated
// num_properties times after SHITEM_MTP_FILE_ENTRY / SHITEM_MTP_VOLUME — confirm.
struct SHITEM_MTP_PROPERTY {
    char    format_identifier[16];  // raw GUID bytes (property set)
    uint32  value_identifier;       // property id within the set
    uint32  value_type;             // value type tag; the value itself is not declared here
};

// MTP (portable device) file entry shell item. The two folder-name lengths are
// read from the item data itself, i.e. from a registry hive on the examined
// system — NOTE(review): a crafted value can declare lengths far larger than
// `size`/`data_size`; confirm the MTP_FILE_ENTRY class rejects or truncates
// such items rather than reading past the item.
struct SHITEM_MTP_FILE_ENTRY {
    uint16  size;               // item length in bytes
    uint8   type;               // class type indicator
    uint8   unk0;
    uint16  data_size;          // length of the MTP payload that follows — presumably; confirm
    uint32  data_signature;
    uint32  unk1;
    uint16  unk2;
    uint16  unk3;
    uint16  unk4;
    uint16  unk5;
    uint32  unk6;
    uint64  modification_time;  // 64-bit; decoded by MTP_FILE_ENTRY.modification_time — presumably FILETIME, confirm
    uint64  creation_time;      // 64-bit; decoded by MTP_FILE_ENTRY.creation_time — presumably FILETIME, confirm
    char    content_type_folder[16];    // raw GUID bytes
    uint32  unk7;
    uint32  folder_name_size_1;         // element count for folder_name_1 (data controlled)
    uint32  folder_name_size_2;         // element count for folder_name_2 (data controlled)
    uint32  folder_identifier_size;     // no matching array is declared here — consumed elsewhere, or unused; confirm
    wchar   folder_name_1[folder_name_size_1];
    wchar   folder_name_2[folder_name_size_2];
    uint32  unk8;
    char    class_identifier[16];       // raw GUID bytes
    uint32  num_properties;             // count of SHITEM_MTP_PROPERTY records that presumably follow
};

// Fixed-width UTF-16 GUID string as stored in SHITEM_MTP_VOLUME.guids.
struct SHITEM_MTP_VOLUME_GUID {
    wchar   guid[39];   // 39 code units: presumably a braced "{...}" GUID (38 chars) plus NUL — confirm
};

// MTP (portable device) volume shell item. name_size, identifier_size,
// filesystem_size and num_guid are all read from the item data, i.e. from a
// registry hive on the examined system — NOTE(review): confirm the MTP_VOLUME
// class bounds them by `size`/`data_size` so a crafted hive cannot make the
// parser read past the item or allocate num_guid * 78 bytes unchecked.
struct SHITEM_MTP_VOLUME {
    uint16  size;               // item length in bytes
    uint8   type;               // class type indicator
    uint8   unk0;
    uint16  data_size;          // length of the MTP payload that follows — presumably; confirm
    uint32  data_signature;
    uint32  unk1;
    uint16  unk2;
    uint16  unk3;
    uint16  unk4;
    uint16  unk5;
    uint32  unk6;
    uint64  unk7;
    uint32  unk8;
    uint32  name_size;          // element count for name (data controlled)
    uint32  identifier_size;    // element count for identifier (data controlled)
    uint32  filesystem_size;    // element count for filesystem (data controlled)
    uint32  num_guid;           // element count for guids (data controlled)
    wchar   name[name_size];
    wchar   identifier[identifier_size];
    wchar   filesystem[filesystem_size];
    SHITEM_MTP_VOLUME_GUID     guids[num_guid];
    uint32  unk9;
    char    class_identifier[16];   // raw GUID bytes
    uint32  num_properties;         // count of SHITEM_MTP_PROPERTY records that presumably follow
};

// Users property view shell item: an identifier blob and a serialized property
// store, each length-prefixed. Note the order: both lengths are read first,
// then identifier, then property_store. Lengths are data controlled —
// NOTE(review): confirm the USERS_PROPERTY_VIEW class checks
// identifier_size + property_store_size against data_size/size.
struct SHITEM_USERS_PROPERTY_VIEW {
    uint16  size;                   // item length in bytes
    uint8   type;                   // class type indicator
    uint8   unk0;
    uint16  data_size;
    uint32  data_signature;
    uint16  property_store_size;    // byte length of property_store
    uint16  identifier_size;        // byte length of identifier
    char    identifier[identifier_size];
    char    property_store[property_store_size];    // opaque here; not decoded by this struct
    uint16  unk1;
};

// Shell item of class type 0x74; the header declares the size of a
// SHITEM_UNKNOWN_0x74_SUBITEM that presumably follows — confirm.
struct SHITEM_UNKNOWN_0x74 {
    uint16  size;           // item length in bytes
    uint8   type;           // class type indicator (0x74, per the struct name)
    uint8   unk0;
    uint16  data_size;
    uint32  data_signature;
    uint16  subitem_size;   // data controlled; should be bounded by data_size/size — confirm
};

// Sub-item embedded in SHITEM_UNKNOWN_0x74; mirrors the file entry layout
// (size, modification time, attribute flags, name) without a size field.
struct SHITEM_UNKNOWN_0x74_SUBITEM {
    uint8   type;
    uint8   unk1;
    uint32  file_size;
    uint32  modification_time;      // 32-bit; decoded by UNKNOWN_0x74.modification_time — presumably DOS date/time, confirm
    uint16  file_attribute_flags;
    char    primary_name[];         // unsized: presumably read to the NUL terminator — confirm it stays within subitem_size
};

// Delegate shell item: an opaque data blob followed by two GUIDs.
// NOTE(review): the array length is `data_size - 2` and data_size is read from
// the item (untrusted registry data). A data_size of 0 or 1 makes the length
// negative — confirm how cstruct handles that, and that the DELEGATE class
// rejects such items instead of raising an unhandled error mid-list.
struct SHITEM_DELEGATE {
    uint16  size;                   // item length in bytes
    uint8   type;                   // class type indicator
    uint8   unk0;
    uint16  data_size;              // data controlled; must be >= 2 for the expression below to be valid
    char    data[data_size - 2];
    char    delegate_identifier[16];    // raw GUID bytes; presumably compared with DELEGATE_ITEM_IDENTIFIER — confirm
    char    shell_identifier[16];       // raw GUID bytes
};

// Header of an extension block appended to a shell item; the signature selects
// the EXTENSION_BLOCK subclass (EXTENSION_BLOCK_BEEF0004 / _BEEF0005 below,
// judging by their names — confirm).
struct EXTENSION_BLOCK_HEADER {
    uint16  size;       // block length in bytes — presumably includes this header; confirm
    uint16  version;
    uint32  signature;  // e.g. 0xBEEF0004, 0xBEEF0005
};
"""
dissect.target.plugins.os.windows.regf.shellbags.c_bag#
dissect.target.plugins.os.windows.regf.shellbags.DELEGATE_ITEM_IDENTIFIER = b't\x1aY^\x96\xdf\xd3H\x8dg\x173\xbc\xee(\xba'#
dissect.target.plugins.os.windows.regf.shellbags.ShellBagRecord#
class dissect.target.plugins.os.windows.regf.shellbags.ShellBagsPlugin(target)#

Bases: dissect.target.plugin.Plugin

Windows Shellbags plugin.

References

KEYS = ['HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell',...#
check_compatible() None#

Perform a compatibility check with the target.

Return None if the plugin is compatible with the current target (self.target) — for example after checking that a required file or registry key exists — and raise UnsupportedPluginError otherwise.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

shellbags()#

Return Windows Shellbag records (ShellBagRecord) parsed from the registry keys listed in KEYS.

Shellbags are registry keys maintained by Windows Explorer to improve the user experience. The shell items stored under them record, for example, file and folder names together with creation, modification and access timestamps and file sizes (see the SHITEM properties below). These values are written by Explorer at browse time and are read here from the target's registry data, so they should be treated as untrusted input rather than as authoritative file-system metadata.

References

dissect.target.plugins.os.windows.regf.shellbags.parse_shell_item_list(buf)#
class dissect.target.plugins.os.windows.regf.shellbags.SHITEM(buf)#
property name#
property creation_time#
property modification_time#
property access_time#
property file_size#
property file_reference#
STRUCT#
extension(cls)#
__repr__()#

Return repr(self).

class dissect.target.plugins.os.windows.regf.shellbags.UNKNOWN(buf)#

Bases: SHITEM

property name#
class dissect.target.plugins.os.windows.regf.shellbags.UNKNOWN0(fh)#

Bases: SHITEM

property name#
STRUCT#
class dissect.target.plugins.os.windows.regf.shellbags.UNKNOWN1(buf)#

Bases: SHITEM

property name#
STRUCT#
class dissect.target.plugins.os.windows.regf.shellbags.ROOT_FOLDER(fh)#

Bases: SHITEM

property name#
STRUCT#
class dissect.target.plugins.os.windows.regf.shellbags.VOLUME(buf)#

Bases: SHITEM

property name#
STRUCT#
class dissect.target.plugins.os.windows.regf.shellbags.FILE_ENTRY(buf)#

Bases: SHITEM

property name#
property modification_time#
STRUCT#
class dissect.target.plugins.os.windows.regf.shellbags.NETWORK(buf)#

Bases: SHITEM

property name#
STRUCT#
class dissect.target.plugins.os.windows.regf.shellbags.COMPRESSED_FOLDER(buf)#

Bases: SHITEM

property name#
STRUCT#
class dissect.target.plugins.os.windows.regf.shellbags.URI(buf)#

Bases: SHITEM

property name#
STRUCT#
class dissect.target.plugins.os.windows.regf.shellbags.CONTROL_PANEL(buf)#

Bases: SHITEM

property name#
STRUCT#
class dissect.target.plugins.os.windows.regf.shellbags.CONTROL_PANEL_CATEGORY(buf)#

Bases: SHITEM

property name#
STRUCT#
CATEGORIES#
class dissect.target.plugins.os.windows.regf.shellbags.CDBURN(buf)#

Bases: SHITEM

property name#
STRUCT#
class dissect.target.plugins.os.windows.regf.shellbags.GAME_FOLDER(buf)#

Bases: SHITEM

property name#
STRUCT#
class dissect.target.plugins.os.windows.regf.shellbags.CONTROL_PANEL_CPL_FILE(buf)#

Bases: SHITEM

property name#
STRUCT#
class dissect.target.plugins.os.windows.regf.shellbags.MTP_FILE_ENTRY(buf)#

Bases: SHITEM

property name#
property creation_time#
property modification_time#
STRUCT#
class dissect.target.plugins.os.windows.regf.shellbags.MTP_VOLUME(buf)#

Bases: SHITEM

property name#
STRUCT#
class dissect.target.plugins.os.windows.regf.shellbags.USERS_PROPERTY_VIEW(buf)#

Bases: SHITEM

property name#
STRUCT#
class dissect.target.plugins.os.windows.regf.shellbags.UNKNOWN_0x74(buf)#

Bases: SHITEM

property name#
property modification_time#
STRUCT#
class dissect.target.plugins.os.windows.regf.shellbags.DELEGATE(buf)#

Bases: SHITEM

property name#
STRUCT#
class dissect.target.plugins.os.windows.regf.shellbags.EXTENSION_BLOCK(buf)#
property size#
property data_size#
property version#
property signature#
__repr__()#

Return repr(self).

class dissect.target.plugins.os.windows.regf.shellbags.EXTENSION_BLOCK_BEEF0004(buf)#

Bases: EXTENSION_BLOCK

class dissect.target.plugins.os.windows.regf.shellbags.EXTENSION_BLOCK_BEEF0005(buf)#

Bases: EXTENSION_BLOCK