dissect.target.plugins.os.windows.regf.shellbags

Module Contents

Classes

Functions

Attributes

dissect.target.plugins.os.windows.regf.shellbags.log
dissect.target.plugins.os.windows.regf.shellbags.bag_def = Multiline-String
"""
// cstruct definitions used by the shellbags plugin to parse Windows shell item
// (SHITEM) records and the extension blocks that trail them. Each SHITEM_*
// struct below is the STRUCT of the same-named SHITEM subclass in this module.
//
// Every SHITEM_* record opens with the same two fields: `size` (presumably the
// item's total length) and `type` (which the parser presumably dispatches on
// to pick the subclass). Unsized `char x[]` / `wchar x[]` members are read by
// cstruct as NUL-terminated strings; sized members (`name[name_size]`,
// `data[data_size - 2]`, ...) take their length from a field parsed out of the
// same input. Those lengths originate in registry data, not in this code, so
// they are untrusted: a malformed item can claim more bytes than it actually
// holds. Keep that in mind when reading the MTP_*, USERS_PROPERTY_VIEW and
// DELEGATE parsers.
enum ROOTFOLDER_ID : uint8 {
    INTERNET_EXPLORER   = 0x00,
    LIBRARIES           = 0x42,
    USERS               = 0x44,
    MY_DOCUMENTS        = 0x48,
    MY_COMPUTER         = 0x50,
    NETWORK             = 0x58,
    RECYCLE_BIN         = 0x60,
    // NOTE(review): INTERNET_EXPLORER is declared twice (0x00 and 0x68). In a
    // name-keyed enum the later entry shadows the earlier one for name lookups,
    // so 0x00 may only ever resolve by value — confirm which is intended.
    INTERNET_EXPLORER   = 0x68,
    UNKNOWN             = 0x70,
    MY_GAMES            = 0x80
};

// Header-only layouts: the subclasses (UNKNOWN0 / UNKNOWN1) parse anything
// beyond `type` themselves.
struct SHITEM_UNKNOWN0 {
    uint16  size;
    uint8   type;
};

struct SHITEM_UNKNOWN1 {
    uint16  size;
    uint8   type;
};

struct SHITEM_ROOT_FOLDER {
    uint16          size;
    uint8           type;
    ROOTFOLDER_ID   folder_id;
    char            guid[16];   // raw 16-byte GUID, not decoded here
};

struct SHITEM_VOLUME {
    uint16  size;
    uint8   type;
};

struct SHITEM_FILE_ENTRY {
    uint16  size;
    uint8   type;
    uint8   unk0;
    uint32  file_size;
    uint32  modification_time;  // 32-bit value; the FILE_ENTRY class exposes it as modification_time
    uint16  file_attribute_flags;
};

struct SHITEM_NETWORK {
    uint16  size;
    uint8   type;
    uint8   unk0;
    uint8   flags;
    char    location[];         // NUL-terminated
};

struct SHITEM_COMPRESSED_FOLDER {
    uint16  size;
    uint8   type;
    uint8   unk0;
    uint16  unk1;
};

struct SHITEM_URI {
    uint16  size;
    uint8   type;
    uint8   flags;
    uint16  data_size;          // length of the data that follows; read from the item
};

struct SHITEM_CONTROL_PANEL {
    uint16  size;
    uint8   type;
    uint8   unk0;
    char    unk1[10];
    char    guid[16];
};

struct SHITEM_CONTROL_PANEL_CATEGORY {
    uint16  size;
    uint8   type;
    uint8   unk0;
    uint32  signature;
    uint32  category;           // looked up in CONTROL_PANEL_CATEGORY.CATEGORIES, presumably
};

struct SHITEM_CDBURN {
    uint16  size;
    uint8   type;
    uint8   unk0;
    uint32  signature;
    uint32  unk1;
    uint32  unk2;
};

struct SHITEM_GAME_FOLDER {
    uint16  size;
    uint8   type;
    uint8   unk0;
    uint32  signature;
    char    identifier[16];
    uint64  unk1;
};

struct SHITEM_CONTROL_PANEL_CPL_FILE {
    uint16  size;
    uint8   type;
    uint8   unk0;
    uint32  signature;
    uint32  unk1;
    uint32  unk2;
    uint32  unk3;
    uint16  name_offset;        // offsets are carried but the three strings are read sequentially below
    uint16  comments_offset;
    wchar   cpl_path[];         // each NUL-terminated
    wchar   name[];
    wchar   comments[];
};

// Helper record, not a standalone shell item (no size/type header). Presumably
// read `num_properties` times after SHITEM_MTP_FILE_ENTRY / SHITEM_MTP_VOLUME
// — confirm against the parser.
struct SHITEM_MTP_PROPERTY {
    char    format_identifier[16];
    uint32  value_identifier;
    uint32  value_type;
};

struct SHITEM_MTP_FILE_ENTRY {
    uint16  size;
    uint8   type;
    uint8   unk0;
    uint16  data_size;
    uint32  data_signature;
    uint32  unk1;
    uint16  unk2;
    uint16  unk3;
    uint16  unk4;
    uint16  unk5;
    uint32  unk6;
    uint64  modification_time;  // 64-bit here, unlike SHITEM_FILE_ENTRY
    uint64  creation_time;
    char    content_type_folder[16];
    uint32  unk7;
    // The three sizes below are untrusted input; they bound the wchar arrays
    // that follow.
    uint32  folder_name_size_1;
    uint32  folder_name_size_2;
    uint32  folder_identifier_size;
    wchar   folder_name_1[folder_name_size_1];
    wchar   folder_name_2[folder_name_size_2];
    uint32  unk8;
    char    class_identifier[16];
    uint32  num_properties;
};

// Fixed-width GUID string element of SHITEM_MTP_VOLUME.guids.
struct SHITEM_MTP_VOLUME_GUID {
    wchar   guid[39];
};

struct SHITEM_MTP_VOLUME {
    uint16  size;
    uint8   type;
    uint8   unk0;
    uint16  data_size;
    uint32  data_signature;
    uint32  unk1;
    uint16  unk2;
    uint16  unk3;
    uint16  unk4;
    uint16  unk5;
    uint32  unk6;
    uint64  unk7;
    uint32  unk8;
    // Four item-supplied counts size the arrays below; all untrusted.
    uint32  name_size;
    uint32  identifier_size;
    uint32  filesystem_size;
    uint32  num_guid;
    wchar   name[name_size];
    wchar   identifier[identifier_size];
    wchar   filesystem[filesystem_size];
    SHITEM_MTP_VOLUME_GUID     guids[num_guid];
    uint32  unk9;
    char    class_identifier[16];
    uint32  num_properties;
};

struct SHITEM_USERS_PROPERTY_VIEW {
    uint16  size;
    uint8   type;
    uint8   unk0;
    uint16  data_size;
    uint32  data_signature;
    uint16  property_store_size;    // item-supplied, bounds property_store
    uint16  identifier_size;        // item-supplied, bounds identifier
    char    identifier[identifier_size];
    char    property_store[property_store_size];
    uint16  unk1;
};

struct SHITEM_UNKNOWN_0x74 {
    uint16  size;
    uint8   type;
    uint8   unk0;
    uint16  data_size;
    uint32  data_signature;
    uint16  subitem_size;       // presumably the length of the SHITEM_UNKNOWN_0x74_SUBITEM that follows
};

// Sub-record embedded in SHITEM_UNKNOWN_0x74; note it has no leading `size`
// field of its own.
struct SHITEM_UNKNOWN_0x74_SUBITEM {
    uint8   type;
    uint8   unk1;
    uint32  file_size;
    uint32  modification_time;
    uint16  file_attribute_flags;
    char    primary_name[];     // NUL-terminated
};

struct SHITEM_DELEGATE {
    uint16  size;
    uint8   type;
    uint8   unk0;
    uint16  data_size;
    // NOTE(review): data_size is a uint16 read from the item; a value below 2
    // makes this count negative — confirm the caller rejects such items
    // before this struct is parsed.
    char    data[data_size - 2];
    char    delegate_identifier[16];    // compared against DELEGATE_ITEM_IDENTIFIER, presumably
    char    shell_identifier[16];
};

// Common header of the extension blocks that follow a shell item. `signature`
// presumably selects the block class (EXTENSION_BLOCK_BEEF0004 /
// EXTENSION_BLOCK_BEEF0005 are defined in this module); `size` is the full
// block length including this header, per the EXTENSION_BLOCK.size/data_size
// split — confirm.
struct EXTENSION_BLOCK_HEADER {
    uint16  size;
    uint16  version;
    uint32  signature;
};
"""
dissect.target.plugins.os.windows.regf.shellbags.c_bag
dissect.target.plugins.os.windows.regf.shellbags.DELEGATE_ITEM_IDENTIFIER = b't\x1aY^\x96\xdf\xd3H\x8dg\x173\xbc\xee(\xba'
dissect.target.plugins.os.windows.regf.shellbags.ShellBagRecord
class dissect.target.plugins.os.windows.regf.shellbags.ShellBagsPlugin(target)

Bases: dissect.target.plugin.Plugin

Windows Shellbags plugin.

References

KEYS = ['HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell',...
bagkeys
check_compatible() None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target), for example after checking that a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

shellbags()

Return Windows Shellbags.

Shellbags are registry keys used to improve the user experience in Windows Explorer. They store information such as file/folder creation time and access time.

References

dissect.target.plugins.os.windows.regf.shellbags.parse_shell_item_list(buf)
class dissect.target.plugins.os.windows.regf.shellbags.SHITEM(buf)
STRUCT = None
buf
fh
item
size
type
parent = None
extensions = []
property name
property creation_time
property modification_time
property access_time
property file_size
property file_reference
extension(cls)
__repr__()
class dissect.target.plugins.os.windows.regf.shellbags.UNKNOWN(buf)

Bases: SHITEM

property name
class dissect.target.plugins.os.windows.regf.shellbags.UNKNOWN0(fh)

Bases: SHITEM

STRUCT
guid = None
property name
class dissect.target.plugins.os.windows.regf.shellbags.UNKNOWN1(buf)

Bases: SHITEM

STRUCT
property name
class dissect.target.plugins.os.windows.regf.shellbags.ROOT_FOLDER(fh)

Bases: SHITEM

STRUCT
guid
extension = None
property name
class dissect.target.plugins.os.windows.regf.shellbags.VOLUME(buf)

Bases: SHITEM

STRUCT
volume_name = None
identifier = None
property name
class dissect.target.plugins.os.windows.regf.shellbags.FILE_ENTRY(buf)

Bases: SHITEM

STRUCT
is_pre_xp = False
property name
property modification_time
class dissect.target.plugins.os.windows.regf.shellbags.NETWORK(buf)

Bases: SHITEM

STRUCT
description = None
comments = None
property name
class dissect.target.plugins.os.windows.regf.shellbags.COMPRESSED_FOLDER(buf)

Bases: SHITEM

STRUCT
property name
class dissect.target.plugins.os.windows.regf.shellbags.URI(buf)

Bases: SHITEM

STRUCT
uri = None
property name
class dissect.target.plugins.os.windows.regf.shellbags.CONTROL_PANEL(buf)

Bases: SHITEM

STRUCT
guid
property name
class dissect.target.plugins.os.windows.regf.shellbags.CONTROL_PANEL_CATEGORY(buf)

Bases: SHITEM

STRUCT
CATEGORIES
property name
class dissect.target.plugins.os.windows.regf.shellbags.CDBURN(buf)

Bases: SHITEM

STRUCT
property name
class dissect.target.plugins.os.windows.regf.shellbags.GAME_FOLDER(buf)

Bases: SHITEM

STRUCT
guid
property name
class dissect.target.plugins.os.windows.regf.shellbags.CONTROL_PANEL_CPL_FILE(buf)

Bases: SHITEM

STRUCT
property name
class dissect.target.plugins.os.windows.regf.shellbags.MTP_FILE_ENTRY(buf)

Bases: SHITEM

STRUCT
property name
property creation_time
property modification_time
class dissect.target.plugins.os.windows.regf.shellbags.MTP_VOLUME(buf)

Bases: SHITEM

STRUCT
property name
class dissect.target.plugins.os.windows.regf.shellbags.USERS_PROPERTY_VIEW(buf)

Bases: SHITEM

STRUCT
guid = None
identifier
property name
class dissect.target.plugins.os.windows.regf.shellbags.UNKNOWN_0x74(buf)

Bases: SHITEM

STRUCT
subitem = None
property name
property modification_time
class dissect.target.plugins.os.windows.regf.shellbags.DELEGATE(buf)

Bases: SHITEM

STRUCT
delegate_identifier
shell_identifier
property name
class dissect.target.plugins.os.windows.regf.shellbags.EXTENSION_BLOCK(buf)
buf
fh
header
property size
property data_size
property version
property signature
__repr__()
class dissect.target.plugins.os.windows.regf.shellbags.EXTENSION_BLOCK_BEEF0004(buf)

Bases: EXTENSION_BLOCK

creation_time
last_accessed
identifier
file_reference = None
long_name = None
localized_name = None
class dissect.target.plugins.os.windows.regf.shellbags.EXTENSION_BLOCK_BEEF0005(buf)

Bases: EXTENSION_BLOCK

shell_items