`dissect.target.loaders.phobos`¶

Module Contents¶

Classes¶

PhobosLoader

Load Phobos Ransomware files.

Functions¶

scrape_pos

Attributes¶

`BLOCK_SIZE`
`NTFS_NEEDLE`
`EXTFS_NEEDLE`
`EXTFS_NEEDLE_OFFSET`
`FS_NEEDLES`

dissect.target.loaders.phobos.BLOCK_SIZE = 67108864¶

dissect.target.loaders.phobos.NTFS_NEEDLE = b'\xebR\x90NTFS \x00'¶

dissect.target.loaders.phobos.EXTFS_NEEDLE = b'\xff\xffS\xef'¶

dissect.target.loaders.phobos.EXTFS_NEEDLE_OFFSET = 55296¶

dissect.target.loaders.phobos.FS_NEEDLES¶

dissect.target.loaders.phobos.scrape_pos(fp: BinaryIO, needles: list[bytes], block_size: int = BLOCK_SIZE) → collections.abc.Iterator[tuple[bytes, int]]¶

class dissect.target.loaders.phobos.PhobosLoader(path: pathlib.Path, *, parsed_path: urllib.parse.ParseResult | None = None, resolve: bool = True, **kwargs)¶

Bases: dissect.target.loader.Loader

Load Phobos Ransomware files.

References

https://www.hhs.gov/sites/default/files/overview-phobos-ransomware.pdf

static detect(path: pathlib.Path) → bool¶

Detects wether this Loader class can load this specific path.

Parameters:: path – The target path to check.
Returns:: True if the path can be loaded by a Loader instance. False otherwise.

map(target: dissect.target.target.Target) → None¶

Maps the loaded path into a Target.

Parameters:: target – The target that we’re mapping into.

dissect.target.loaders.phobos¶

Module Contents¶

Classes¶

Functions¶

Attributes¶

`dissect.target.loaders.phobos`¶