dissect.target.plugins.os.windows.catroot
Module Contents
Classes
- CatrootPlugin: Catroot plugin.
Functions
- find_package_name: Find a sequence that contains the 'PackageName' key and return the value if present.
Attributes
- dissect.target.plugins.os.windows.catroot.HAS_ASN1 = True
- dissect.target.plugins.os.windows.catroot.HINT_NEEDLE = b'\x1e\x08\x00H\x00i\x00n\x00t'
- dissect.target.plugins.os.windows.catroot.PACKAGE_NAME_NEEDLE = b'\x06\n+\x06\x01\x04\x01\x827\x0c\x02\x01'
- dissect.target.plugins.os.windows.catroot.DIGEST_NEEDLES
- dissect.target.plugins.os.windows.catroot.CatrootRecord
- dissect.target.plugins.os.windows.catroot.find_package_name(hint_buf: bytes) -> str | None
Find a sequence that contains the ‘PackageName’ key and return the value if present.
- class dissect.target.plugins.os.windows.catroot.CatrootPlugin(target)
Bases: dissect.target.plugin.Plugin
Catroot plugin.
Parses catroot files for hashes and file hints.
- __namespace__ = 'catroot'
Defines the plugin namespace.
- catroot_dir
- catroot2_dir
- check_compatible() -> None
Perform a compatibility check with the target.
This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.
Raises: UnsupportedPluginError – If the plugin could not be loaded.
- files() -> Iterator[CatrootRecord]
Return the content of the catalog files in the CatRoot folder.
A catalog file contains a collection of cryptographic hashes, or thumbprints. These files are generally used to verify the integrity of Windows operating system files, instead of per-file authenticode signatures.
At the moment, parsing catalog files is done on best effort. asn1crypto is not able to fully parse the encap_content_info, highly likely because Microsoft uses its own format. Future research should result in a more resilient and complete implementation of the catroot.files plugin.
References
https://www.thewindowsclub.com/catroot-catroot2-folder-reset-windows
https://docs.microsoft.com/en-us/windows-hardware/drivers/install/catalog-files
Yields CatrootRecords with the following fields:
  - hostname (string): The target hostname.
  - domain (string): The target domain.
  - digest (digest): The parsed digest.
  - hints (string[]): File hints, if present.
  - catroot_name (string): Catroot name.
  - source (path): Source of the catroot record.
- catdb() -> Iterator[CatrootRecord]
Return the hash values present in the catdb files in the catroot2 folder.
The catdb file is an ESE database file that contains the digests of the catalog files present on the system. This database is used to speed up the process of validating a Portable Executable (PE) file.
Note: catalog files can include file hints; however, these do not seem to be present in the catdb files.
References
https://www.thewindowsclub.com/catroot-catroot2-folder-reset-windows
https://docs.microsoft.com/en-us/windows-hardware/drivers/install/catalog-files
Yields CatrootRecords with the following fields:
  - hostname (string): The target hostname.
  - domain (string): The target domain.
  - digest (digest): The parsed digest.
  - hints (string[]): File hints, if present.
  - catroot_name (string): Catroot name.
  - source (path): Source of the catroot record.
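
The following is an added example, not dissect's own code: it decodes the HINT_NEEDLE and PACKAGE_NAME_NEEDLE constants listed under Attributes as single DER TLVs, then uses HINT_NEEDLE for a best-effort scan of the kind files() describes. The helper names (`read_tlv`, `decode_oid`, `describe_needle`, `hint_after_needle`) and the sample layout (key, INTEGER flags, OCTET STRING holding UTF-16LE text) are assumptions made for illustration.

```python
from __future__ import annotations

HINT_NEEDLE = b"\x1e\x08\x00H\x00i\x00n\x00t"  # both needles copied from this page
PACKAGE_NAME_NEEDLE = b"\x06\n+\x06\x01\x04\x01\x827\x0c\x02\x01"
TAG_INTEGER, TAG_OCTET_STRING, TAG_OID, TAG_BMPSTRING = 0x02, 0x04, 0x06, 0x1E

def read_tlv(buf: bytes, offset: int = 0) -> tuple[int, bytes, int]:
    """Read one short-form DER TLV and return (tag, value, next_offset)."""
    tag, length = buf[offset], buf[offset + 1]
    end = offset + 2 + length
    if length & 0x80 or end > len(buf):
        raise ValueError("long-form length or truncated TLV")
    return tag, buf[offset + 2 : end], end

def decode_oid(value: bytes) -> str:
    """Turn OBJECT IDENTIFIER content octets into dotted notation."""
    subids, acc = [], 0
    for byte in value:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last octet of a sub-identifier
            subids.append(acc)
            acc = 0
    first = min(subids[0] // 40, 2)
    return ".".join(map(str, [first, subids[0] - 40 * first, *subids[1:]]))

def describe_needle(needle: bytes) -> tuple[str, str]:
    """Name the ASN.1 type a needle encodes and render its value."""
    tag, value, _ = read_tlv(needle)
    if tag == TAG_OID:
        return "OBJECT IDENTIFIER", decode_oid(value)
    if tag == TAG_BMPSTRING:
        return "BMPString", value.decode("utf-16-be")
    raise ValueError(f"unexpected tag 0x{tag:02x}")

def hint_after_needle(buf: bytes) -> str | None:
    """Hypothetical helper: the value that follows the 'Hint' key, or None."""
    try:
        pos = buf.index(HINT_NEEDLE)  # ValueError when the needle is absent
        _, _, nxt = read_tlv(buf, pos)  # the BMPString key itself
        flags_tag, _, nxt = read_tlv(buf, nxt)  # assumed INTEGER flags
        value_tag, value, _ = read_tlv(buf, nxt)  # assumed OCTET STRING value
        text = value.decode("utf-16-le").rstrip("\x00")
    except (ValueError, IndexError):  # absent needle, truncation, bad text
        return None
    return text if (flags_tag, value_tag) == (TAG_INTEGER, TAG_OCTET_STRING) else None

# Constructed sample (not from a real catalog): SEQUENCE { key, flags, value }.
_VALUE = "sample.dll\x00".encode("utf-16-le")
_BODY = HINT_NEEDLE + b"\x02\x04\x10\x01\x00\x01" + bytes([TAG_OCTET_STRING, len(_VALUE)]) + _VALUE
SAMPLE = bytes([0x30, len(_BODY)]) + _BODY
```

Scanning for a byte needle rather than walking the whole ASN.1 tree means a truncated or unexpected structure yields `None` instead of aborting the parse of the remaining catalog content.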