dissect.target.plugins.os.windows.rdpcache

Module Contents

Classes

BitmapTile
RdpCachePlugin	Plugin to extract the RDP Bitmap Cache from a Windows target.

Functions

parse_color_data	Parse bitmap color data.
tile_to_bitmap	Given a tile, convert it to a valid bitmap file.
wrap_square_colors_in_border	Wrap color data in a colored-border.
assemble_tiles_into_collage	Assemble a list of tiles into one tile containing all color data.
extract_bin	Extract bitmap tiles from a Cache000[1-4].bin bitmap cache file.
extract_bmc	Extract bitmap cache from bmc files, which are typically found on older Windows versions.

Attributes

bitmap_cache_def
bitmap_def
c_bitmap_cache
c_bmp
BMP_MAGIC
BIN_MAGIC
BMP_DATA_OFFSET
LCS_WINDOWS_COLOR_SPACE
EMPTY_LOGICAL_COLOR_SPACE
EMPTY_PIXEL
BORDER_PIXEL
RDPCacheRecord

dissect.target.plugins.os.windows.rdpcache.bitmap_cache_def = Multiline-String

Show Value

"""
// https://www.cert.ssi.gouv.fr/actualite/CERTFR-2016-ACT-017/
struct bin_header {
    CHAR    magic[8];
    DWORD   version;
};

struct bin_tile_header {
    DWORD   key1;
    DWORD   key2;
    WORD    tile_width;
    WORD    tile_height;
};

struct bmc_tile_header {
    DWORD   key1;
    DWORD   key2;
    WORD    tile_width;
    WORD    tile_height;
    DWORD   tile_length;
    DWORD   tile_params_unk_1: 3;
    DWORD   tile_params_compression: 1;
    DWORD   tile_params_unk_2: 28;
};
"""

dissect.target.plugins.os.windows.rdpcache.bitmap_def = Multiline-String

Show Value

"""
// https://stackoverflow.com/questions/20864752/how-is-defined-the-data-type-fxpt2dot30-in-the-bmp-file-structure
typedef LONG FXPT2DOT30;

// https://learn.microsoft.com/en-us/windows/win32/api/wingdi/ns-wingdi-ciexyz
struct CIEXYZ {
    FXPT2DOT30  ciexyzX;
    FXPT2DOT30  ciexyzY;
    FXPT2DOT30  ciexyzZ;
};

// https://learn.microsoft.com/en-us/windows/win32/api/wingdi/ns-wingdi-ciexyztriple
struct CIEXYZTRIPLE {
    CIEXYZ  ciexyzRed;
    CIEXYZ  ciexyzGreen;
    CIEXYZ  ciexyzBlue;
};

// https://learn.microsoft.com/en-us/windows/win32/api/wingdi/ns-wingdi-bitmapfileheader
struct BITMAPFILEHEADER {
    WORD    bfType;
    DWORD   bfSize;
    WORD    bfReserved1;
    WORD    bfReserved2;
    DWORD   bfOffBits;
};

// https://learn.microsoft.com/en-us/windows/win32/api/wingdi/ns-wingdi-bitmapv4header
struct BITMAPV4HEADER {
    DWORD           bV4Size;
    LONG            bV4Width;
    LONG            bV4Height;
    WORD            bV4Planes;
    WORD            bV4BitCount;
    DWORD           bV4V4Compression;
    DWORD           bV4SizeImage;
    LONG            bV4XPelsPerMeter;
    LONG            bV4YPelsPerMeter;
    DWORD           bV4ClrUsed;
    DWORD           bV4ClrImportant;
    DWORD           bV4RedMask;
    DWORD           bV4GreenMask;
    DWORD           bV4BlueMask;
    DWORD           bV4AlphaMask;
    DWORD           bV4CSType;
    CIEXYZTRIPLE    bV4Endpoints;
    DWORD           bV4GammaRed;
    DWORD           bV4GammaGreen;
    DWORD           bV4GammaBlue;
};
"""

dissect.target.plugins.os.windows.rdpcache.c_bitmap_cache

dissect.target.plugins.os.windows.rdpcache.c_bmp

dissect.target.plugins.os.windows.rdpcache.BMP_MAGIC

dissect.target.plugins.os.windows.rdpcache.BIN_MAGIC = b'RDP8bmp\x00'

dissect.target.plugins.os.windows.rdpcache.BMP_DATA_OFFSET

dissect.target.plugins.os.windows.rdpcache.LCS_WINDOWS_COLOR_SPACE

dissect.target.plugins.os.windows.rdpcache.EMPTY_LOGICAL_COLOR_SPACE

dissect.target.plugins.os.windows.rdpcache.EMPTY_PIXEL = b'\xff\xff\xff\x00'

dissect.target.plugins.os.windows.rdpcache.BORDER_PIXEL = b'\x80\x80\x80\xff'

dissect.target.plugins.os.windows.rdpcache.RDPCacheRecord

class dissect.target.plugins.os.windows.rdpcache.BitmapTile

width: int

height: int

colors: bytes

is_remnant: bool = False

dissect.target.plugins.os.windows.rdpcache.parse_color_data(data: bytes, reverse_rows: bool = False, row_width: int = 64) → bytes

Parse bitmap color data.

Optionally can reverse the row order of the bitmap data, which is useful when parsing a bitmap that is top-down when you want it to be bottom-up (like in .bin files). Assumes 32 bits-per-pixel.

dissect.target.plugins.os.windows.rdpcache.tile_to_bitmap(tile: BitmapTile) → bytes

Given a tile, convert it to a valid bitmap file.

dissect.target.plugins.os.windows.rdpcache.wrap_square_colors_in_border(colors: bytes, side_length: int, border_pixel: bytes, border_thickness: int) → bytes

Wrap color data in a colored-border.

dissect.target.plugins.os.windows.rdpcache.assemble_tiles_into_collage(tiles: list[BitmapTile], border_around_tile: int = 0) → BitmapTile

Assemble a list of tiles into one tile containing all color data.

dissect.target.plugins.os.windows.rdpcache.extract_bin(fh: BinaryIO) → collections.abc.Iterator[BitmapTile]

Extract bitmap tiles from a Cache000[1-4].bin bitmap cache file.

These files are found on modern Windows versions.

dissect.target.plugins.os.windows.rdpcache.extract_bmc(fh: BinaryIO) → collections.abc.Iterator[BitmapTile]

Extract bitmap cache from bmc files, which are typically found on older Windows versions.

class dissect.target.plugins.os.windows.rdpcache.RdpCachePlugin(target: dissect.target.target.Target)

Bases: dissect.target.plugin.Plugin

Plugin to extract the RDP Bitmap Cache from a Windows target.

References

• https://www.cert.ssi.gouv.fr/actualite/CERTFR-2016-ACT-017/

__namespace__ = 'rdpcache'

Defines the plugin namespace.

CACHE_PATH = 'AppData/Local/Microsoft/Terminal Server Client/Cache/'

GLOBS = ('Cache*.bin', 'bcache2*.bmc')

check_compatible() → None

At least one bitmap cache file with contents is necessary.

paths() → collections.abc.Iterator[RDPCacheRecord]

Yield paths and timestamps of RDP Cache bitmap files.

recover(output_dir: pathlib.Path, no_individual_tiles: bool, as_collage: bool, as_grid: bool, remnants: str) → None

Extract bitmaps from Windows’ RDP Client cache files.