dissect.target.plugins.os.windows.regf.appxdebugkeys#
Module Contents#
Classes#
Plugin that iterates various AppX debug key locations |
Attributes#
- dissect.target.plugins.os.windows.regf.appxdebugkeys.AppxDebugKeyRecord#
- class dissect.target.plugins.os.windows.regf.appxdebugkeys.AppxDebugKeysPlugin(target: dissect.target.Target)#
Bases:
dissect.target.plugin.PluginPlugin that iterates various AppX debug key locations
- REGKEY_GLOBS = ['HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\PackagedAppXDebug\\*',...#
- check_compatible() None#
Perform a compatibility check with the target.
This function should return
Noneif the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise anUnsupportedPluginError.- Raises:
UnsupportedPluginError – If the plugin could not be loaded.
- appxdebugkeys() Iterator[AppxDebugKeyRecord]#
Iterate various AppX debug key locations. See source for all locations.
AppX debug keys are registry keys that attach a debugger executable to Universal Windows Platform Apps (AppX). This debugger is executed when the program is launched and is often leveraged as a persistence mechanism.
References
- Yields AppXDebugKeyRecords with fields:
hostname (string): The target hostname. domain (string): The target domain. ts (datetime): The registry key last modified timestamp. name (string): The AppX debug key name. debug_info (string): The AppX debug info. regf_hive_path (string): The hive file that contains the registry key. regf_key_path (string): The key’s full path in the registry. username (string): The name of the user this key belongs to. user_id (string): The id of the user this key belongs to. user_group (string): The group of the user this key belongs to. user_home (string): The home directory of the user this key belongs to.