dissect.target.plugins.os.windows.regf.appxdebugkeys
Module Contents
Classes
Plugin that iterates various AppX debug key locations.
Attributes
- dissect.target.plugins.os.windows.regf.appxdebugkeys.AppxDebugKeyRecord
- class dissect.target.plugins.os.windows.regf.appxdebugkeys.AppxDebugKeysPlugin(target: dissect.target.target.Target)
Bases: dissect.target.plugin.Plugin
Plugin that iterates various AppX debug key locations.
- REGKEY_GLOBS = ('HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\PackagedAppXDebug\\*',...
- check_compatible() → None
Perform a compatibility check with the target.
This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.
- Raises:
UnsupportedPluginError – If the plugin could not be loaded.
- appxdebugkeys() → collections.abc.Iterator[AppxDebugKeyRecord]
Iterate various AppX debug key locations. See source for all locations.
AppX debug keys are registry keys that attach a debugger executable to Universal Windows Platform Apps (AppX). This debugger is executed when the program is launched and is often leveraged as a persistence mechanism.
References
Yields AppXDebugKeyRecords with fields:
hostname (string): The target hostname.
domain (string): The target domain.
ts (datetime): The registry key last modified timestamp.
name (string): The AppX debug key name.
debug_info (string): The AppX debug info.
regf_hive_path (string): The hive file that contains the registry key.
regf_key_path (string): The key's full path in the registry.
username (string): The name of the user this key belongs to.
user_id (string): The id of the user this key belongs to.
user_group (string): The group of the user this key belongs to.
user_home (string): The home directory of the user this key belongs to.
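
Because any entry under these keys launches a debugger with the app, reviewing the yielded records usually means deciding which debug_info values deserve a closer look. The following is an added example, not code from dissect: it triages record-like objects using the ts, debug_info, username and regf_key_path fields listed above. The heuristics, the helper names (debugger_image, triage) and the sample records are assumptions constructed for illustration.

```python
import ntpath
from datetime import datetime, timezone
from types import SimpleNamespace

# Heuristics picked for this example (assumptions, not part of dissect).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

def debugger_image(debug_info):
    """Return the executable part of a debugger command line, lower-cased."""
    cmd = (debug_info or "").strip()
    if cmd.startswith('"'):  # quoted path, arguments follow the closing quote
        return cmd[1:].split('"', 1)[0].lower()
    head, sep, _ = cmd.lower().partition(".exe")  # unquoted path may contain spaces
    return head + sep if sep else cmd.lower().split(" ", 1)[0]

def triage(records):
    """Return (record, reasons) pairs for flagged records, oldest key write first."""
    findings = []
    for rec in records:
        image = debugger_image(rec.debug_info)
        reasons = []
        if any(part in image for part in USER_WRITABLE):
            reasons.append("debugger in user-writable path")
        if ntpath.basename(image) in SCRIPT_HOSTS:
            reasons.append("debugger is a script host or system binary")
        if reasons:
            findings.append((rec, reasons))
    return sorted(findings, key=lambda f: f[0].ts)

# Constructed sample records carrying a subset of the documented fields.
KEY = "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\PackagedAppXDebug\\"
def _rec(day, package, debug_info, username):
    return SimpleNamespace(ts=datetime(2024, 1, day, tzinfo=timezone.utc),
                           debug_info=debug_info, username=username,
                           regf_key_path=KEY + package)

SAMPLE = [
    _rec(3, "Example.AppA_1.0.0.0_x64__constructed", r"C:\Program Files\ExampleIDE\dbg.exe", "alice"),
    _rec(9, "Example.AppB_1.0.0.0_x64__constructed", r'"C:\Users\bob\AppData\Local\Temp\upd.exe" -q', "bob"),
    _rec(5, "Example.AppC_1.0.0.0_x64__constructed", r"C:\Windows\System32\cmd.exe /c run.bat", "bob"),
]

if __name__ == "__main__":
    for rec, reasons in triage(SAMPLE):
        print(rec.ts.date(), rec.username, rec.regf_key_path, rec.debug_info, reasons)
```

Records that are not flagged still warrant a check against the development tools known to be installed on the host, since the heuristics only cover path and binary name.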