`dissect.target.plugins.os.windows.regf.shimcache`¶

Module Contents¶

Classes¶

`SHIMCACHE_WIN_TYPE`	Shimcache version mapping.
`ShimCache`
`ShimcachePlugin`	Shimcache plugin.

Functions¶

`win_10_path`
`win_8_path`
`nt52_entry_type`
`nt61_entry_type`

Attributes¶

`ShimcacheRecord`
`shim_def`
`c_shim`
`MAGIC_NT61`
`MAGIC_NT52`
`MAGIC_WIN81`
`MAGIC_WIN10`
`TYPE_VARIATIONS`
`ShimCacheGeneratorType`

dissect.target.plugins.os.windows.regf.shimcache.ShimcacheRecord¶

dissect.target.plugins.os.windows.regf.shimcache.shim_def = Multiline-String¶

Show Value

"""
struct NT61_HEADER {
    uint32 magic;
    uint32 num_entries;
};

struct NT61_64_ENTRY {
    uint16 len;
    uint16 maxlen;
    uint32 _align;
    uint64 offset;
    uint64 ts;
    uint32 fileflags;
    uint32 flags;
    uint64 blobsize;
    uint64 bloboffset;
};

struct NT52_HEADER {
    uint32 magic;
    uint32 num_entries;
};

struct NT52_ENTRY_32 {
    uint16 len;
    uint16 maxlen;
    uint32 offset;
    uint64 ts;
    uint64 filesize;
};


struct NT52_ENTRY_64 {
    uint16 len;
    uint16 maxlen;
    uint32 _padding;
    uint64 offset;
    uint64 ts;
    uint64 filesize;
};

struct WIN81_ENTRY {
    uint32 magic;
    uint32 crc;
    uint32 len;
    char data[len];
};

struct WIN81_ENTRY_DATA {
    uint16 path_len;
    wchar path[path_len/2];
    uint16 pkg_len;
    wchar pkg[pkg_len/2];
    uint32 flags;
    uint32 a;
    uint64 ts;
    uint32 b;
};

struct WIN81_ENTRY_DATA_SINGLE {
    uint16 path_len;
    wchar path[path_len/2];
    uint32 flags;
};

struct WIN10_ENTRY {
    uint32 magic;
    uint32 crc;
    uint32 len;
    char data[len];
};

struct WIN10_ENTRY_DATA {
    uint16 path_len;
    wchar path[path_len/2];
    uint64 ts;
};
"""

dissect.target.plugins.os.windows.regf.shimcache.c_shim¶

dissect.target.plugins.os.windows.regf.shimcache.MAGIC_NT61 = 3134984174¶

dissect.target.plugins.os.windows.regf.shimcache.MAGIC_NT52 = 3134984190¶

dissect.target.plugins.os.windows.regf.shimcache.MAGIC_WIN81 = 1936994353¶

dissect.target.plugins.os.windows.regf.shimcache.MAGIC_WIN10 = 1936994353¶

class dissect.target.plugins.os.windows.regf.shimcache.SHIMCACHE_WIN_TYPE¶

Bases: enum.IntEnum

Shimcache version mapping.

VERSION_WIN10_CREATORS = 4097¶

VERSION_WIN10 = 4096¶

VERSION_WIN81 = 2049¶

VERSION_NT61 = 1537¶

VERSION_NT52 = 1282¶

VERSION_WIN81_NO_HEADER = 4098¶

dissect.target.plugins.os.windows.regf.shimcache.win_10_path(ed: dissect.cstruct.Structure) → str¶

dissect.target.plugins.os.windows.regf.shimcache.win_8_path(ed: dissect.cstruct.Structure) → str¶

dissect.target.plugins.os.windows.regf.shimcache.nt52_entry_type(fh: bytes) → dissect.cstruct.Structure¶

dissect.target.plugins.os.windows.regf.shimcache.nt61_entry_type(fh: bytes) → dissect.cstruct.Structure¶

dissect.target.plugins.os.windows.regf.shimcache.TYPE_VARIATIONS¶

exception dissect.target.plugins.os.windows.regf.shimcache.CRCMismatchException(message: str | None = None, extra: list[Exception] | None = None)¶

Bases: dissect.target.exceptions.Error

Generic dissect.target error.

dissect.target.plugins.os.windows.regf.shimcache.ShimCacheGeneratorType¶

class dissect.target.plugins.os.windows.regf.shimcache.ShimCache(fh: io.BytesIO, ntversion: str, noheader: bool = False)¶

fh¶

ntversion¶

noheader = False¶

version¶

__iter__() → collections.abc.Iterator[ShimCacheGeneratorType]¶

identify() → SHIMCACHE_WIN_TYPE¶: Identify which SHIMCACHE version to use.

iter_win_8_plus(headers: tuple[dissect.cstruct.Structure, dissect.cstruct.Structure], offset: int, path_finder: collections.abc.Callable) → collections.abc.Iterator[ShimCacheGeneratorType]¶

iter_nt(header: dissect.cstruct.Structure, offset: int, header_function: collections.abc.Callable) → collections.abc.Iterator[tuple[datetime.datetime, str]]¶

class dissect.target.plugins.os.windows.regf.shimcache.ShimcachePlugin(target: dissect.target.target.Target)¶

Bases: dissect.target.plugin.Plugin

Shimcache plugin.

KEYS = ('HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\AppCompatCache',...¶

check_compatible() → None¶

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:: UnsupportedPluginError – If the plugin could not be loaded.

shimcache() → collections.abc.Iterator[ShimcacheRecord]¶

Return the shimcache.

The ShimCache or AppCompatCache stores registry keys related to properties from older Windows versions for compatibility purposes. Since it contains information about files such as the last modified date and the file size, it can be useful in forensic investigations.

References

https://www.andreafortuna.org/2017/10/16/amcache-and-shimcache-in-forensic-analysis/

Yields ShimcacheRecords with the following fields:

hostname (string): The target hostname.
domain (string): The target domain.
last_modified (datetime): The last modified date.
name (string): The value name.
index (varint): The index of the entry.
path (uri): The parsed path.

dissect.target.plugins.os.windows.regf.shimcache¶

Module Contents¶

Classes¶

Functions¶

Attributes¶

`dissect.target.plugins.os.windows.regf.shimcache`¶