
Module shimcache


Shimcache plugin.

This code is based on work by:

# Authors:
# Volatility Plugin Development
# * Fred House - Mandiant, a FireEye Company
#   Twitter: @0xF2EDCA5A
#
# Windows Shimcache Analysis
# * Andrew Davis - Mandiant, a FireEye Company
# * Claudiu Teodorescu - FireEye Inc.
#   - Twitter: @cteo1

https://github.com/fireeye/Volatility-Plugins.git

and the paper: https://www.fireeye.com/blog/threat-research/2015/10/shim_shady_live_inv/shim-shady-part-2.html

Classes
  ShimCacheMem
    Extract the Application Compatibility Shim Cache from kernel memory.

Functions
  AddShimProfiles(profile)
Variables
  shimcache_xp_x86 = {'SHIM_CACHE_ENTRY': [552, {'FileSize': [53...
  shimcache_win7_x64 = {'SHIM_CACHE_ENTRY': [None, {'BlobBuffer'...
  shimcache_win7_x86 = {'SHIM_CACHE_ENTRY': [None, {'BlobBuffer'...
  shimcache_win8_x64 = {'SHIM_CACHE_ENTRY': [None, {'ListEntry':...
  shimcache_win8_x86 = {'SHIM_CACHE_ENTRY': [None, {'ListEntry':...
  shimcache_win10_x86 = {'SHIM_CACHE_ENTRY': [None, {'ListEntry'...
  shimcache_win10_x64 = {'SHIM_CACHE_ENTRY': [None, {'ListEntry'...
  __package__ = 'rekall.plugins.windows'
Variables Details

shimcache_xp_x86

Value:
{'SHIM_CACHE_ENTRY': [552,
                      {'FileSize': [536, ['long long']],
                       'LastModified': [528, ['WinFileTime']],
                       'LastUpdate': [544, ['WinFileTime']],
                       'Path': [0, ['UnicodeString', {'length': 520}]]}],
 'SHIM_CACHE_HEADER': [None,
                       {'Entries': [400, ['Array', {'count': <function
...

shimcache_win7_x64

Value:
{'SHIM_CACHE_ENTRY': [None,
                      {'BlobBuffer': [56, ['unsigned long']],
                       'BlobSize': [48, ['unsigned long long']],
                       'InsertFlags': [40, ['unsigned int']],
                       'LastModified': [32, ['WinFileTime']],
                       'ListEntry': [0, ['_LIST_ENTRY']],
                       'Path': [16, ['_UNICODE_STRING']],
                       'ShimFlags': [44, ['unsigned int']]}]}

shimcache_win7_x86

Value:
{'SHIM_CACHE_ENTRY': [None,
                      {'BlobBuffer': [36, ['unsigned long']],
                       'BlobSize': [32, ['unsigned long long']],
                       'InsertFlags': [24, ['unsigned int']],
                       'LastModified': [16, ['WinFileTime']],
                       'ListEntry': [0, ['_LIST_ENTRY']],
                       'Path': [8, ['_UNICODE_STRING']],
                       'ShimFlags': [28, ['unsigned int']]}]}

shimcache_win8_x64

Value:
{'SHIM_CACHE_ENTRY': [None,
                      {'ListEntry': [0, ['_LIST_ENTRY']],
                       'ListEntryDetail': [56,
                                           ['Pointer',
                                            {'target': 'SHIM_CACHE_ENTRY_DETAIL'}]],
                       'Path': [24, ['_UNICODE_STRING']]}],
 'SHIM_CACHE_ENTRY_DETAIL': [None, {'BlobBuffer': [32, ['unsigned long
...

shimcache_win8_x86

Value:
{'SHIM_CACHE_ENTRY': [None,
                      {'ListEntry': [0, ['_LIST_ENTRY']],
                       'ListEntryDetail': [32,
                                           ['Pointer',
                                            {'target': 'SHIM_CACHE_ENTRY_DETAIL'}]],
                       'Path': [16, ['_UNICODE_STRING']]}],
 'SHIM_CACHE_ENTRY_DETAIL': [None, {'BlobBuffer': [20, ['unsigned long
...

shimcache_win10_x86

Value:
{'SHIM_CACHE_ENTRY': [None,
                      {'ListEntry': [0, ['_LIST_ENTRY']],
                       'ListEntryDetail': [20,
                                           ['Pointer',
                                            {'target': 'SHIM_CACHE_ENTRY_DETAIL'}]],
                       'Path': [12, ['_UNICODE_STRING']]}],
 'SHIM_CACHE_ENTRY_DETAIL': [None, {'BlobBuffer': [20, ['unsigned long
...

shimcache_win10_x64

Value:
{'SHIM_CACHE_ENTRY': [None,
                      {'ListEntry': [0, ['_LIST_ENTRY']],
                       'ListEntryDetail': [40,
                                           ['Pointer',
                                            {'target': 'SHIM_CACHE_ENTRY_DETAIL'}]],
                       'Path': [24, ['_UNICODE_STRING']]}],
 'SHIM_CACHE_ENTRY_DETAIL': [None, {'BlobBuffer': [24, ['unsigned long
...