# Tweaked from https://github.com/mandiant/ShimCacheParser/commit/c4772b9dc72fd50ba210b7b0636c2d20bea68bc5
# ShimCacheParser.py
#
# Andrew Davis, andrew.davis@mandiant.com
# Copyright 2012 Mandiant
#
# Mandiant licenses this file to you under the Apache License, Version
# 2.0 (the "License"); you may not use this file except in compliance with the
# License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied. See the License for the specific language governing
# permissions and limitations under the License.
#
# Identifies and parses Application Compatibility Shim Cache entries for forensic data.
import sys
import struct
import zipfile
import argparse
import binascii
import datetime
import codecs
import cStringIO as sio
import xml.etree.cElementTree as et
from os import path
from csv import writer
# Values used by Windows 5.2 and 6.0 (Server 2003 through Vista/Server 2008)
CACHE_MAGIC_NT5_2 = 0xbadc0ffe
CACHE_HEADER_SIZE_NT5_2 = 0x8
NT5_2_ENTRY_SIZE32 = 0x18
NT5_2_ENTRY_SIZE64 = 0x20
# Values used by Windows 6.1 (Win7 and Server 2008 R2)
CACHE_MAGIC_NT6_1 = 0xbadc0fee
CACHE_HEADER_SIZE_NT6_1 = 0x80
NT6_1_ENTRY_SIZE32 = 0x20
NT6_1_ENTRY_SIZE64 = 0x30
CSRSS_FLAG = 0x2
# Values used by Windows 5.1 (WinXP 32-bit)
WINXP_MAGIC32 = 0xdeadbeef
WINXP_HEADER_SIZE32 = 0x190
WINXP_ENTRY_SIZE32 = 0x228
MAX_PATH = 520
# Values used by Windows 8
WIN8_STATS_SIZE = 0x80
WIN8_MAGIC = '00ts'
# Magic value used by Windows 8.1
WIN81_MAGIC = '10ts'
# Values used by Windows 10
WIN10_STATS_SIZE = 0x30
WIN10_CREATORS_STATS_SIZE = 0x34
WIN10_MAGIC = '10ts'
CACHE_HEADER_SIZE_NT6_4 = 0x30
CACHE_MAGIC_NT6_4 = 0x30
bad_entry_data = 'N/A'
g_verbose = False
g_usebom = False
output_header = ["Last Modified", "Last Update", "Path", "File Size", "Exec Flag"]
# Date Formats
DATE_MDY = "%m/%d/%y %H:%M:%S"
DATE_ISO = "%Y-%m-%d %H:%M:%S"
g_timeformat = DATE_ISO
# Shim Cache format used by Windows 5.2 and 6.0 (Server 2003 through Vista/Server 2008)
class CacheEntryNt5(object):
def __init__(self, is32bit, data=None):
self.is32bit = is32bit
if data != None:
self.update(data)
def update(self, data):
if self.is32bit:
entry = struct.unpack('<2H 3L 2L', data)
else:
entry = struct.unpack('<2H 4x Q 2L 2L', data)
self.wLength = entry[0]
self.wMaximumLength = entry[1]
self.Offset = entry[2]
self.dwLowDateTime = entry[3]
self.dwHighDateTime = entry[4]
self.dwFileSizeLow = entry[5]
self.dwFileSizeHigh = entry[6]
def size(self):
if self.is32bit:
return NT5_2_ENTRY_SIZE32
else:
return NT5_2_ENTRY_SIZE64
# Shim Cache format used by Windows 6.1 (Win7 through Server 2008 R2)
class CacheEntryNt6(object):
def __init__(self, is32bit, data=None):
self.is32bit = is32bit
if data != None:
self.update(data)
def update(self, data):
if self.is32bit:
entry = struct.unpack('<2H 7L', data)
else:
entry = struct.unpack('<2H 4x Q 4L 2Q', data)
self.wLength = entry[0]
self.wMaximumLength = entry[1]
self.Offset = entry[2]
self.dwLowDateTime = entry[3]
self.dwHighDateTime = entry[4]
self.FileFlags = entry[5]
self.Flags = entry[6]
self.BlobSize = entry[7]
self.BlobOffset = entry[8]
def size(self):
if self.is32bit:
return NT6_1_ENTRY_SIZE32
else:
return NT6_1_ENTRY_SIZE64
# Convert FILETIME to datetime.
# Based on http://code.activestate.com/recipes/511425-filetime-to-datetime/
def convert_filetime(dwLowDateTime, dwHighDateTime):
try:
date = datetime.datetime(1601, 1, 1, 0, 0, 0)
temp_time = dwHighDateTime
temp_time <<= 32
temp_time |= dwLowDateTime
return date + datetime.timedelta(microseconds=temp_time/10)
except OverflowError, err:
return None
# Return a unique list while preserving ordering.
def unique_list(li):
ret_list = []
for entry in li:
if entry not in ret_list:
ret_list.append(entry)
return ret_list
# Write the Log.
def write_it(rows, outfile=None, quiet=True):
try:
if not rows:
print "[-] No data to write..."
return
if not outfile:
for row in rows:
print " ".join(["%s"%x for x in row])
else:
if not quiet: print "[+] Writing output to %s..."%outfile
try:
if "StringIO" in outfile:
return_rows = []
for row in rows:
return_rows.append(",".join(["%s" % x for x in row]))
return return_rows
else:
f = open(outfile, 'wb')
if g_usebom:
f.write(codecs.BOM_UTF8)
csv_writer = writer(f, delimiter=',')
csv_writer.writerows(rows)
f.close()
except IOError, err:
print "[-] Error writing output file: %s" % str(err)
return
except UnicodeEncodeError, err:
print "[-] Error writing output file: %s" % str(err)
return
# Read the Shim Cache format, return a list of last modified dates/paths.
def read_cache(cachebin, quiet=False):
if len(cachebin) < 16:
# Data size less than minimum header size.
return None
try:
# Get the format type
magic = struct.unpack("<L", cachebin[0:4])[0]
# This is a Windows 2k3/Vista/2k8 Shim Cache format,
if magic == CACHE_MAGIC_NT5_2:
# Shim Cache types can come in 32-bit or 64-bit formats. We can
# determine this because 64-bit entries are serialized with u_int64
# pointers. This means that in a 64-bit entry, valid UNICODE_STRING
# sizes are followed by a NULL DWORD. Check for this here.
test_size = struct.unpack("<H", cachebin[8:10])[0]
test_max_size = struct.unpack("<H", cachebin[10:12])[0]
if (test_max_size-test_size == 2 and
struct.unpack("<L", cachebin[12:16])[0] ) == 0:
if not quiet:
print "[+] Found 64bit Windows 2k3/Vista/2k8 Shim Cache data..."
entry = CacheEntryNt5(False)
return read_nt5_entries(cachebin, entry)
# Otherwise it's 32-bit data.
else:
if not quiet:
print "[+] Found 32bit Windows 2k3/Vista/2k8 Shim Cache data..."
entry = CacheEntryNt5(True)
return read_nt5_entries(cachebin, entry)
# This is a Windows 7/2k8-R2 Shim Cache.
elif magic == CACHE_MAGIC_NT6_1:
test_size = (struct.unpack("<H",
cachebin[CACHE_HEADER_SIZE_NT6_1:
CACHE_HEADER_SIZE_NT6_1 + 2])[0])
test_max_size = (struct.unpack("<H", cachebin[CACHE_HEADER_SIZE_NT6_1+2:
CACHE_HEADER_SIZE_NT6_1 + 4])[0])
# Shim Cache types can come in 32-bit or 64-bit formats.
# We can determine this because 64-bit entries are serialized with
# u_int64 pointers. This means that in a 64-bit entry, valid
# UNICODE_STRING sizes are followed by a NULL DWORD. Check for this here.
if (test_max_size-test_size == 2 and
struct.unpack("<L", cachebin[CACHE_HEADER_SIZE_NT6_1+4:
CACHE_HEADER_SIZE_NT6_1 + 8])[0] ) == 0:
if not quiet:
print "[+] Found 64bit Windows 7/2k8-R2 Shim Cache data..."
entry = CacheEntryNt6(False)
return read_nt6_entries(cachebin, entry)
else:
if not quiet:
print "[+] Found 32bit Windows 7/2k8-R2 Shim Cache data..."
entry = CacheEntryNt6(True)
return read_nt6_entries(cachebin, entry)
# This is WinXP cache data
elif magic == WINXP_MAGIC32:
if not quiet:
print "[+] Found 32bit Windows XP Shim Cache data..."
return read_winxp_entries(cachebin)
# Check the data set to see if it matches the Windows 8 format.
elif len(cachebin) > WIN8_STATS_SIZE and cachebin[WIN8_STATS_SIZE:WIN8_STATS_SIZE+4] == WIN8_MAGIC:
if not quiet:
print "[+] Found Windows 8/2k12 Apphelp Cache data..."
return read_win8_entries(cachebin, WIN8_MAGIC)
# Windows 8.1 will use a different magic dword, check for it
elif len(cachebin) > WIN8_STATS_SIZE and cachebin[WIN8_STATS_SIZE:WIN8_STATS_SIZE+4] == WIN81_MAGIC:
if not quiet:
print "[+] Found Windows 8.1 Apphelp Cache data..."
return read_win8_entries(cachebin, WIN81_MAGIC)
# Windows 10 will use a different magic dword, check for it
elif len(cachebin) > WIN10_STATS_SIZE and cachebin[WIN10_STATS_SIZE:WIN10_STATS_SIZE+4] == WIN10_MAGIC:
if not quiet:
print "[+] Found Windows 10 Apphelp Cache data..."
return read_win10_entries(cachebin, WIN10_MAGIC)
# Windows 10 Creators Update will use a different STATS_SIZE, account for it
elif len(cachebin) > WIN10_CREATORS_STATS_SIZE and cachebin[WIN10_CREATORS_STATS_SIZE:WIN10_CREATORS_STATS_SIZE+4] == WIN10_MAGIC:
if not quiet:
print "[+] Found Windows 10 Creators Update Apphelp Cache data..."
return read_win10_entries(cachebin, WIN10_MAGIC, creators_update=True)
else:
print "[-] Got an unrecognized magic value of 0x%x... bailing" % magic
return None
except (RuntimeError, TypeError, NameError), err:
print "[-] Error reading Shim Cache data: %s" % err
return None
# Read Windows 8/2k12/8.1 Apphelp Cache entry formats.
def read_win8_entries(bin_data, ver_magic):
offset = 0
entry_meta_len = 12
entry_list = []
# Skip past the stats in the header
cache_data = bin_data[WIN8_STATS_SIZE:]
data = sio.StringIO(cache_data)
while data.tell() < len(cache_data):
header = data.read(entry_meta_len)
# Read in the entry metadata
# Note: the crc32 hash is of the cache entry data
magic, crc32_hash, entry_len = struct.unpack('<4sLL', header)
# Check the magic tag
if magic != ver_magic:
raise Exception("Invalid version magic tag found: 0x%x" % struct.unpack("<L", magic)[0])
entry_data = sio.StringIO(data.read(entry_len))
# Read the path length
path_len = struct.unpack('<H', entry_data.read(2))[0]
if path_len == 0:
path = 'None'
else:
path = entry_data.read(path_len).decode('utf-16le', 'replace').encode('utf-8')
# Check for package data
package_len = struct.unpack('<H', entry_data.read(2))[0]
if package_len > 0:
# Just skip past the package data if present (for now)
entry_data.seek(package_len, 1)
# Read the remaining entry data
flags, unk_1, low_datetime, high_datetime, unk_2 = struct.unpack('<LLLLL', entry_data.read(20))
# Check the flag set in CSRSS
if (flags & CSRSS_FLAG):
exec_flag = 'True'
else:
exec_flag = 'False'
last_mod_date = convert_filetime(low_datetime, high_datetime)
try:
last_mod_date = last_mod_date.strftime(g_timeformat)
except ValueError:
last_mod_date = bad_entry_data
row = [last_mod_date, 'N/A', path, 'N/A', exec_flag]
entry_list.append(row)
return entry_list
# Read Windows 10 Apphelp Cache entry format
def read_win10_entries(bin_data, ver_magic, creators_update=False):
offset = 0
entry_meta_len = 12
entry_list = []
# Skip past the stats in the header
if creators_update:
cache_data = bin_data[WIN10_CREATORS_STATS_SIZE:]
else:
cache_data = bin_data[WIN10_STATS_SIZE:]
data = sio.StringIO(cache_data)
while data.tell() < len(cache_data):
header = data.read(entry_meta_len)
# Read in the entry metadata
# Note: the crc32 hash is of the cache entry data
magic, crc32_hash, entry_len = struct.unpack('<4sLL', header)
# Check the magic tag
if magic != ver_magic:
raise Exception("Invalid version magic tag found: 0x%x" % struct.unpack("<L", magic)[0])
entry_data = sio.StringIO(data.read(entry_len))
# Read the path length
path_len = struct.unpack('<H', entry_data.read(2))[0]
if path_len == 0:
path = 'None'
else:
path = entry_data.read(path_len).decode('utf-16le', 'replace').encode('utf-8')
# Read the remaining entry data
low_datetime, high_datetime = struct.unpack('<LL', entry_data.read(8))
last_mod_date = convert_filetime(low_datetime, high_datetime)
try:
last_mod_date = last_mod_date.strftime(g_timeformat)
except ValueError:
last_mod_date = bad_entry_data
# Skip the unrecognized Microsoft App entry format for now
if last_mod_date == bad_entry_data:
continue
row = [last_mod_date, 'N/A', path, 'N/A', 'N/A']
entry_list.append(row)
return entry_list
# Read Windows 2k3/Vista/2k8 Shim Cache entry formats.
def read_nt5_entries(bin_data, entry):
try:
entry_list = []
contains_file_size = False
entry_size = entry.size()
exec_flag = ''
num_entries = struct.unpack('<L', bin_data[4:8])[0]
if num_entries == 0:
return None
# On Windows Server 2008/Vista, the filesize is swapped out of this
# structure with two 4-byte flags. Check to see if any of the values in
# "dwFileSizeLow" are larger than 2-bits. This indicates the entry contained file sizes.
for offset in xrange(CACHE_HEADER_SIZE_NT5_2, (num_entries * entry_size) + CACHE_HEADER_SIZE_NT5_2,
entry_size):
entry.update(bin_data[offset:offset+entry_size])
if entry.dwFileSizeLow > 3:
contains_file_size = True
break
# Now grab all the data in the value.
for offset in xrange(CACHE_HEADER_SIZE_NT5_2, (num_entries * entry_size) + CACHE_HEADER_SIZE_NT5_2,
entry_size):
entry.update(bin_data[offset:offset+entry_size])
last_mod_date = convert_filetime(entry.dwLowDateTime, entry.dwHighDateTime)
try:
last_mod_date = last_mod_date.strftime(g_timeformat)
except ValueError:
last_mod_date = bad_entry_data
path = bin_data[entry.Offset:entry.Offset + entry.wLength].decode('utf-16le', 'replace').encode('utf-8')
path = path.replace("\\??\\", "")
# It contains file size data.
if contains_file_size:
hit = [last_mod_date, 'N/A', path, str(entry.dwFileSizeLow), 'N/A']
if hit not in entry_list:
entry_list.append(hit)
# It contains flags.
else:
# Check the flag set in CSRSS
if (entry.dwFileSizeLow & CSRSS_FLAG):
exec_flag = 'True'
else:
exec_flag = 'False'
hit = [last_mod_date, 'N/A', path, 'N/A', exec_flag]
if hit not in entry_list:
entry_list.append(hit)
return entry_list
except (RuntimeError, ValueError, NameError), err:
print "[-] Error reading Shim Cache data: %s..." % err
return None
# Read the Shim Cache Windows 7/2k8-R2 entry format,
# return a list of last modifed dates/paths.
def read_nt6_entries(bin_data, entry):
try:
entry_list = []
exec_flag = ""
entry_size = entry.size()
num_entries = struct.unpack('<L', bin_data[4:8])[0]
if num_entries == 0:
return None
# Walk each entry in the data structure.
for offset in xrange(CACHE_HEADER_SIZE_NT6_1,
num_entries*entry_size + CACHE_HEADER_SIZE_NT6_1,
entry_size):
entry.update(bin_data[offset:offset+entry_size])
last_mod_date = convert_filetime(entry.dwLowDateTime,
entry.dwHighDateTime)
try:
last_mod_date = last_mod_date.strftime(g_timeformat)
except ValueError:
last_mod_date = 'N/A'
path = (bin_data[entry.Offset:entry.Offset +
entry.wLength].decode('utf-16le','replace').encode('utf-8'))
path = path.replace("\\??\\", "")
# Test to see if the file may have been executed.
if (entry.FileFlags & CSRSS_FLAG):
exec_flag = 'True'
else:
exec_flag = 'False'
hit = [last_mod_date, 'N/A', path, 'N/A', exec_flag]
if hit not in entry_list:
entry_list.append(hit)
return entry_list
except (RuntimeError, ValueError, NameError), err:
print '[-] Error reading Shim Cache data: %s...' % err
return None
# Read the WinXP Shim Cache data. Some entries can be missing data but still
# contain useful information, so try to get as much as we can.
def read_winxp_entries(bin_data):
entry_list = []
try:
num_entries = struct.unpack('<L', bin_data[8:12])[0]
if num_entries == 0:
return None
for offset in xrange(WINXP_HEADER_SIZE32,
(num_entries*WINXP_ENTRY_SIZE32) + WINXP_HEADER_SIZE32, WINXP_ENTRY_SIZE32):
# No size values are included in these entries, so search for utf-16 terminator.
path_len = bin_data[offset:offset+(MAX_PATH + 8)].find("\x00\x00")
# if path is corrupt, procede to next entry.
if path_len == 0:
continue
path = bin_data[offset:offset+path_len + 1].decode('utf-16le').encode('utf-8')
# Clean up the pathname.
path = path.replace('\\??\\', '')
if len(path) == 0: continue
entry_data = (offset+(MAX_PATH+8))
# Get last mod time.
last_mod_time = struct.unpack('<2L', bin_data[entry_data:entry_data+8])
try:
last_mod_time = convert_filetime(last_mod_time[0],
last_mod_time[1]).strftime(g_timeformat)
except ValueError:
last_mod_time = 'N/A'
# Get last file size.
file_size = struct.unpack('<2L', bin_data[entry_data + 8:entry_data + 16])[0]
if file_size == 0:
file_size = bad_entry_data
# Get last update time.
exec_time = struct.unpack('<2L', bin_data[entry_data + 16:entry_data + 24])
try:
exec_time = convert_filetime(exec_time[0],
exec_time[1]).strftime(g_timeformat)
except ValueError:
exec_time = bad_entry_data
hit = [last_mod_time, exec_time, path, file_size, 'N/A']
if hit not in entry_list:
entry_list.append(hit)
return entry_list
except (RuntimeError, ValueError, NameError), err:
print "[-] Error reading Shim Cache data %s" % err
return None
def validateSystemFile(fileFullPath):
# Check for dependencies.
try:
from Registry import Registry
except ImportError:
print "[-] Hive parsing requires Registry.py... Didn\'t find it, bailing..."
return False
try:
reg = Registry.Registry(fileFullPath)
except Registry.RegistryParse.ParseException, err:
print "[-] Error parsing %s: %s" % (fileFullPath, err)
return False
root = reg.root().subkeys()
for key in root:
# Check each ControlSet.
try:
if 'controlset' in key.name().lower():
session_man_key = reg.open('%s\\Control\\Session Manager' % key.name())
except Registry.RegistryKeyNotFoundException:
continue
root = reg.root().subkeys()
try:
tmp = reg.root().name()
session_man_key = reg.open('ControlSet001\\Control')
# session_man_key = reg.open('%s\\ControlSet001\\Control\\Session Manager' % reg.root().name())
return True
except Registry.RegistryKeyNotFoundException:
return False
# Get Shim Cache data from a registry hive.
def read_from_hive(hive, quiet=False):
out_list = []
tmp_list = []
# Check for dependencies.
try:
from Registry import Registry
except ImportError:
print "[-] Hive parsing requires Registry.py... Didn\'t find it, bailing..."
sys.exit(2)
try:
reg = Registry.Registry(hive)
except Registry.RegistryParse.ParseException, err:
print "[-] Error parsing %s: %s" % (hive, err)
sys.exit(1)
# Partial hive
partial_hive_path = ('Session Manager', 'AppCompatCache', 'AppCompatibility')
if reg.root().path() in partial_hive_path:
if reg.root().path() == 'Session Manager':
# Only Session Manager
# For example extracted with: reg save "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" "c:\temp\SessionManager.hve" /y
print "[+] Partial hive -- 'Session Manager'"
if reg.root().find_key('AppCompatCache').values():
print "[+] Partial hive -- 'AppCompatCache' or 'AppCompatibility'"
keys = reg.root().find_key('AppCompatCache').values()
else:
# Partial hive AppCompatCache or AppCompatibility
# reg save "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache" "c:\temp\appCompatCache.hve" /y
# reg save "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility" "c:\temp\AppCompatibility.hve" /y
keys = reg.root().values()
for k in keys:
bin_data = str(k.value())
tmp_list = read_cache(bin_data)
if tmp_list:
for row in tmp_list:
if g_verbose:
row.append(k.name())
if row not in out_list:
out_list.append(row)
else:
# Complete hive
root = reg.root().subkeys()
for key in root:
# Check each ControlSet.
try:
if 'controlset' in key.name().lower():
session_man_key = reg.open('%s\\Control\\Session Manager' % key.name())
for subkey in session_man_key.subkeys():
# Read the Shim Cache structure.
if ('appcompatibility' in subkey.name().lower() or
'appcompatcache' in subkey.name().lower()):
bin_data = str(subkey['AppCompatCache'].value())
tmp_list = read_cache(bin_data, quiet)
if tmp_list:
for row in tmp_list:
if g_verbose:
row.append(subkey.path())
if row not in out_list:
out_list.append(row)
except Registry.RegistryKeyNotFoundException:
continue
if len(out_list) == 0:
return None
else:
# Add the header and return the list including duplicates.
if g_verbose:
out_list.insert(0, output_header + ['Key Path'])
return out_list
else:
# Only return unique entries.
out_list = unique_list(out_list)
out_list.insert(0, output_header)
return out_list
# Get Shim Cache data from MIR registry output file.
def read_mir(xml_file, quiet=False):
out_list = []
tmp_list = []
error = ""
# Open the MIR output file.
try:
for (_, reg_item) in et.iterparse(xml_file, events=('end',)):
if reg_item.tag != 'RegistryItem':
continue
path_name = reg_item.find("Path").text
if not path_name:
print "[-] Error XML missing Path"
print et.tostring(reg_item)
reg_item.clear()
continue
path_name = path_name.lower()
# Check to see that we have the right registry value.
if 'control\\session manager\\appcompatcache\\appcompatcache' in path_name \
or 'control\\session manager\\appcompatibility\\appcompatcache' in path_name:
# return the base64 decoded value data.
bin_data = binascii.a2b_base64(reg_item.find('Value').text)
tmp_list = read_cache(bin_data, quiet)
if tmp_list:
for row in tmp_list:
if g_verbose:
row.append(path_name)
if row not in out_list:
out_list.append(row)
reg_item.clear()
except (AttributeError, TypeError, IOError), err:
error = "[-] Error reading MIR XML: %s" % str(err)
print error
return (error, None)
if len(out_list) == 0:
return (error, None)
else:
# Add the header and return the list.
if g_verbose:
out_list.insert(0, output_header + ['Key Path'])
else:
# Only return unique entries.
out_list = unique_list(out_list)
out_list.insert(0, output_header)
return (error, out_list)
# Get Shim Cache data from .reg file.
# Finds the first key named "AppCompatCache" and parses the
# Hex data that immediately follows. It's a brittle parser,
# but the .reg format doesn't change too often.
def read_from_reg(reg_file, quiet=False):
out_list = []
if not path.exists(reg_file):
return None
f = open(reg_file, 'rb')
file_contents = f.read()
f.close()
try:
file_contents = file_contents.decode('utf-16')
except:
pass #.reg file should be UTF-16, if it's not, it might be ANSI, which is not fully supported here.
if not file_contents.startswith('Windows Registry Editor'):
print "[-] Unable to properly decode .reg file: %s" % reg_file
return None
path_name = None
relevant_lines = []
found_appcompat = False
appcompat_keys = 0
for line in file_contents.split("\r\n"):
if '\"appcompatcache\"=hex:' in line.lower():
relevant_lines.append(line.partition(":")[2])
found_appcompat = True
elif '\\appcompatcache]' in line.lower() or '\\appcompatibility]' in line.lower():
# The Registry path is not case sensitive. Case will depend on export parameter.
path_name = line.partition('[')[2].partition(']')[0]
appcompat_keys += 1
elif found_appcompat and "," in line and '\"' not in line:
relevant_lines.append(line)
elif found_appcompat and (len(line) == 0 or '\"' in line):
# begin processing a block
hex_str = "".join(relevant_lines).replace('\\', '').replace(' ', '').replace(',', '')
bin_data = binascii.unhexlify(hex_str)
tmp_list = read_cache(bin_data, quiet)
if tmp_list:
for row in tmp_list:
if g_verbose:
row.append(path_name)
if row not in out_list:
out_list.append(row)
# reset variables for next block
found_appcompat = False
path_name = None
relevant_lines = []
break
if appcompat_keys <= 0:
print "[-] Unable to find value in .reg file: %s" % reg_file
return None
if len(out_list) == 0:
return None
else:
# Add the header and return the list.
if g_verbose:
out_list.insert(0, output_header + ['Key Path'])
return out_list
else:
# Only return unique entries.
out_list = unique_list(out_list)
out_list.insert(0, output_header)
return out_list
# Acquire the current system's Shim Cache data.
def get_local_data():
tmp_list = []
out_list = []
global g_verbose
try:
import _winreg as reg
except ImportError:
print "[-] \'winreg.py\' not found... Is this a Windows system?"
sys.exit(1)
hReg = reg.ConnectRegistry(None, reg.HKEY_LOCAL_MACHINE)
hSystem = reg.OpenKey(hReg, r'SYSTEM')
for i in xrange(1024):
try:
control_name = reg.EnumKey(hSystem, i)
if 'controlset' in control_name.lower():
hSessionMan = reg.OpenKey(hReg,
'SYSTEM\\%s\\Control\\Session Manager' % control_name)
for i in xrange(1024):
try:
subkey_name = reg.EnumKey(hSessionMan, i)
if ('appcompatibility' in subkey_name.lower()
or 'appcompatcache' in subkey_name.lower()):
appcompat_key = reg.OpenKey(hSessionMan, subkey_name)
bin_data = reg.QueryValueEx(appcompat_key,
'AppCompatCache')[0]
tmp_list = read_cache(bin_data)
if tmp_list:
path_name = 'SYSTEM\\%s\\Control\\Session Manager\\%s' % (control_name, subkey_name)
for row in tmp_list:
if g_verbose:
row.append(path_name)
if row not in out_list:
out_list.append(row)
except EnvironmentError:
break
except EnvironmentError:
break
if len(out_list) == 0:
return None
else:
#Add the header and return the list.
if g_verbose:
out_list.insert(0, output_header + ['Key Path'])
return out_list
else:
#Only return unique entries.
out_list = unique_list(out_list)
out_list.insert(0, output_header)
return out_list
# Read a MIR XML zip archive.
def read_zip(zip_name):
zip_contents = []
tmp_list = []
final_list = []
out_list = []
hostname = ""
try:
# Open the zip archive.
archive = zipfile.ZipFile(zip_name)
for zip_file in archive.infolist():
zip_contents.append(zip_file.filename)
print "[+] Processing %d registry acquisitions..." % len(zip_contents)
for item in zip_contents:
try:
if '_w32registry.xml' not in item:
continue
filename = item.split('/')
if len(filename) > 0:
filename = filename.pop()
else:
continue
# Get the hostname from the MIR xml filename.
hostname = '-'.join(filename.split('-')[:-3])
xml_file = archive.open(item)
# Catch possibly corrupt MIR XML data.
try:
out_list = read_mir(xml_file, quiet=True)
except(struct.error, et.ParseError), err:
print "[-] Error reading XML data from host: %s, data looks corrupt. Continuing..." % hostname
continue
# Add the hostname to the entry list.
if not out_list or len(out_list) == 0:
continue
else:
for li in out_list:
if "Last Modified" not in li[0]:
li.insert(0, hostname)
final_list.append(li)
except IOError, err:
print "[-] Error opening file: %s in MIR archive: %s" % (item, err)
continue
# Add the final header.
final_list.insert(0, ("Hostname", "Last Modified", "Last Update",
"Path", "File Size", "File Executed", "Key Path"))
return final_list
except (IOError, zipfile.BadZipfile, struct.error), err:
print "[-] Error reading zip archive: %s" % zip_name
return None
# Do the work.
def main(argv=[]):
global g_verbose
global g_timeformat
global g_usebom
parser = argparse.ArgumentParser(description="Parses Application Compatibilty Shim Cache data")
parser.add_argument("-v", "--verbose", action="store_true",
help="Toggles verbose output")
parser.add_argument("-t","--isotime", action="store_const", dest="timeformat", const=DATE_ISO, default=DATE_MDY,
help="Use YYYY-MM-DD ISO format instead of MM/DD/YY default")
parser.add_argument("-B", "--bom", action="store_true", help="Write UTF8 BOM to CSV for easier Excel 2007+ import")
group = parser.add_argument_group()
group.add_argument("-o", "--out", metavar="FILE", help="Writes to CSV data to FILE (default is STDOUT)")
group = parser.add_mutually_exclusive_group()
group.add_argument("-l", "--local", action="store_true", help="Reads data from local system")
group.add_argument("-b", "--bin", metavar="BIN", help="Reads data from a binary BIN file")
group.add_argument("-m", "--mir", metavar="XML", help="Reads data from a MIR XML file")
group.add_argument("-z", "--zip", metavar="ZIP", help="Reads ZIP file containing MIR registry acquisitions")
group.add_argument("-i", "--hive", metavar="HIVE", help="Reads data from a registry reg HIVE")
group.add_argument("-r", "--reg", metavar="REG", help="Reads data from a .reg registry export file")
args = parser.parse_args(argv[1:])
if args.verbose:
g_verbose = True
# Set date/time format
g_timeformat = args.timeformat
# Enable UTF8 Byte Order Mark (BOM) so Excel imports correctly
if args.bom:
g_usebom = True
# Pull Shim Cache MIR XML.
if args.mir:
print "[+] Reading MIR output XML file: %s..." % args.mir
try:
with file(args.mir, 'rb') as xml_data:
entries = read_mir(xml_data)
if not entries:
print "[-] No Shim Cache entries found..."
return
else:
write_it(entries, args.out)
except IOError, err:
print "[-] Error opening binary file: %s" % str(err)
return
# Process a MIR XML ZIP archive
elif args.zip:
print "[+] Reading MIR XML zip archive: %s..." % args.zip
entries = read_zip(args.zip)
if not entries:
print "[-] No Shim Cache entries found..."
else:
write_it(entries, args.out)
# Read the binary file.
elif args.bin:
print "[+] Reading binary file: %s..." % args.bin
try:
with file(args.bin, 'rb') as bin_data:
bin_data = bin_data.read()
except IOError, err:
print "[-] Error opening binary file: %s" % str(err)
return
entries = read_cache(bin_data)
if not entries:
print "[-] No Shim Cache entries found..."
else:
write_it(entries, args.out)
# Read the key data from a registry hive.
elif args.reg:
print "[+] Reading .reg file: %s..." % args.reg
entries = read_from_reg(args.reg)
if not entries:
print "[-] No Shim Cache entries found..."
else:
write_it(entries, args.out)
elif args.hive:
print "[+] Reading registry hive: %s..." % args.hive
try:
entries = read_from_hive(args.hive)
if not entries:
print "[-] No Shim Cache entries found..."
else:
write_it(entries, args.out)
except IOError, err:
print "[-] Error opening hive file: %s" % str(err)
return
# Read the local Shim Cache data from the current system
elif args.local:
print "[+] Dumping Shim Cache data from the current system..."
entries = get_local_data()
if not entries:
print "[-] No Shim Cache entries found..."
else:
write_it(entries, args.out)
if __name__ == '__main__':
main(sys.argv)
