Add MUIcache plugin (#87)

Zawadidone · web-flow · commit 156eb61b0961 · 2022-12-05T16:22:38.000+01:00
diff --git a/dissect/target/plugins/os/windows/regf/muicache.py b/dissect/target/plugins/os/windows/regf/muicache.py
@@ -0,0 +1,94 @@
+from typing import Generator
+
+from flow.record.fieldtypes import path
+
+from dissect.target.helpers.descriptor_extensions import (
+    UserRecordDescriptorExtension,
+    RegistryRecordDescriptorExtension,
+)
+from dissect.target.helpers.record import create_extended_descriptor
+from dissect.target.helpers.regutil import RegistryKey
+from dissect.target.plugin import Plugin, export
+
+MuiCacheRecord = create_extended_descriptor([RegistryRecordDescriptorExtension, UserRecordDescriptorExtension])(
+    "windows/registry/muicache",
+    [
+        ("varint", "index"),
+        ("string", "name"),
+        ("string", "value"),
+        ("path", "path"),
+    ],
+)
+
+
+class MuiCachePlugin(Plugin):
+    """Plugin that iterates various MUIcache locations."""
+
+    KEYS = [
+        "HKCU\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\Shell\\MuiCache",  # NT >= 6.0
+        "HKCU\\Software\\Classes\\Local Settings\\MuiCache",  # NT >= 6.0
+        "HKCU\\Software\\Microsoft\\Windows\\ShellNoRoam\\MUICache",  # NT < 6.0
+    ]
+
+    FIELD_NAMES = ("FriendlyAppName", "ApplicationCompany")
+
+    def check_compatible(self) -> bool:
+        return len(list(self.target.registry.keys(self.KEYS)))
+
+    @export(record=MuiCacheRecord)
+    def muicache(self) -> MuiCacheRecord:
+        """Iterate various MUIcache key locations.
+
+        The MUIcache registry key stores information about executed GUI-based programs. The key is part of
+        the Multilingual User Interface service in Windows. MUIcache references the file description contained within
+        the executable's resource section and populates that value.
+
+        Sources:
+            - https://www.magnetforensics.com/blog/forensic-analysis-of-muicache-files-in-windows/
+            - https://forensafe.com/blogs/muicache.html
+
+        Yields MuiCacheRecords with fields:
+            hostname (string): The target hostname.
+            domain (string): The target domain.
+            index (varint): The index of the entry.
+            name (string): The value name.
+            value (string): The value.
+            path (path): The executable path.
+        """
+        for reg_path in self.KEYS:
+            for key in self.target.registry.keys(reg_path):
+                if len(key.subkeys()):
+                    for subkey in key.subkeys():
+                        for item in subkey.subkeys():
+                            yield from self._get_records(item)
+                else:
+                    yield from self._get_records(key)
+
+    def _get_records(self, key: RegistryKey) -> Generator[MuiCacheRecord, None, None]:
+        for index, entry in enumerate(key.values()):
+            user = self.target.registry.get_user(key)
+            try:
+                if entry.name.endswith(self.FIELD_NAMES):
+                    entry_path, name = entry.name.rsplit(".", 1)
+                else:
+                    name = None
+                    entry_path = entry.name.rsplit(",-", 1)[0]
+
+                # Filter on the type of the registry value
+                if isinstance(entry.value, bytes):
+                    continue
+
+                yield MuiCacheRecord(
+                    index=index,
+                    name=name,
+                    value=entry.value,
+                    path=path.from_windows(entry_path),
+                    _target=self.target,
+                    _key=key,
+                    _user=user,
+                )
+            except ValueError:
+                continue
+            except Exception:
+                self.target.log.exception("Exception while parsing muicache")
+                continue
diff --git a/tests/test_plugins_os_windows_regf_muicache.py b/tests/test_plugins_os_windows_regf_muicache.py
@@ -0,0 +1,65 @@
+from dissect.target.helpers.regutil import VirtualKey, VirtualValue
+from dissect.target.plugins.os.windows.regf.muicache import MuiCachePlugin
+
+
+def test_muicache_plugin(target_win_users, hive_hku):
+    # NT >= 6.0
+    muicache_shell_key = VirtualKey(
+        hive_hku,
+        "Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\Shell\\MuiCache",
+    )
+    muicache_shell_key.add_value("LangID", VirtualValue(hive_hku, "LangID", b"\t\x04"))
+    muicache_shell_key.add_value(
+        "C:\\Windows\\System32\\fsquirt.exe.FriendlyAppName",
+        VirtualValue(hive_hku, "C:\\Windows\\System32\\fsquirt.exe.FriendlyAppName", "fsquir"),
+    )
+    muicache_shell_key.add_value(
+        "C:\\Windows\\System32\\fsquirt.test.exe.ApplicationCompany",
+        VirtualValue(hive_hku, "C:\\Windows\\System32\\fsquirt.test.exe.ApplicationCompany", "fsquir"),
+    )
+
+    # NT >= 6.0 (subkey)
+    muicache_key = VirtualKey(
+        hive_hku,
+        "Software\\Classes\\Local Settings\\MuiCache\\35\\52C64B7E",
+    )
+    muicache_key.add_value(
+        "@C:\\Windows\\system32\\wsecedit.dll,-718",
+        VirtualValue(hive_hku, "@C:\\Windows\\system32\\wsecedit.dll,-718", "Local Security Policy"),
+    )
+
+    # NT < 6.0
+    muicache_shellnoroam_key = VirtualKey(
+        hive_hku,
+        "Software\\Microsoft\\Windows\\ShellNoRoam\\MUICache",
+    )
+    muicache_shellnoroam_key.add_value(
+        "@C:\\WINDOWS\\inf\\unregmp2.exe,-4",
+        VirtualValue(hive_hku, "@C:\\WINDOWS\\inf\\unregmp2.exe,-4", "Windows Media Player"),
+    )
+
+    hive_hku.map_key(muicache_shell_key.path, muicache_shell_key)
+    hive_hku.map_key(muicache_key.path, muicache_key)
+    hive_hku.map_key(muicache_shellnoroam_key.path, muicache_shellnoroam_key)
+
+    target_win_users.add_plugin(MuiCachePlugin)
+
+    results = list(target_win_users.muicache())
+
+    assert len(results) == 4
+    assert results[0].index == 1
+    assert results[0].name == "FriendlyAppName"
+    assert results[0].value == "fsquir"
+    assert str(results[0].path) == "C:\\Windows\\System32\\fsquirt.exe"
+    assert results[1].index == 2
+    assert results[1].name == "ApplicationCompany"
+    assert results[1].value == "fsquir"
+    assert str(results[1].path) == "C:\\Windows\\System32\\fsquirt.test.exe"
+    assert results[2].index == 0
+    assert results[2].name is None
+    assert results[2].value == "Local Security Policy"
+    assert str(results[2].path) == "@C:\\Windows\\system32\\wsecedit.dll"
+    assert results[3].index == 0
+    assert results[3].name is None
+    assert results[3].value == "Windows Media Player"
+    assert str(results[3].path) == "@C:\\WINDOWS\\inf\\unregmp2.exe"
