Skip to content

Add Windows RDP bitmap cache plugin #1080

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 8 commits into from
Apr 7, 2025
Merged

Add Windows RDP bitmap cache plugin #1080

merged 8 commits into from
Apr 7, 2025

Conversation

@JSCU-CNI
Copy link
Contributor

@JSCU-CNI JSCU-CNI commented Mar 26, 2025

This PR adds functionality to recover bitmaps from the Windows RDP Bitmap Cache. We've based the plugin on bmc-tools. Unlike bmc-tools, this plugin does not support BMC files with a bits-per-pixel other than 32. Such files should be quite rare nowadays.

We did run into an existing problem: we cannot expose the parser easily so it can be run against separate .bin or .bmc files that do not reside in an already existing Target (as mentioned in issues such as #789).

See the grid export below for example output of the rdpcache.recover plugin function.
image

@Schamper
Copy link
Member

Schamper commented Apr 1, 2025

#1082 might allow this to work on individual files.

Schamper
Schamper requested changes Apr 1, 2025
View reviewed changes
Copy link
Member

@Schamper Schamper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very nice contribution!

@JSCU-CNI JSCU-CNI requested a review from Schamper April 7, 2025 11:58
Schamper
Schamper requested changes Apr 7, 2025
View reviewed changes
@JSCU-CNI JSCU-CNI requested a review from Schamper April 7, 2025 12:41
@Schamper Schamper requested a review from Copilot April 7, 2025 12:49
Copilot AI reviewed Apr 7, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot reviewed 2 out of 4 changed files in this pull request and generated 2 comments.

Files not reviewed (2)
  • tests/_data/plugins/os/windows/rdpcache/Cache0000.bin: Language not supported
  • tests/_data/plugins/os/windows/rdpcache/bcache24.bmc: Language not supported

@codecov
Copy link

codecov bot commented Apr 7, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 88.62559% with 24 lines in your changes missing coverage. Please review.

Project coverage is 79.37%. Comparing base (764c133) to head (7d58840).
Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
dissect/target/plugins/os/windows/rdpcache.py 88.62% 24 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #1080      +/-   ##
==========================================
+ Coverage   79.27%   79.37%   +0.09%     
==========================================
  Files         346      347       +1     
  Lines       30793    31004     +211     
==========================================
+ Hits        24411    24608     +197     
- Misses       6382     6396      +14
Flag Coverage Δ
unittests 79.37% <88.62%> (+0.09%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@Schamper Schamper merged commit 5aa44b6 into fox-it:main Apr 7, 2025
20 of 23 checks passed
@JSCU-CNI JSCU-CNI deleted the feature/rdp-cache-plugin branch April 7, 2025 15:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@Schamper Schamper Schamper approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@JSCU-CNI @Schamper