11--------------------------------------------------------------------------------
22Submitters
33--------------------------------------------------------------------------------
4- Author(s): Fred House (Mandiant, a FireEye Company)
4+ Author(s): Fred House (Mandiant, a FireEye Company) - Twitter: @ 0xF2EDCA5A
55 Andrew Davis (Mandiant, a FireEye Company)
6- Claudiu Teodorescu (Mandiant, a FireEye Company)
6+ Claudiu Teodorescu (Mandiant, a FireEye Company) - Twitter: @ cteo13
77
88Date: 2015-09-29
99
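Review bot: the two added Twitter handles in the Author(s) lines carry a space after the "@" ("@ 0xF2EDCA5A", "@ cteo13"), which means they will not render or resolve as handles; unless the space is deliberate to avoid mention links, write them as "@0xF2EDCA5A" and "@cteo13".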
@@ -43,6 +43,15 @@ How to use
4343 | | | shim cache entry. Intended to facilitate |
4444 | | | additional forensic analysis of the memory |
4545 | | | image. |
46+ | | | |
47+ | -i | --ignore_win_apps | On Windows 10, the shim cache contains entries |
48+ | | | for Windows apps, which are in a format that is |
49+ | | | not parsed by this plugin. This option excludes |
50+ | | | these entries from the output. |
51+ | | | |
52+ | | --system_name | An optional system name to add as a column to |
53+ | | | the output. |
54+ | | | |
4655 ---------------------------------------------------------------------------
4756```
4857
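Review bot: the new `-i | --ignore_win_apps` row says Windows 10 Windows-app entries are "in a format that is not parsed by this plugin" and are excluded when the option is given, but it does not say how those entries appear without the option (raw, partially decoded, or flagged as unparsed); an analyst could otherwise mistake such rows for a parsing failure, so add one sentence describing the default behaviour. Also, `--system_name` is listed with no short form while the other options have one, which is fine if intentional but worth confirming for consistency in the "How to use" table.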
@@ -63,5 +72,5 @@ request a system reboot.
6372
6473This plugin parses the shim cache directly from the module or process containing
6574the cache, thereby providing analysts access to the most up-to-date cache. The
66- plugin supports Windows XP SP2 through Windows 2012 R2 on both 32 and 64
75+ plugin supports Windows XP SP2 through Windows 10 on both 32 and 64
6776bit architectures.
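Review bot: the updated range "Windows XP SP2 through Windows 10" should be qualified, since the help table added in this same commit states that Windows 10 shim cache entries for Windows apps are not parsed; a reader of this paragraph alone would assume full Windows 10 coverage. Consider "through Windows 10 (Windows app entries are not parsed; see --ignore_win_apps)", and say whether Windows 2012 R2, now dropped from the explicit range, remains supported.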