"Break the Hive, Seize the Evidence."
Shim-Breaker is a ruthless, structure-agnostic extractor for Windows ShimCache (AppCompatCache). It does not care about Registry Hive headers, bin structures, or cell indexes. It simply carves the raw binary to find what remains.
Standard forensic tools (like Zimmerman's AppCompatCacheParser or Volatility plugins) are excellent, but they are "civilized". They rely on a healthy Registry Hive structure (hbin, cells, indexes).
But in the real world of Incident Response:
- Hives get corrupted. (BSOD, power failure, anti-forensics)
- Headers get wiped.
- You only have a raw memory dump or a carved chunk of disk.
When the structure is broken, civilized tools fail. That's when you need a Breaker.
Shim-Breaker ignores the file system logic completely.
- **Brute-Force Scanning**: It hunts for the `10ts` (`0x73743031` as a little-endian uint32) signature that begins each Windows 10/11 ShimCache entry header, directly within the raw binary stream.
- **Heuristic Parsing**: Once a signature is found, it blindly attempts to parse the following bytes as a variable-length entry, applying strict validation logic to separate valid file paths from garbage data.
- **Physical Extraction**: It pulls out the File Path, Modified Timestamp ($Standard_Info), and Execution Flags.
It acts as a "Last Resort" weapon when all other parsers return 0 entries.
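The scan-then-validate loop described above, as an added illustration; this is not Shim-Breaker's own code and `shim_breaker.py` may differ. It assumes the Windows 10/11 entry layout (`10ts`, 4 unknown bytes, uint32 entry size, uint16 path length, UTF-16LE path, FILETIME, uint32 data size, data with the insert flags first), which is an assumption rather than something the README states. The sample buffer is constructed for the example and deliberately includes a stray `10ts` inside unrelated bytes so the validation step has something to reject.

```python
"""Structure-agnostic carver for Windows 10/11 ShimCache entries (added example, not the project's code)."""
import csv
import io
import struct
from datetime import datetime, timedelta, timezone

SIGNATURE = b"10ts"  # reads as little-endian uint32 0x73743031
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME (100-ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, integer math only so it round-trips exactly."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def looks_like_path(path):
    """Heuristic filter: drive-letter, UNC / \\?\ or SYSVOL paths made of printable text."""
    if len(path) < 4 or not path.isprintable():
        return False
    return path[1:3] == ":\\" or path.startswith("\\\\") or path.startswith("SYSVOL\\")


def parse_entry(buf, off):
    """Try to parse one entry at buf[off]; return (entry dict, offset after it) or None.

    Assumed layout: '10ts' | uint32 unknown | uint32 entry_size | uint16 path_len |
    path (UTF-16LE) | uint64 FILETIME | uint32 data_size | data (insert flags first).
    entry_size counts the bytes that follow the entry_size field.
    """
    if buf[off:off + 4] != SIGNATURE or off + 14 > len(buf):
        return None
    entry_size, path_len = struct.unpack_from("<IH", buf, off + 8)
    end = off + 12 + entry_size
    if path_len % 2 or end > len(buf) or entry_size < path_len + 14:
        return None
    try:
        path = buf[off + 14:off + 14 + path_len].decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    if not looks_like_path(path):
        return None
    pos = off + 14 + path_len
    filetime, data_size = struct.unpack_from("<QI", buf, pos)
    if data_size != entry_size - path_len - 14:  # the two size fields must agree exactly
        return None
    try:
        modified = filetime_to_datetime(filetime)
    except OverflowError:
        return None
    if filetime and not 1980 <= modified.year <= 2100:  # zero timestamps are tolerated
        return None
    data = buf[pos + 12:pos + 12 + data_size]
    flags = struct.unpack_from("<I", data)[0] if data_size >= 4 else 0
    return {"offset": off, "size": end - off, "modified": modified, "path": path, "flags": flags}, end


def carve(buf):
    """Linear brute-force scan: every '10ts' hit is a candidate, kept only if it parses cleanly."""
    entries = []
    off = buf.find(SIGNATURE)
    while off != -1:
        parsed = parse_entry(buf, off)
        if parsed is None:
            off = buf.find(SIGNATURE, off + 1)  # false hit: step one byte past it
        else:
            entry, off = parsed
            entries.append(entry)
            off = buf.find(SIGNATURE, off)  # resume right after the valid entry
    return entries


def to_csv(entries):
    """Render entries in the README's CSV layout, plus the raw insert flags."""
    out = io.StringIO()
    w = csv.writer(out, lineterminator="\n")
    w.writerow(["Offset", "Size", "ModifiedTime (UTC)", "Path", "Flags"])
    for e in entries:
        w.writerow([f"0x{e['offset']:06X}", e["size"], e["modified"].strftime("%Y-%m-%d %H:%M:%S"),
                    e["path"], f"0x{e['flags']:X}"])
    return out.getvalue()


def build_entry(path, modified, flags):
    """Constructed test data: emit one entry in the layout parse_entry expects."""
    raw = path.encode("utf-16-le")
    data = struct.pack("<I", flags) + b"\x00" * 4
    body = struct.pack("<H", len(raw)) + raw + struct.pack("<QI", datetime_to_filetime(modified), len(data)) + data
    return SIGNATURE + b"\x00" * 4 + struct.pack("<I", len(body)) + body


# Constructed "hive fragment": a stray signature in unrelated bytes, two real entries, slack space.
SAMPLE = (
    b"\x00" * 16 + b"junk 10ts junk"
    + build_entry("C:\\Windows\\System32\\cmd.exe", datetime(2024, 11, 20, 12, 34, 56, tzinfo=timezone.utc), 1)
    + b"\xff" * 7
    + build_entry("C:\\Users\\Admin\\Downloads\\evil.exe", datetime(2024, 11, 20, 12, 35, 10, tzinfo=timezone.utc), 0)
    + b"\x00" * 32
)

if __name__ == "__main__":
    print(to_csv(carve(SAMPLE)))
```

Feeding a real SYSTEM hive or memory dump is a matter of `carve(open(path, "rb").read())`; the size-field cross-check and the path/timestamp sanity filters are what keep random bytes that happen to contain `10ts` out of the CSV, which is the false-positive risk the Limitations section warns about.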
No complex dependencies. Just Python standard libraries.

```bash
# Basic usage against a SYSTEM hive file
python shim_breaker.py C:\Evidence\SYSTEM --output result.csv

# Run against a raw memory dump or unallocated space chunk
python shim_breaker.py D:\dumps\memory.dmp -o evidence.csv
```
### Arguments
* `filepath` : Path to the target file (SYSTEM hive, raw binary, memory dump, etc.)
* `-o`, `--output` : (Optional) Path to save the results in CSV format.
## 📝 Output Format (CSV)
| Offset | Size | ModifiedTime (UTC) | Path |
| :--- | :--- | :--- | :--- |
| 0x00A1B2 | 120 | 2024-11-20 12:34:56 | C:\Windows\System32\cmd.exe |
| 0x00A2C0 | 48 | 2024-11-20 12:35:10 | C:\Users\Admin\Downloads\evil.exe |
| ... | ... | ... | ... |
## ⚠️ Limitations & Warnings
* **Fragmentation**: Shim-Breaker reads the file linearly. If the ShimCache data is physically fragmented on the disk (non-contiguous clusters), the parsing stream will break, and subsequent entries might be lost.
* **False Positives**: Although it has validation logic, parsing raw binary data may occasionally misinterpret random bytes as valid entries. **Always correlate with Prefetch or UserAssist.**
## 📜 License
MIT License - Use it, fork it, break it.
---
*Created by a barbarian forensic analyst.*