Difference between pages "Windows Prefetch File Format" and "Malware"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Section A - Metrics array)
 
(HackingTeam)
 
Line 1: Line 1:
{{expand}}
+
'''Malware''' is a short version of '''Malicious Software'''.
  
A Windows Prefetch file consists of one file header and multiple file sections with different content. Not all content has an obvious forensic value.
+
Malware is software used for data theft, device damage, harassment, etc. It is very similar to computer malware. It installs things such as trojans, worms, and botnets to the affected device. It is illegal to knowingly distribute malware.
  
As far as have been possible to ascertain, there is no public description of the format. The description below has been synthesised from examination
+
== Virus ==
of multiple prefetch files.
+
A computer program that can automatically copy itself and infect a computer.
  
== Characteristics ==
+
== Worm ==
{| class="wikitable"
+
A self-replicating computer program that can automatically infect computers on a network.
|-
+
| <b>Integers</b>
+
| stored in little-endian
+
|-
+
| <b>Strings</b>
+
| Stored as [http://en.wikipedia.org/wiki/UTF-16/UCS-2 UTF-16 little-endian] without a byte-order-mark (BOM).
+
|-
+
| <b>Timestamps</b>
+
| Stored as [http://msdn2.microsoft.com/en-us/library/ms724284.aspx Windows FILETIME] in UTC.
+
|-
+
|}
+
  
== File header ==
+
== Trojan horse ==
The file header is 84 bytes of size and consists of:
+
A computer program which appears to perform a certain action, but actually performs many different forms of codes.
{| class="wikitable"
+
|-
+
! Field
+
! Offset
+
! Length
+
! Type
+
! Notes
+
|-
+
| H1
+
| 0x0000
+
| 4
+
| DWORD
+
| Format version (see format version section below)
+
|-
+
| H2
+
| 0x0004
+
| 4
+
| DWORD
+
| Signature 'SCCA' (or in hexadecimal representation 0x53 0x43 0x43 0x4)
+
|-
+
| H3
+
| 0x0008
+
| 4
+
| DWORD?
+
| Unknown - Values observed: 0x0F - Windows XP, 0x11 - Windows 7, Windows 8.1
+
|-
+
| H4
+
| 0x000C
+
| 4
+
| DWORD
+
| Prefetch file size (or length) (sometimes referred to as End of File (EOF)).
+
|-
+
| H5
+
|0x0010
+
| 60
+
| USTR
+
| The name of the (original) executable as a Unicode (UTF-16 litte-endian string), up to 29 characters and terminated by an end-of-string character (U+0000). This name should correspond with the one in the prefetch file filename.
+
|-
+
| H6
+
|0x004C
+
|4
+
|DWORD
+
|The prefetch hash. This hash value should correspond with the one in the prefetch file filename.
+
|-
+
| H7
+
|0x0050
+
|4
+
|?
+
| Unknown (flags)? Values observed: 0 for almost all prefetch files (XP); 1 for NTOSBOOT-B00DFAAD.pf (XP)
+
|-
+
|}
+
  
It's worth noting that the name of a carved prefetch file can be restored using the information in field H5 and H6, and its size can be determined by field H4.
+
== Spyware ==
 +
A computer program that can automatically intercept or take partial control over the user's interaction.
  
=== Format version ===
+
== Exploit Kit ==
 +
A toolkit that automates the exploitation of client-side vulnerabilities, targeting browsers and programs that a website can invoke through the browser [http://blog.zeltser.com/post/1410922437/what-are-exploit-kits]. Often utilizing a drive-by-download.
  
{| class="wikitable"
+
=== Drive-by-download ===
|-
+
Any download that happens without a person's knowledge [http://en.wikipedia.org/wiki/Drive-by_download].
! Value
+
! Windows version
+
|-
+
| 17 (0x11)
+
| Windows XP, Windows 2003
+
|-
+
| 23 (0x17)
+
| Windows Vista, Windows 7
+
|-
+
| 26 (0x1a)
+
| Windows 8.1 (note this could be Windows 8 as well but has not been confirmed)
+
|-
+
|}
+
  
=== File information ===
+
== Rootkit ==
The format of the file information is version dependent.
+
A rootkit is a stealthy type of software, typically malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to an operating system.
  
Note that some other format specifications consider the file information part of the file header.
+
== See Also ==
 +
* [[Malware analysis]]
  
==== File information - version 17 ====
+
== External Links ==
The file information – version 17 is 68 bytes of size and consists of:
+
* [http://en.wikipedia.org/wiki/Malware Wikipedia: malware]
{| class="wikitable"
+
* [http://en.wikipedia.org/wiki/Drive-by_download Wikipedia: drive-by-download]
|-
+
* [http://www.viruslist.com/ Viruslist.com]
! Field
+
* [http://code.google.com/p/androguard/wiki/DatabaseAndroidMalwares Androguard]: A list of recognized Android malware
! Offset
+
! Length
+
! Type
+
! Notes
+
|-
+
|
+
| 0x0054
+
| 4
+
| DWORD
+
| The offset to section A. The offset is relative from the start of the file.
+
|-
+
|
+
| 0x0058
+
| 4
+
| DWORD
+
| The number of entries in section A.
+
|-
+
|
+
| 0x005C
+
| 4
+
| DWORD
+
| The offset to section B. The offset is relative from the start of the file.
+
|-
+
|
+
| 0x0060
+
| 4
+
| DWORD
+
| The number of entries in section B.
+
|-
+
|
+
| 0x0064
+
| 4
+
| DWORD
+
| The offset to section C. The offset is relative from the start of the file.
+
|-
+
|
+
| 0x0068
+
| 4
+
| DWORD
+
| Length of section C.
+
|-
+
|
+
| 0x006C
+
| 4
+
| DWORD
+
| Offset to section D. The offset is relative from the start of the file.
+
|-
+
|
+
| 0x0070
+
| 4
+
| DWORD
+
| The number of entries in section D.
+
|-
+
|
+
| 0x0074
+
| 4
+
| DWORD
+
| Length of section D.
+
|-
+
|
+
| 0x0078
+
| 8
+
| FILETIME
+
| Latest execution time (or run time) of executable (FILETIME)
+
|-
+
|
+
| 0x0080
+
| 16
+
| ?
+
| Unknown ? Possibly structured as 4 DWORD. Observed values: /0x00000000 0x00000000 0x00000000 0x00000000/, /0x47868c00 0x00000000 0x47860c00 0x00000000/ (don't exclude the possibility here that this is remnant data)
+
|-
+
|
+
| 0x0090
+
| 4
+
| DWORD
+
| Execution counter (or run count)
+
|-
+
|
+
| 0x0094
+
| 4
+
| DWORD?
+
| Unknown ? Observed values: 1, 2, 3, 4, 5, 6 (XP)
+
|-
+
|}
+
  
==== File information - version 23 ====
+
=== Analysis ===
The file information – version 23 is 156 bytes of size and consists of:
+
* [http://sempersecurus.blogspot.ch/2013/12/a-forensic-overview-of-linux-perlbot.html A Forensic Overview of a Linux perlbot], by Andre M. DiMino, December 17, 2013
{| class="wikitable"
+
* [http://research.zscaler.com/2014/02/probing-into-flash-zero-day-exploit-cve.html Probing into the Flash Zero Day Exploit (CVE-2014-0502)], by Krishnan Subramanian, February 21, 2014
|-
+
* [http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf Operation Windigo], by Olivier Bilodeau, Pierre-Marc Bureau, Joan Calvet, Alexis Dorais-Joncas, Marc-Étienne M.Léveillé, Benjamin Vanheuverzwijn, March, 2014
! Field
+
* [http://blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx Security Advisory 2953095: recommendation to stay protected and for detections\, by Chengyun Chu, Elia Florio, March 24, 2014
! Offset
+
! Length
+
! Type
+
! Notes
+
|-
+
|
+
| 0x0054
+
| 4
+
| DWORD
+
| The offset to section A. The offset is relative from the start of the file.
+
|-
+
|
+
| 0x0058
+
| 4
+
| DWORD
+
| The number of entries in section A.
+
|-
+
|
+
| 0x005C
+
| 4
+
| DWORD
+
| The offset to section B. The offset is relative from the start of the file.
+
|-
+
|
+
| 0x0060
+
| 4
+
| DWORD
+
| The number of entries in section B.
+
|-
+
|
+
| 0x0064
+
| 4
+
| DWORD
+
| The offset to section C. The offset is relative from the start of the file.
+
|-
+
|
+
| 0x0068
+
| 4
+
| DWORD
+
| Length of section C.
+
|-
+
|
+
| 0x006C
+
| 4
+
| DWORD
+
| Offset to section D. The offset is relative from the start of the file.
+
|-
+
|
+
| 0x0070
+
| 4
+
| DWORD
+
| The number of entries in section D.
+
|-
+
|
+
| 0x0074
+
| 4
+
| DWORD
+
| Length of section D.
+
|-
+
|
+
| <b>0x0078</b>
+
| <b>8</b>
+
| <b>?</b>
+
| <b>Unknown</b>
+
|-
+
|
+
| 0x0080
+
| 8
+
| FILETIME
+
| Latest execution time (or run time) of executable (FILETIME)
+
|-
+
|
+
| 0x0088
+
| 16
+
| ?
+
| Unknown
+
|-
+
|
+
| 0x0098
+
| 4
+
| DWORD
+
| Execution counter (or run count)
+
|-
+
|
+
| 0x009C
+
| 4
+
| DWORD?
+
| Unknown
+
|-
+
|
+
| <b>0x00A0</b>
+
| <b>80</b>
+
| <b>?</b>
+
| <b>Unknown</b>
+
|-
+
|}
+
  
==== File information - version 26 ====
+
=== Exploit Kit ===
The file information – version 26 is 224 bytes of size and consists of:
+
* [http://blog.zeltser.com/post/1410922437/what-are-exploit-kits What Are Exploit Kits?], by [[Lenny Zeltser]], October 26, 2010
{| class="wikitable"
+
* [http://nakedsecurity.sophos.com/2013/07/02/the-four-seasons-of-glazunov-digging-further-into-sibhost-and-flimkit/ The four seasons of Glazunov: digging further into Sibhost and Flimkit], by Fraser Howard, July 2, 2013
|-
+
* [http://www.kahusecurity.com/2013/kore-exploit-kit/ Kore Exploit Kit], Kahu Security blog, July 18, 2013
! Field
+
! Offset
+
! Length
+
! Type
+
! Notes
+
|-
+
|
+
| 0x0054
+
| 4
+
| DWORD
+
| The offset to section A. The offset is relative from the start of the file.
+
|-
+
|
+
| 0x0058
+
| 4
+
| DWORD
+
| The number of entries in section A.
+
|-
+
|
+
| 0x005C
+
| 4
+
| DWORD
+
| The offset to section B. The offset is relative from the start of the file.
+
|-
+
|
+
| 0x0060
+
| 4
+
| DWORD
+
| The number of entries in section B.
+
|-
+
|
+
| 0x0064
+
| 4
+
| DWORD
+
| The offset to section C. The offset is relative from the start of the file.
+
|-
+
|
+
| 0x0068
+
| 4
+
| DWORD
+
| Length of section C.
+
|-
+
|
+
| 0x006C
+
| 4
+
| DWORD
+
| Offset to section D. The offset is relative from the start of the file.
+
|-
+
|
+
| 0x0070
+
| 4
+
| DWORD
+
| The number of entries in section D.
+
|-
+
|
+
| 0x0074
+
| 4
+
| DWORD
+
| Length of section D.
+
|-
+
|
+
| 0x0078
+
| 8
+
| ?
+
| Unknown
+
|-
+
|
+
| 0x0080
+
| 8
+
| FILETIME
+
| Latest execution time (or run time) of executable (FILETIME)
+
|-
+
|
+
| <b>0x0088</b>
+
| <b>7 x 8 = 56</b>
+
| <b>FILETIME</b>
+
| <b>Older (most recent) latest execution time (or run time) of executable (FILETIME)</b>
+
|-
+
|
+
| <b>0x00C0</b>
+
| <b>16</b>
+
| <b>?</b>
+
| <b>Unknown</b>
+
|-
+
|
+
| 0x00D0
+
| 4
+
| DWORD
+
| Execution counter (or run count)
+
|-
+
|
+
| <b>0x00D4</b>
+
| <b>4</b>
+
| <b>?</b>
+
| <b>Unknown</b>
+
|-
+
|
+
| <b>0x00D8</b>
+
| <b>4</b>
+
| <b>?</b>
+
| <b>Unknown</b>
+
|-
+
|
+
| <b>0x00DC</b>
+
| <b>88</b>
+
| <b>?</b>
+
| <b>Unknown</b>
+
|-
+
|}
+
  
== Section A - Metrics array ==
+
=== Rootkit ===
==== Metrics entry record - version 17 ====
+
* [http://en.wikipedia.org/wiki/Rootkit Wikipedia: Rootkit]
The metrics entry records – version 17 is 20 bytes in size and consists of:
+
* [http://articles.forensicfocus.com/2013/11/22/understanding-rootkits/ Understanding Rootkits: Using Memory Dump Analysis for Rootkit Detection], by Dmitry Korolev, Yuri Gubanov, Oleg Afonin, November 22, 2013
  
{| class="wikitable"
+
=== HackingTeam ===
|-
+
* [https://citizenlab.org/2014/06/backdoor-hacking-teams-tradecraft-android-implant/ Police Story: Hacking Team’s Government Surveillance Malware], by Morgan Marquis-Boire, John Scott-Railton, Claudio Guarnieri, and Katie Kleemola, June 24, 2014
! Field
+
* [http://www.securelist.com/en/blog/8231/HackingTeam_2_0_The_Story_Goes_Mobile HackingTeam 2.0: The Story Goes Mobile], Kaspersky Lab, June 24, 2014
! Offset
+
* [http://reverse.put.as/wp-content/uploads/2014/06/ShakaCon6-FuckYouHackingTeam.pdf Fuck you Hacking Team], by fG! at ShakaCon 2014, June 2014
! Length
+
! Type
+
! Notes
+
|-
+
|
+
| 0
+
| 4
+
| DWORD
+
| Start time in ms
+
|-
+
|
+
| 4
+
| 4
+
| DWORD
+
| Duration in ms
+
|-
+
|
+
| 8
+
| 4
+
| DWORD
+
| Filename string offset <br> The offset is relative to the start of the filename string section (section C)
+
|-
+
|
+
| 12
+
| 4
+
| DWORD
+
| Filename string number of characters without end-of-string character
+
|-
+
|
+
| 16
+
| 4
+
| DWORD
+
| Unknown, flags?
+
|}
+
  
==== Metrics entry record - version 23 ====
 
The metrics entry records – version 23 is 32 bytes in size and consists of:
 
 
{| class="wikitable"
 
|-
 
! Field
 
! Offset
 
! Length
 
! Type
 
! Notes
 
|-
 
|
 
| 0
 
| 4
 
| DWORD
 
| Start time in ms
 
|-
 
|
 
| 4
 
| 4
 
| DWORD
 
| Duration in ms
 
|-
 
|
 
| 8
 
| 4
 
| DWORD
 
| Average duration in ms?
 
|-
 
|
 
| 12
 
| 4
 
| DWORD
 
| Filename string offset <br> The offset is relative to the start of the filename string section (section C)
 
|-
 
|
 
| 16
 
| 4
 
| DWORD
 
| Filename string number of characters without end-of-string character
 
|-
 
|
 
| 20
 
| 4
 
| DWORD
 
| Unknown, flags?
 
|-
 
|
 
| 24
 
| 8
 
|
 
| NTFS file reference <br> 0 if not set.
 
|}
 
 
==== Metrics entry record - version 26 ====
 
The metrics entry record – version 26 appears to be similar to metrics entry record – version 23.
 
 
== Section B - Trace chains array ==
 
This section contains an array with 12 byte (version 17, 23 and 26) entry records.
 
 
{| class="wikitable"
 
|-
 
! Field
 
! Offset
 
! Length
 
! Type
 
! Notes
 
|-
 
|
 
| 0
 
| 4
 
|
 
| Next array entry index <br> Contains the next trace chain array entry index in the chain, where the first entry index starts with 0, or -1 (0xffffffff) for the end-of-chain.
 
|-
 
|
 
| 4
 
| 4
 
|
 
| Total block load count <br> Number of blocks loaded (or fetched) <br> The block size 512k (512 x 1024) bytes
 
|-
 
|
 
| 8
 
| 1
 
|
 
| Unknown
 
|-
 
|
 
| 9
 
| 1
 
|
 
| Sample duration in ms?
 
|-
 
|
 
| 10
 
| 2
 
|
 
| Unknown
 
|}
 
 
== Section C - Filename strings ==
 
This section contains filenames strings, it consists of an array of UTF-16 little-endian formatted strings with end-of-string characters (U+0000).
 
 
At the end of the section there seems to be alignment padding that can contain remnant values.
 
 
== Section D - Volumes information (block) ==
 
 
Section D contains one or more subsections, each subsection refers to directories on a volume.
 
 
If all the executables and libraries referenced in the C section are from one single disk volume, there will be only one section in the D section. If multiple volumes are referenced by section C, section D will contain multiple sections.  (A simple way to force this situation is to copy, say, NOTEPAD.EXE to a USB drive, and start it from that volume. The corresponding prefetch file will have one D header referring to, e.g. \DEVICE\HARDDISK1\DP(1)0-0+4 (the USB drive), and one to, e.g. \DEVICE\HARDDISKVOLUME1\ (where the .DLLs and other support files were found).
 
 
In this section, all offsets are assumed to be counted from the start of the D section.
 
 
=== Volume information ===
 
The structure of the volume information is version dependent.
 
 
==== Volume information - version 17 ====
 
The volume information – version 17 is 40 bytes in size and consists of:
 
 
{| class="wikitable"
 
|-
 
! Field
 
! Offset
 
! Length
 
! Type
 
! Notes
 
|-
 
| VI1
 
| +0x0000
 
| 4
 
| DWORD
 
| Offset to volume device path (Unicode, terminated by U+0000)
 
|-
 
| VI2
 
| +0x0004
 
| 4
 
| DWORD
 
| Length of volume device path (nr of characters, including terminating U+0000)
 
|-
 
| VI3
 
| +0x0008
 
| 8
 
| FILETIME
 
| Volume creation time.
 
|-
 
| VI4
 
| +0x0010
 
| 4
 
| DWORD
 
| Volume serial number of volume indicated by volume string
 
|-
 
| VI5
 
| +0x0014
 
| 4
 
| DWORD
 
| Offset to sub section E
 
|-
 
| VI6
 
| +0x0018
 
| 4
 
| DWORD
 
| Length of sub section E (in bytes)
 
|-
 
| VI7
 
| +0x001C
 
| 4
 
| DWORD
 
| Offset to sub section F
 
|-
 
| VI8
 
| +0x0020
 
| 4
 
| DWORD
 
| Number of strings in sub section F
 
|-
 
| VI9
 
| +0x0024
 
| 4
 
| ?
 
| Unknown
 
|-
 
|}
 
 
==== Volume information - version 23 ====
 
The volume information entry – version 23 is 104 bytes in size and consists of:
 
 
{| class="wikitable"
 
|-
 
! Field
 
! Offset
 
! Length
 
! Type
 
! Notes
 
|-
 
| VI1
 
| +0x0000
 
| 4
 
| DWORD
 
| Offset to volume device path (Unicode, terminated by U+0000)
 
|-
 
| VI2
 
| +0x0004
 
| 4
 
| DWORD
 
| Length of volume device path (nr of characters, including terminating U+0000)
 
|-
 
| VI3
 
| +0x0008
 
| 8
 
| FILETIME
 
| Volume creation time.
 
|-
 
| VI4
 
| +0x0010
 
| 4
 
| DWORD
 
| Volume serial number of volume indicated by volume string
 
|-
 
| VI5
 
| +0x0014
 
| 4
 
| DWORD
 
| Offset to sub section E
 
|-
 
| VI6
 
| +0x0018
 
| 4
 
| DWORD
 
| Length of sub section E (in bytes)
 
|-
 
| VI7
 
| +0x001C
 
| 4
 
| DWORD
 
| Offset to sub section F
 
|-
 
| VI8
 
| +0x0020
 
| 4
 
| DWORD
 
| Number of strings in sub section F
 
|-
 
| VI9
 
| +0x0024
 
| 4
 
| ?
 
| Unknown
 
|-
 
| <b>VI10</b>
 
| <b>+0x0028</b>
 
| <b>28</b>
 
| <b>?</b>
 
| <b>Unknown</b>
 
|-
 
| <b>VI11</b>
 
| <b>+0x0044</b>
 
| <b>4</b>
 
| <b>?</b>
 
| <b>Unknown</b>
 
|-
 
| <b>VI12</b>
 
| <b>+0x0048</b>
 
| <b>28</b>
 
| <b>?</b>
 
| <b>Unknown</b>
 
|-
 
| <b>VI13</b>
 
| <b>+0x0064</b>
 
| <b>4</b>
 
| <b>?</b>
 
| <b>Unknown</b>
 
|-
 
|}
 
 
==== Volume information - version 26 ====
 
The volume information entry – version 26 appears to be similar to volume information – version 23.
 
 
=== Sub section E - NTFS file references ===
 
This sub section can contain NTFS file references.
 
 
For more information see [https://googledrive.com/host/0B3fBvzttpiiSbl9XZGZzQ05hZkU/Windows%20Prefetch%20File%20(PF)%20format.pdf Windows Prefetch File (PF) format].
 
 
=== Sub section F - Directory strings ===
 
This sub sections contains directory strings. The number of strings is stored in the volume information.
 
 
A directory string is stored in the following structure:
 
{| class="wikitable"
 
|-
 
! Field
 
! Offset
 
! Length
 
! Type
 
! Notes
 
|-
 
|
 
| 0x0000
 
| 2
 
| DWORD
 
| Number of characters (WORDs) of the directory name. The value does not include the end-of-string character.
 
|-
 
|
 
| 0x0002
 
|
 
| USTR
 
| The directory name as a Unicode (UTF-16 litte-endian string) terminated by an end-of-string character (U+0000).
 
|-
 
|}
 
 
== See Also ==
 
* [[Prefetch]]
 
 
== External Links ==
 
* [https://googledrive.com/host/0B3fBvzttpiiSbl9XZGZzQ05hZkU/Windows%20Prefetch%20File%20(PF)%20format.pdf Windows Prefetch File (PF) format], by the [[libssca|libssca project]]
 
* [http://bitbucket.cassidiancybersecurity.com/prefetch-parser/wiki/Home Windows Prefetch file format], by the [http://bitbucket.cassidiancybersecurity.com/prefetch-parser prefetch-parser] project.
 
  
[[Category:File Formats]]
+
[[Category:Malware]]

Revision as of 02:12, 5 July 2014

Malware is a short version of Malicious Software.

Malware is software used for data theft, device damage, harassment, etc. It is very similar to computer malware. It installs things such as trojans, worms, and botnets to the affected device. It is illegal to knowingly distribute malware.

Virus

A computer program that can automatically copy itself and infect a computer.

Worm

A self-replicating computer program that can automatically infect computers on a network.

Trojan horse

A computer program which appears to perform a certain action, but actually performs many different forms of codes.

Spyware

A computer program that can automatically intercept or take partial control over the user's interaction.

Exploit Kit

A toolkit that automates the exploitation of client-side vulnerabilities, targeting browsers and programs that a website can invoke through the browser [1]. Often utilizing a drive-by-download.

Drive-by-download

Any download that happens without a person's knowledge [2].

Rootkit

A rootkit is a stealthy type of software, typically malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to an operating system.

See Also

External Links

Analysis

Exploit Kit

Rootkit

HackingTeam