Difference between pages "Malware" and "Windows Prefetch File Format"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Exploit Kit)
 
(Format version)
 
Line 1: Line 1:
'''Malware''' is a short version of '''Malicious Software'''.
+
{{expand}}
  
Malware is software used for data theft, device damage, harassment, etc. It is very similar to computer malware. It installs things such as trojans, worms, and botnets to the affected device. It is illegal to knowingly distribute malware.
+
A Windows Prefetch file consists of one file header and multiple file sections with different content. Not all content has an obvious forensic value.
  
== Virus ==
+
As far as have been possible to ascertain, there is no public description of the format. The description below has been synthesised from examination
A computer program that can automatically copy itself and infect a computer.
+
of multiple prefetch files.
  
== Worm ==
+
== Characteristics ==
A self-replicating computer program that can automatically infect computers on a network.
+
Integer values are stored in little-endian.
  
== Trojan horse ==
+
Strings are stored as UTF-16 little-endian without a byte-order-mark (BOM).
A computer program which appears to perform a certain action, but actually performs many different forms of codes.
+
  
== Spyware ==
+
Timestamps are stored as Windows Filetime in UTC.
A computer program that can automatically intercept or take partial control over the user's interaction.
+
  
== Exploit Kit ==
+
== Header ==
A toolkit that automates the exploitation of client-side vulnerabilities, targeting browsers and programs that a website can invoke through the browser [http://blog.zeltser.com/post/1410922437/what-are-exploit-kits]. Often utilizing a drive-by-download.
+
  
=== Drive-by-download ===
+
This format has been observed on Windows XP, ...  will need to be modified for Vista/Win7 format
Any download that happens without a person's knowledge [http://en.wikipedia.org/wiki/Drive-by_download].
+
  
== See Also ==
+
{| class="wikitable"
 +
|-
 +
! Field
 +
! Offset
 +
! Length
 +
! Type
 +
! Notes
 +
|-
 +
| H1
 +
| 0x0000
 +
| 4
 +
| DWORD
 +
| Format version (see format version section below)
 +
|-
 +
| H2
 +
| 0x0004
 +
| 4
 +
| DWORD
 +
| Signature 'SCCA' (or in hexadecimal representation 0x53 0x43 0x43 0x4)
 +
|-
 +
| H3
 +
| 0x0008
 +
| 4
 +
| DWORD?
 +
| Unknown - Values observed: 0x0F - Windows XP, 0x11 - Windows 7, Windows 8.1
 +
|-
 +
| H4
 +
| 0x000C
 +
| 4
 +
| DWORD
 +
| Prefetch file length.
 +
|-
 +
| H5
 +
|0x0010
 +
| 60
 +
| USTR
 +
| Name of executable as Unicode string, truncated after 29 characters, if necessary, and terminated by an end-of-string character (U+0000). As it appears in the prefetch file file name.
 +
|-
 +
| H6
 +
|0x004C
 +
|4
 +
|DWORD
 +
|The prefetch hash, as it appears in the prefetch file name.
 +
|-
 +
| H7
 +
|0x0050
 +
|4
 +
|?
 +
| Unknown (flags)? Values observed: 0 for almost all prefetch files (XP); 1 for NTOSBOOT-B00DFAAD.pf (XP)
 +
|-
 +
|}
  
== External Links ==
+
The following part of the header is version dependent. Below the structure for format version 17.
* [http://en.wikipedia.org/wiki/Malware Wikipedia entry on malware]
+
* [http://en.wikipedia.org/wiki/Drive-by_download Wikipedia drive-by-download]
+
* [http://www.viruslist.com/ Viruslist.com]
+
* [http://code.google.com/p/androguard/wiki/DatabaseAndroidMalwares Androguard]: A list of recognized Android malware
+
  
=== Exploit Kit ===
+
{| class="wikitable"
* [http://blog.zeltser.com/post/1410922437/what-are-exploit-kits What Are Exploit Kits?], by [[Lenny Zeltser]], October 26, 2010
+
|-
* [http://nakedsecurity.sophos.com/2013/07/02/the-four-seasons-of-glazunov-digging-further-into-sibhost-and-flimkit/ The four seasons of Glazunov: digging further into Sibhost and Flimkit], by Fraser Howard, July 2, 2013
+
! Field
* [http://www.kahusecurity.com/2013/kore-exploit-kit/ Kore Exploit Kit], Kahu Security blog, July 18, 2013
+
! Offset
 +
! Length
 +
! Type
 +
! Notes
 +
|-
 +
| H8
 +
| 0x0054
 +
| 4
 +
| DWORD
 +
| Offset to section A
 +
|-
 +
| H9
 +
| 0x0058
 +
| 4
 +
| DWORD
 +
| ? Nr of entries in section A
 +
|-
 +
| H10
 +
| 0x005C
 +
| 4
 +
| DWORD
 +
| Offset to section B
 +
|-
 +
| H11
 +
| 0x0060
 +
| 4
 +
| DWORD
 +
| Nr of entries in section B
 +
|-
 +
| H12
 +
| 0x0064
 +
| 4
 +
| DWORD
 +
| Offset to section C
 +
|-
 +
| H13
 +
| 0x0068
 +
| 4
 +
| DWORD
 +
| Length of section C
 +
|-
 +
| H14
 +
| 0x006C
 +
| 4
 +
| DWORD
 +
| Offset to section D
 +
|-
 +
| H15
 +
| 0x0070
 +
| 4
 +
| DWORD
 +
| ? Probably the number of entries in the D section header
 +
|-
 +
| H16
 +
| 0x0074
 +
| 4
 +
| DWORD
 +
| Length of section D
 +
|-
 +
| H17
 +
| 0x0078
 +
| 8
 +
| FTIME
 +
| Latest execution time of executable (FILETIME)
 +
|-
 +
| H18
 +
| 0x0080
 +
| 16
 +
| ?
 +
| ? Possibly structured as 4 DWORD. Observed values: /0x00000000 0x00000000 0x00000000 0x00000000/, /0x47868c00 0x00000000 0x47860c00 0x00000000/
 +
|-
 +
| H19
 +
| 0x0090
 +
| 4
 +
| DWORD
 +
| Execution counter
 +
|-
 +
| H20
 +
| 0x0094
 +
| 4
 +
| DWORD?
 +
| ? Observed values: 1, 2, 3, 4, 5, 6 (XP)
 +
|-
 +
|}
  
[[Category:Malware]]
+
It's worth noting that the name of a carved prefetch file can be restored using the information in field H5 and H6, and its size can be determined by field H4.
 +
 
 +
=== Format version ===
 +
 
 +
{| class="wikitable"
 +
|-
 +
! Value
 +
! Windows version
 +
|-
 +
| 17 (0x11)
 +
| Windows XP, Windows 2003
 +
|-
 +
| 23 (0x17)
 +
| Windows Vista, Windows 7
 +
|-
 +
| 26 (0x1a)
 +
| Windows 8.1
 +
|-
 +
|}
 +
 
 +
== Section A ==
 +
This section contains an array with 20 byte (version 17) or 32 byte (version 23 and 26) entry records.
 +
 
 +
The actual format and usage of these entry records is currently not known.
 +
 
 +
== Section B ==
 +
This section contains an array with 12 byte (version 17, 23 and 26) entry records.
 +
 
 +
The actual format and usage of these entry records is currently not known.
 +
 
 +
== Section C ==
 +
This section contains an array of UTF-16 little-endian formatted strings with end-of-string characters (U+0000).
 +
 
 +
At the end of the section there seems to be alignment padding that can contain remnant values.
 +
 
 +
== Section D - Volume information (block) ==
 +
 
 +
Section D contains one or more subsections. The number is (most likely) determined by the DWORD at file offset 0x0070. Each subsection refers to directories on an identified volume.
 +
 
 +
In this section, all offsets are assumed to be counted from the start of the D section.
 +
 
 +
The following values are version dependent. Below the structure for format version 17.
 +
 
 +
{| class="wikitable"
 +
|-
 +
! Field
 +
! Offset
 +
! Length
 +
! Type
 +
! Notes
 +
|-
 +
| DH1
 +
| +0x0000
 +
| 4
 +
| DWORD
 +
| Offset to volume string (Unicode, terminated by U+0000)
 +
|-
 +
| DH2
 +
| +0x0004
 +
| 4
 +
| DWORD
 +
| Length of volume string (nr of characters, including terminating U+0000)
 +
|-
 +
| DH3
 +
| +0x0008
 +
| 8
 +
| FTIME
 +
| (File time)
 +
|-
 +
| DH4
 +
| +0x0010
 +
| 4
 +
| DWORD
 +
| Volume serial number of volume indicated by volume string
 +
|-
 +
| DH5
 +
| +0x0014
 +
| 4
 +
| DWORD
 +
| ? Offset to section DHS1
 +
|-
 +
| DH6
 +
| +0x0018
 +
| 4
 +
| DWORD
 +
| ? Length of section DHS1 (in bytes)
 +
|-
 +
| DH7
 +
| +0x001C
 +
| 4
 +
| DWORD
 +
| ? Offset to section DHS2
 +
|-
 +
| DH8
 +
| +0x0020
 +
| 4
 +
| DWORD
 +
| ? Nr of strings in section DHS2
 +
|-
 +
| ?
 +
| +0x0024
 +
| ?
 +
| ?
 +
| ? additional 28 bytes (includes one timestamp?)
 +
|}
 +
 
 +
If all the executables and libraries referenced in the C section are from one single disk volume, there will be only one section in the D section. If multiple volumes are referenced by section C, section D will contain multiple sections.  (A simple way to force this situation is to copy, say, NOTEPAD.EXE to a USB drive, and start it from that volume. The corresponding prefetch file will have one D header referring to, e.g. \DEVICE\HARDDISK1\DP(1)0-0+4 (the USB drive), and one to, e.g. \DEVICE\HARDDISKVOLUME1\ (where the .DLLs and other support files were found).
 +
 
 +
== See Also ==
 +
* [[Prefetch]]
 +
 
 +
== External Links ==

Revision as of 02:11, 21 October 2013

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

A Windows Prefetch file consists of one file header and multiple file sections with different content. Not all content has an obvious forensic value.

As far as have been possible to ascertain, there is no public description of the format. The description below has been synthesised from examination of multiple prefetch files.

Characteristics

Integer values are stored in little-endian.

Strings are stored as UTF-16 little-endian without a byte-order-mark (BOM).

Timestamps are stored as Windows Filetime in UTC.

Header

This format has been observed on Windows XP, ... will need to be modified for Vista/Win7 format

Field Offset Length Type Notes
H1 0x0000 4 DWORD Format version (see format version section below)
H2 0x0004 4 DWORD Signature 'SCCA' (or in hexadecimal representation 0x53 0x43 0x43 0x4)
H3 0x0008 4 DWORD? Unknown - Values observed: 0x0F - Windows XP, 0x11 - Windows 7, Windows 8.1
H4 0x000C 4 DWORD Prefetch file length.
H5 0x0010 60 USTR Name of executable as Unicode string, truncated after 29 characters, if necessary, and terminated by an end-of-string character (U+0000). As it appears in the prefetch file file name.
H6 0x004C 4 DWORD The prefetch hash, as it appears in the prefetch file name.
H7 0x0050 4 ? Unknown (flags)? Values observed: 0 for almost all prefetch files (XP); 1 for NTOSBOOT-B00DFAAD.pf (XP)

The following part of the header is version dependent. Below the structure for format version 17.

Field Offset Length Type Notes
H8 0x0054 4 DWORD Offset to section A
H9 0x0058 4 DWORD  ? Nr of entries in section A
H10 0x005C 4 DWORD Offset to section B
H11 0x0060 4 DWORD Nr of entries in section B
H12 0x0064 4 DWORD Offset to section C
H13 0x0068 4 DWORD Length of section C
H14 0x006C 4 DWORD Offset to section D
H15 0x0070 4 DWORD  ? Probably the number of entries in the D section header
H16 0x0074 4 DWORD Length of section D
H17 0x0078 8 FTIME Latest execution time of executable (FILETIME)
H18 0x0080 16  ?  ? Possibly structured as 4 DWORD. Observed values: /0x00000000 0x00000000 0x00000000 0x00000000/, /0x47868c00 0x00000000 0x47860c00 0x00000000/
H19 0x0090 4 DWORD Execution counter
H20 0x0094 4 DWORD?  ? Observed values: 1, 2, 3, 4, 5, 6 (XP)

It's worth noting that the name of a carved prefetch file can be restored using the information in field H5 and H6, and its size can be determined by field H4.

Format version

Value Windows version
17 (0x11) Windows XP, Windows 2003
23 (0x17) Windows Vista, Windows 7
26 (0x1a) Windows 8.1

Section A

This section contains an array with 20 byte (version 17) or 32 byte (version 23 and 26) entry records.

The actual format and usage of these entry records is currently not known.

Section B

This section contains an array with 12 byte (version 17, 23 and 26) entry records.

The actual format and usage of these entry records is currently not known.

Section C

This section contains an array of UTF-16 little-endian formatted strings with end-of-string characters (U+0000).

At the end of the section there seems to be alignment padding that can contain remnant values.

Section D - Volume information (block)

Section D contains one or more subsections. The number is (most likely) determined by the DWORD at file offset 0x0070. Each subsection refers to directories on an identified volume.

In this section, all offsets are assumed to be counted from the start of the D section.

The following values are version dependent. Below the structure for format version 17.

Field Offset Length Type Notes
DH1 +0x0000 4 DWORD Offset to volume string (Unicode, terminated by U+0000)
DH2 +0x0004 4 DWORD Length of volume string (nr of characters, including terminating U+0000)
DH3 +0x0008 8 FTIME (File time)
DH4 +0x0010 4 DWORD Volume serial number of volume indicated by volume string
DH5 +0x0014 4 DWORD  ? Offset to section DHS1
DH6 +0x0018 4 DWORD  ? Length of section DHS1 (in bytes)
DH7 +0x001C 4 DWORD  ? Offset to section DHS2
DH8 +0x0020 4 DWORD  ? Nr of strings in section DHS2
 ? +0x0024  ?  ?  ? additional 28 bytes (includes one timestamp?)

If all the executables and libraries referenced in the C section are from one single disk volume, there will be only one section in the D section. If multiple volumes are referenced by section C, section D will contain multiple sections. (A simple way to force this situation is to copy, say, NOTEPAD.EXE to a USB drive, and start it from that volume. The corresponding prefetch file will have one D header referring to, e.g. \DEVICE\HARDDISK1\DP(1)0-0+4 (the USB drive), and one to, e.g. \DEVICE\HARDDISKVOLUME1\ (where the .DLLs and other support files were found).

See Also

External Links