My You Look SuperFetching
Jesse Kornblum, DC3
Source: jessekornblum.com/presentations/dodcc08-2.pdf (23 slides)

Posted May 11, 2018

Transcript
Slide 1: My You Look SuperFetching

DC3

Slide 2: Overview

- Prefetch
- SuperFetch
- Decompression
- Analysis

Slide 3: Prefetch

- Introduced in Windows XP
- Designed for faster application start
- Profile for each application
  - List of DLLs used
  - Run count
  - Time stamps
- Prefetch files stored in %SystemRoot%\Prefetch
  - .pf extension
  - Up to 128 are kept

Slide 4: Prefetch Data

- Time stamps
  - Create time of the file: when the application was first run
  - Modified time of the file: when the application was last run
- Filename is the executable name plus a hash of its path
  - Can tell if the same app was run from multiple locations

Slide 5: Prefetch Data

- Header size value at offset 0x54
  - 0x98: Windows XP or 2003
  - 0xf0: Windows Vista
- Windows XP
  - 0x78: Time stamp
  - 0x90: Run count
- Windows Vista
  - 0x80: Time stamp
  - 0x98: Run count

Slide 6: Prefetch Example (screenshot only)

Slide 7: Prefetch Example (screenshot only)

Slide 8: Prefetch Tools

- Windows File Analyzer by MiTeC
  - Beautiful GUI
  - http://www.mitec.cz/wfa.html
- File Carvers
  - Header: 0x11 0 0 0 S C C A
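An added example, not code from the slides: a Python parser for the Prefetch header fields named on slides 5 and 8. It checks the SCCA signature at offset 4, uses the header size at 0x54 to pick the XP or Vista layout, and reads the FILETIME and run count at the per-version offsets. The sample buffers are constructed here (not real .pf files) and only carry the fields the parser reads; the 0x11 prefix byte is taken from the carver header on slide 8.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Layouts from the slides, keyed by the header size value at offset 0x54:
# (OS family, time stamp offset, run count offset).
PF_LAYOUTS = {
    0x98: ("Windows XP / 2003", 0x78, 0x90),
    0xF0: ("Windows Vista", 0x80, 0x98),
}

def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Inverse conversion in integer arithmetic (a float would drop ticks)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def parse_prefetch_header(data):
    """Return OS family, last run time and run count from a .pf header."""
    if len(data) < 0x58 or data[4:8] != b"SCCA":
        raise ValueError("no SCCA signature at offset 4: not a Prefetch file")
    header_size = struct.unpack_from("<I", data, 0x54)[0]
    if header_size not in PF_LAYOUTS:
        raise ValueError(f"unknown header size 0x{header_size:x} at offset 0x54")
    os_name, ts_off, rc_off = PF_LAYOUTS[header_size]
    if len(data) < rc_off + 4:
        raise ValueError("file ends before the run count field")
    last_run = struct.unpack_from("<Q", data, ts_off)[0]
    run_count = struct.unpack_from("<I", data, rc_off)[0]
    return {"os": os_name, "header_size": header_size,
            "last_run": filetime_to_datetime(last_run), "run_count": run_count}

def build_sample(header_size, last_run, run_count):
    """Constructed input (not a real .pf): only the fields parsed above are set."""
    _, ts_off, rc_off = PF_LAYOUTS[header_size]
    buf = bytearray(0x100)
    buf[0:8] = b"\x11\x00\x00\x00SCCA"   # carver header from slide 8
    struct.pack_into("<I", buf, 0x54, header_size)
    struct.pack_into("<Q", buf, ts_off, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, rc_off, run_count)
    return bytes(buf)

SAMPLE_XP = build_sample(0x98, datetime(2007, 6, 1, 12, 30, tzinfo=timezone.utc), 7)
SAMPLE_VISTA = build_sample(0xF0, datetime(2008, 1, 15, 8, 0, tzinfo=timezone.utc), 42)
```

The file-system create and modified times that slide 4 mentions are not in the header; read them from the file's metadata alongside this.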

Slide 9: SuperFetch (for forensics)

Slide 10: SuperFetch

- Improving the User Experience (UX)
- "Windows SuperFetch enables programs and files to load much faster than they would on Windows XP-based PCs. ... SuperFetch monitors which applications you use the most and preloads these into your system memory so they'll be ready when you need them."

Source: Microsoft Corporation, http://www.microsoft.com/windows/products/windowsvista/features/details/superfetch.mspx

UX Guide: http://msdn2.microsoft.com/en-us/library/aa511258.aspx

Slide 11: SuperFetch

- Load programs, DLLs, and files into RAM just before they are needed
  - Based on work by Dr. Eric Horvitz of MSFT Research
- Still uses Prefetch
- Service sysmain.dll, part of svchost
- Enabled by default
- Can be turned off
  - From Services Control Panel
  - C:\> net stop sysmain
- Works with ReadyBoost

Slide 12: SuperFetch Debugging Code

- Some debugging code in Vista RTM
- Writes out MemoryAnalysis.csv
  - Produced by some unknown event
- Includes details on Markov Chains, et al.
- Forensic value unknown

Slide 13: SuperFetch Data

- Data on these usage patterns are called scenarios
- Stored in databases
  - Except not really databases
  - Same directory as Prefetch files
- Most files have Ag prefix and .db extension
- Product Team led by Matt Ayers

Slide 14: MEMO Files

- File Header
  - "MEMO"
  - 32-bit decompressed size of whole file
- Compressed data begins at offset eight
- Each block begins with 0xByyy where yyy is the size of the compressed data in that block

Slide 15: LZNT1

- Uses known but officially undocumented LZNT1
  - RtlDecompressBuffer in ntdll.dll
  - "Reserved for System Use"
    - http://msdn2.microsoft.com/en-us/library/ms796897.aspx
- Prototype available from
  - Undocumented Windows NT
    - http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/Compression/RtlDecompressBuffer.html
  - Win32 API from MinGW project
    - http://www.mingw.org/MinGWiki/index.php/w32api

Slide 16: RtlDecompressBuffer

    NTSYSAPI
    NTSTATUS
    NTAPI RtlDecompressBuffer(
        IN ULONG CompressionFormat,
        OUT PVOID DestinationBuffer,
        IN ULONG DestinationBufferLength,
        IN PVOID SourceBuffer,
        IN ULONG SourceBufferLength,
        OUT PULONG pDestinationSize);

Slide 17: RtlDecompressBuffer

    RtlDecompressBuffer(
        COMPRESSION_FORMAT_LZNT1,
        destination,
        destination_len,
        source,
        source_len,
        &output_len);

Slide 18: Compressed Data

Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00000000 4D 45 4D 4F 44 6A 0D 00 B9 B8 00 0E 00 00 00 44
00000010 6A 0D 00 AA F0 00 70 0B 00 30 38 00 18 24 00 18
00000020 BA 3C 00 18 10 0C 18 00 38 02 08 02 00 14 42 65
00000030 00 10 AF C5 00 00 01 AC 64 50 AC 00 00 0C 00 26
00000040 14 00 06 01 C1 04 06 3C 3C 0A 0A 02 01 50 00 1E
00000050 C0 3E C6 00 00 50 C3 03 06 00 1C 01 02 66 A0 00
00000060 AD 22 64 71 C7 00 01 A0 33 29 7E 27 76 C7 00 01
00000070 50 1C 97 A1 7A 7B C7 40 01 30 B5 FD 1C 8E 00 07
00000080 40 00 98 7E BD E6 81 C7 01 10 20 03 F0 46 9E 85
00000090 00 07 A8 D9 04 1E C9 00 07 E0 44 72 22 D9 01 01
000000A0 0F D5 A8 40 5F 86 C7 01 20 B0 9E 5A 9F 8F 00 07
000000B0 80 A3 10 F9 76 25 87 00 3F 82 A8 9B 42 4A 01 07
000000C0 02 93 25 60 00 07 A0 00 99 30 49 D2 88 C7 01 E0
000000D0 00 1E ED 61 21 8B C7 01 E8 00 75 CA 02 9C ED 23
000000E0 02 61 01 01 9B 80 00 00 D0 93 67 04 01 81 49 3C
000000F0 A4 B0 D3 F4 5A C7 10 01 F6 B1 D7 01 63 00 50 0B
00000100 10 41 02 17 00 80 66 C4 84 70 01 81 0F 5C 00 44

Callouts on the slide:
- Uncompressed size (the 32-bit value at offset 4, after "MEMO")
- Start of compressed data (offset 8; always begins with 0xByyy)

Slide 19: Uncompressed Data

Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00000000 0E 00 00 00 44 6A 0D 00 F0 00 00 00 0B 00 00 00
00000010 38 00 00 00 24 00 00 00 3C 00 00 00 10 00 00 00
00000020 10 00 00 00 10 00 00 00 10 00 00 00 00 00 00 00
00000030 00 00 00 00 02 00 00 00 65 02 00 00 AF C5 00 00
00000040 24 00 00 00 64 AC 00 00 0C 00 00 00 14 00 00 00
00000050 01 00 00 00 01 00 00 00 3C 3C 0A 0A 02 02 00 00
00000060 00 00 00 00 3E C6 00 00 50 C3 00 00 50 C3 00 00
00000070 00 00 00 00 24 00 00 00 A0 00 AD 22 64 71 C7 01
00000080 A0 33 29 7E 27 76 C7 01 50 1C 97 A1 7A 7B C7 01
00000090 30 B5 FD 1C 8E 7B C7 01 40 98 7E BD E6 81 C7 01
000000A0 10 03 F0 46 9E 85 C7 01 10 A8 D9 1E C9 85 C7 01
000000B0 E0 44 72 22 D9 85 C7 01 10 D5 A8 40 5F 86 C7 01
000000C0 B0 9E 5A 9F 8F 86 C7 01 80 A3 F9 76 25 87 C7 01
000000D0 30 82 A8 9B 4A 87 C7 01 30 02 93 25 60 87 C7 01
000000E0 A0 99 30 49 D2 88 C7 01 E0 1E ED 61 21 8B C7 01
000000F0 E8 75 CA 02 9C ED 23 02 61 02 00 00 00 80 00 00
00000100 D0 93 67 04 00 00 00 00 3C A4 B0 D3 F4 5A C7 01

Callout on the slide: Timestamps! (the run of 64-bit values ending in C7 01 from offset 0x78 on)
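An added example, not code from the slides, covering slides 14 through 19: a pure-Python LZNT1 decoder for MEMO files, used here instead of the RtlDecompressBuffer call on slides 16 and 17 so it runs off Windows. One detail beyond the slide's wording: in the 0xByyy block header the low 12 bits hold the block length minus one and bit 15 marks the block as compressed. The sample is constructed from the slide's own first 19 compressed bytes, re-headed as a complete 22-byte block, because the slide's real 0xB8B9 block (2234 bytes) is not shown in full.

```python
import struct

def lznt1_decompress(data):
    """Pure-Python LZNT1 decoder (re-implementation, not RtlDecompressBuffer)."""
    out, pos = bytearray(), 0
    while pos + 2 <= len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if header == 0:                    # zero header: end of stream
            break
        if (header >> 12) & 0x7 != 3:      # the 'B' nibble: compressed bit + signature 011
            raise ValueError(f"bad block header 0x{header:04x}")
        chunk_len = (header & 0xFFF) + 1   # low 12 bits hold the block length minus one
        chunk, pos = data[pos:pos + chunk_len], pos + chunk_len
        if not header & 0x8000:            # stored block, copied verbatim
            out += chunk
            continue
        base, i = len(out), 0              # copy tokens never reach before the block
        while i < len(chunk):
            flags, i = chunk[i], i + 1     # one flag bit per token, LSB first
            for bit in range(8):
                if i >= len(chunk):
                    break
                if not flags & (1 << bit): # literal byte
                    out.append(chunk[i])
                    i += 1
                    continue
                if i + 1 >= len(chunk):
                    raise ValueError("truncated copy token")
                token, i = chunk[i] | chunk[i + 1] << 8, i + 2
                # Distance/length bit split shifts as the block's output grows.
                written, shift, p = len(out) - base, 0, len(out) - base - 1
                while p >= 0x10:
                    p, shift = p >> 1, shift + 1
                distance = (token >> (12 - shift)) + 1
                length = (token & (0xFFF >> shift)) + 3
                if distance > written:
                    raise ValueError("copy token points before block start")
                for _ in range(length):    # byte-wise so overlapping copies work
                    out.append(out[-distance])
    return bytes(out)

def parse_memo(blob):
    """Check the MEMO header; return (declared uncompressed size, decoded data)."""
    if len(blob) < 8 or blob[:4] != b"MEMO":
        raise ValueError("missing MEMO signature")
    return struct.unpack_from("<I", blob, 4)[0], lznt1_decompress(blob[8:])

# Constructed sample: MEMO header (declared size 24), then slide 18's first 19
# compressed bytes re-headed as one complete 22-byte block (header 0xB015).
SAMPLE_MEMO = bytes.fromhex(
    "4D454D4F 18000000 15B0 00 0E000000446A0D00 AA F0 0070 0B 0030 38 0018 24 0018")
```

Comparing the decoded size against the declared size is the quick sanity check on a real file; the first 24 decoded bytes of the sample match slide 19.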

Slide 20: TRX Files

- Not compressed
- Appear to contain a series of records
- File header

  Offset  Value
  0       1 (Version Number?)
  4       unknown
  8       File Size
  0xc     Record Count
  0x10    Record Count
  0x14    Offset of first record

Slide 21: TRX Records

- Contain signature
  - 0x2d 0 9 0 ASCC
- At offset 0x8, size of the record
- At offset 0x4c, number of names in the record
- Names of
  - Programs
  - DLLs
  - Documents used in first few seconds
- Some names are in sequential order
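An added example, not code from the slides: a Python walker for the TRX header on slide 20 and the records on slide 21. It assumes records follow one another back to back starting at the offset stored in the header, which the slides do not say outright, and it stops at each record's size and name-count fields because the slides do not describe how the names themselves are laid out. The sample blob is constructed here, not a real TRX file.

```python
import struct

# Record signature from slide 21: 0x2d 0 9 0 followed by "ASCC".
TRX_SIGNATURE = bytes([0x2D, 0x00, 0x09, 0x00]) + b"ASCC"
# Header DWORDs in file order, per the table on slide 20.
HEADER_FIELDS = ("version", "unknown", "file_size",
                 "record_count", "record_count_2", "first_record")

def parse_trx(blob):
    """Read the six header DWORDs, then walk records by their size field."""
    if len(blob) < 0x18:
        raise ValueError("too short for a TRX header")
    hdr = dict(zip(HEADER_FIELDS, struct.unpack_from("<6I", blob, 0)))
    if hdr["file_size"] != len(blob):
        raise ValueError(f"header claims {hdr['file_size']} bytes, got {len(blob)}")
    if hdr["record_count"] != hdr["record_count_2"]:
        raise ValueError("the two record count fields disagree")
    records, off = [], hdr["first_record"]
    for n in range(hdr["record_count"]):
        if off + 0x50 > len(blob):
            raise ValueError(f"record {n} at 0x{off:x} is truncated")
        if blob[off:off + 8] != TRX_SIGNATURE:
            raise ValueError(f"record {n} at 0x{off:x}: bad signature")
        size = struct.unpack_from("<I", blob, off + 8)[0]
        names = struct.unpack_from("<I", blob, off + 0x4C)[0]
        if size < 0x50 or off + size > len(blob):
            raise ValueError(f"record {n}: size 0x{size:x} does not fit the file")
        records.append({"offset": off, "size": size, "name_count": names})
        off += size            # assumption: records are packed back to back
    hdr["records"] = records
    return hdr

def build_sample():
    """Constructed TRX-like blob: a 0x18-byte header then two records."""
    body = b""
    for size, names in ((0x60, 3), (0x80, 5)):
        rec = bytearray(size)
        rec[0:8] = TRX_SIGNATURE
        struct.pack_into("<I", rec, 8, size)
        struct.pack_into("<I", rec, 0x4C, names)
        body += bytes(rec)
    header = struct.pack("<6I", 1, 0, 0x18 + len(body), 2, 2, 0x18)
    return header + body

SAMPLE_TRX = build_sample()
```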

Slide 22: This means something (screenshot only)

Slide 23: Contact

Jesse Kornblum
Research and Development Engineer
Tel (410) 981-1013
Email: [redacted]@dc3.mil
Department of Defense Cyber Crime Center