
Prefetch Internals note

1. Overview

Prefetch is an artifact that exists in Windows. It records program executions and the files read by the program during its first 10 seconds. Prefetch is one of the best-known artifacts, but its recording mechanism is quite complex, as described below. (This is a simplified version, not the whole thing.)

I reversed the kernel looking for something interesting in the data related to prefetch. However, I could not find any data usable for incident response.
Now that I understand the mechanisms involved in prefetch, I am leaving this blog post as a note on the following two points:
・Same executable but different prefetch conditions
・High-probability prefetch bypass

2. Same executable but different prefetch conditions

Generally, a prefetch file is created per executable file path. Internally this is handled as an NT kernel path such as the following; executions whose path hashes are the same are written to the same prefetch file.
\Device\HarddiskVolume2\Windows\System32\cmd.exe
However, there are a few exceptions. You will see a lot of svchost.exe prefetch files in the prefetch folder. For some files, such as svchost.exe, the prefetch file is created per command-line hash, not per NT file path hash. Such file names are hard-coded in ntoskrnl.exe as follows.
Simply speaking, dllhost.exe, mmc.exe, rundll32.exe, svchost.exe, and taskhost.exe are the exceptions. Additionally, executables whose names are substrings of the hard-coded string and end with ".exe" work the same way. For example, the file name "RUNDLL32.EXE,SVCHOST.EXE" will create a prefetch file per command line.

3. High-probability prefetch bypass

The prefetch dump data is recorded in kernel land and fetched from user land by NtQuerySystemInformation, as shown below. Once fetched by NtQuerySystemInformation, the prefetch dump data is unlinked and deleted. In other words, it is possible to call NtQuerySystemInformation earlier than the legitimate svchost.exe and take away the data that would have been written as a prefetch file.
So what permissions are needed to get the prefetch dump data via NtQuerySystemInformation? It is sufficient to hold SeProfileSingleProcessPrivilege. This privilege is held by the Administrators group and the SYSTEM account. (Administrators hold this privilege in a disabled state.)

So how often does this method win the race?
For the experiment, I created a program that creates three threads that continuously fetch the prefetch dump data via NtQuerySystemInformation.
#include <windows.h>

// Worker thread: repeatedly fetches the prefetch dump data via NtQuerySystemInformation.
DWORD WINAPI getPrefetch(LPVOID param)
{
    (void)param;
    // Code removed due to potential abuse
    return 0;
}

int main()
{
    // Start three workers that keep racing the legitimate svchost.exe for the dump data.
    for (int i = 0; i < 3; i++) {
        CreateThread(NULL, 0, getPrefetch, NULL, 0, NULL);
    }
    // Keep the process alive indefinitely so the workers keep running.
    Sleep(INFINITE);
    return 0;
}
A specific program was executed 100 times while this program was running, and no prefetch file was ever created. Theoretically this is not 100 percent, but it is a fairly reliable bypass.
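As an added example (not code from this post), the following Python models the mechanisms of sections 2 and 3 from the defender's side: prefetch_key applies the substring rule that decides whether a prefetch file is keyed on the command line or on the NT path, and missing_prefetch flags executables that appear in process-creation telemetry but have no NAME-HASH.pf in the Prefetch folder, which is the visible effect of the race above. The hard-coded name list is an assumption reconstructed from the names listed in section 2 (the exact string in ntoskrnl.exe is not quoted here), and the records, hash values and directory listing are constructed sample data.

```python
import re
from collections import defaultdict

# Exception list reconstructed from the names in section 2 (assumption: the exact
# string hard-coded in ntoskrnl.exe is not quoted on the page).
CMDLINE_KEYED = "DLLHOST.EXE,MMC.EXE,RUNDLL32.EXE,SVCHOST.EXE,TASKHOST.EXE"


def prefetch_key(nt_path, command_line):
    """Return ("cmdline", <cmdline>) when the image name is a substring of the
    hard-coded list and ends with .EXE, otherwise ("path", <NT path>)."""
    name = nt_path.rsplit("\\", 1)[-1].upper()
    if name.endswith(".EXE") and name in CMDLINE_KEYED:
        return ("cmdline", command_line)
    return ("path", nt_path.upper())


# Constructed process-creation records (image path, command line) and a
# constructed listing of C:\Windows\Prefetch taken after the trace window.
EXECUTIONS = [
    (r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    (r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    (r"C:\Windows\System32\svchost.exe", "svchost.exe -k LocalService"),
    (r"C:\Tools\suspicious.exe", "suspicious.exe"),
]
PREFETCH_LISTING = [
    "CMD.EXE-0BD30981.pf",       # constructed hash values
    "SVCHOST.EXE-1A2B3C4D.pf",
    "SVCHOST.EXE-5E6F7A8B.pf",
]


def missing_prefetch(executions, listing):
    """Return (image name, expected .pf count, observed .pf count) for every
    image that has fewer prefetch files than distinct prefetch keys."""
    observed = defaultdict(int)
    for entry in listing:
        m = re.fullmatch(r"(.+)-[0-9A-F]{8}\.pf", entry, re.I)
        if m:
            observed[m.group(1).upper()] += 1
    expected = defaultdict(set)   # image name -> distinct prefetch keys
    for path, cmdline in executions:
        name = path.rsplit("\\", 1)[-1].upper()
        expected[name].add(prefetch_key(path, cmdline))
    return [(name, len(keys), observed[name])
            for name, keys in expected.items() if observed[name] < len(keys)]


if __name__ == "__main__":
    for name, want, got in missing_prefetch(EXECUTIONS, PREFETCH_LISTING):
        print(f"{name}: expected {want} prefetch file(s), found {got}")
```

The listing must be taken after the 10-second trace window has closed, and prefetch must be enabled on the host, otherwise every execution is flagged.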
