Skip to main content

Prefetch Internals note

1. Overview

Prefetch is artifact that exists in Windows. This artifact records program execution files read by that program in 10 seconds. Prefetch is one of the most well-known artifacts, but its recording mechanism is very complex as follows. (This is an simplified version, not the whole thing.)

I reversed the kernel to look for something interesting in the data related to prefetch. However, I could not find any incident response usable data.
Now that I understand the mechanisms involved in prefetch, I leave this blog as a note.
・Same executable but different prefetch conditions
・High probability bypass prefetch

2. Same executable but different prefetch conditions

Generally, prefetch is created for each executable file path. This is handled internally as the following NT kernel path. If the hashes of this path are the same, they are written to the same prefetch.
\Device\HarddiskVolume2\Windows\System32\cmd.exe
However, there are a few exceptions. You will see a lot of svchost.exe prefetch files in the prefetch folder. Some files, such as svchost.exe, prefetch is created per commandline hash, not NT file path hash. Such file name is hard-coded in ntoskrnl.exe as follows.
Simply speaking, dllhost.exe, mmc.exe, rundll32.exe, svchost.exe, and taskhost.exe are the exceptions. Additionally, executables that are substrings of the above string and terminate with ".exe" work the same way. For example, the file name "RUNDLLL32.EXE,SVCHOST.EXE" will create a prefetch per commandline.

3. High probability bypass prefetch

The prefetch dump data is recorded in kernelland and fetched from userland by NtQuerySystemInformation, as shown below. The prefetch dump data fetched by NtQuerySystemInformation is unlinked and deleted. In other words, it is possible to run NtQuerySystemInformation earlier than legitimate svchost.exe to take away data that would have been written as prefetch file.
So what permissions are needed to get prefetch dump data by NtQuerySystemInformation? It is sufficient to have the SeprofileSingleProcessPrivilege privilege. This is owned by the Administrators user and SYSTEM user.(Administrators user has this privilege with inactive status.)

So how many races can this method win?
For the experiment, I created the program that creates three threads that fetch prefetch dump data all the time by NtQuerySystemInformation. 
void getPrefetch() {
    // Code removed due to potential abuse
}

int main()
{
    for (int i = 0; i < 3; i++) {
        CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)getPrefetch, NULL, 0, NULL);
    }
    Sleep(100000000000);
}
A specific program was executed 100 times when this program was running. Then no prefetch file was ever created. Theoretically, this is not 100 percent, but it is a fairly reliable bypass.
Labels:

Comments

Post a Comment

Popular posts from this blog

.NET in JavaScript, Fake PDF Converter

1. Overview I found a site that distributes curious PDF converter. The executable file distributed at this site appears to be malicious and have several interesting features. ・ .NET Anti-Analysis ・ Execution of external JavaScript payload with WebView2 ・ .NET object manipulation from JavaScript code This post will mention these techniques. The execution flow of this executable is shown below. 2. .NET Anti-Analysis PdfConverters.exe analyzed in this article was created with .NET Core. .NET Core allows developer to embed runtime and libraries into a single executable file. This executable also contains a number of files, which are extracted at execution time into a folder under %TEMP%\PdfConverters. A good way to know the role of these files is to look at [AppName].deps.json. app.deps.json reveals that main functionality of this executable exists in app.dll. [app.deps.json] ... "app/1.0.0": { "dependencies": { "Microsoft.
Post a Comment
Read more

CommandLine rewriting and Reflective loading

1. Overview This article describes the following topics. ・Commandline rewriting technique ・Applying new command line to reflective loaded PE file's context My goal was to develop loader that load PE file from URL and launch PE file in memory with new commandline context. This is stealth since it leaves no final payload on filesystem. Since this is a topic that has been described exhaustively, this post does not describe downloading PE file and reflective load. This article does not show the full code to prevent abuse. 2. Commandline rewriting When this loader starts, loader's commandline is "loader.exe [c2url] [newcommand]". This loader needs to load the PE file into memory and patch memory so that [newcommand] is handled as the first argument. The commandline is included in RTL_USER_PROCESS_PARAMETERS structure, which is pointed to by ProcessParameters member of PEB structure. PEB is very important structure in the process. I believe it will work
Post a Comment
Read more

ShimCache (AppCompatCache) Internals

1. Overview ShimCache (AppCompatCache) is artifact that exists in Windows SYSTEM registry. This artifact records program execution but not execution time. Nevertheless, it is valuable artifact on Windows Server hosts where prefetch is not recorded by default or Windows hosts where prefetch has been removed. This article describes the following topics. ・Information in ShimCache (Forensics) ・Reverse engineering on ShimCache mechanism (Redteaming) 2. Information in ShimCache Shimcache is recorded under following subkey. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\AppCompatCache Shimcache data is binary format and composed of 52 byte header and multiple entries in Windows 10 (ver 2004). The format of the entry is as follows. Field Type Offset Description Signature DWORD 0x00 31 30 74 73 (10ts) CRC32 Hash DWORD 0x04 Entry Size DWORD 0x08 Path Size WORD 0x0C Path field's data length Path WString 0x0E PE file path Modified Time FILETIME NTFS $SI mo
Post a Comment
Read more