Joachim Metz has documented the prefetch structure very well (in fact, he updated it this month). You can see his documentation here:
One of the things that grabbed my attention recently about the prefetch is that you can find file reference numbers in it, something that not many tools will show you. Needless to say, I think I have identified two of the unknown fields for the metrics array entries (v23) and want to continue doing more testing. (Offset table pictures come from Metz's paper.)
If you change Unknown1 (offset 24) to a size of 6 and Unknown2 (offset 28) to a size of 2, the fields accurately reflect a file record number and a file sequence number. That is to say, starting at offset 24 for a length of 8 bytes, the data reflects that of a file reference field.
I am not sure why they would be listed as empty values, so maybe it is a version thing; I need to look at more files.
Anyway, this example prefetch from the DC3 2009 Challenge seems to line up. I haven't tested on others yet, though. But I have found another prefetch that does not appear to have a volume information entry but does have metrics entries, so it could be helpful to have file references in the metrics and not just in the file reference array.
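To make the 6 + 2 split concrete, here is an added Python example (not the author's tool, and not code from Metz's documentation) that decodes the 8 bytes at offset 24 of a v23 metrics entry both ways: as the two 4-byte unknowns of the older table and as a 6-byte MFT entry index followed by a 2-byte sequence number. The sample bytes and the 32-byte entry are constructed for illustration, not taken from the CLEANMGR.EXE-FC33795B.pf sample; the layout of the first six fields (start time, duration, average duration, filename string offset, filename string number of characters, flags) is assumed from Metz's documentation. The all-zero case is handled separately so that an unset reference is not reported as MFT entry 0.

```python
import struct

# Constructed sample (not from the page's CLEANMGR.EXE-FC33795B.pf): an 8-byte
# little-endian NTFS file reference as it would sit at offset 24 of a v23
# metrics entry. MFT entry index 0x1234 (4660), sequence number 5.
SAMPLE_FILE_REFERENCE = bytes.fromhex("3412000000000500")

# Assumed v23 metrics entry layout (32 bytes), following Metz's documentation:
#   0  uint32 start time              12 uint32 filename string offset
#   4  uint32 duration                16 uint32 filename string number of characters
#   8  uint32 average duration        20 uint32 flags
#  24  8 bytes file reference (6-byte MFT entry index + 2-byte sequence number)
V23_METRICS_ENTRY_SIZE = 32

# Constructed 32-byte entry: the first six fields are placeholder values.
SAMPLE_METRICS_ENTRY = struct.pack("<6I", 0, 0, 0, 0x1C8, 20, 0x200) + SAMPLE_FILE_REFERENCE


def parse_file_reference(raw):
    """Split an 8-byte little-endian NTFS file reference into
    (mft_entry_index, sequence_number).

    Returns None when all eight bytes are zero: the comment thread notes the
    field is 0 / not set in many v23 samples, and a zero reference should not
    be reported as MFT entry 0 (the $MFT file itself)."""
    if len(raw) != 8:
        raise ValueError("file reference must be exactly 8 bytes, got %d" % len(raw))
    if raw == bytes(8):
        return None
    value = struct.unpack("<Q", raw)[0]
    mft_entry_index = value & 0xFFFFFFFFFFFF  # low 48 bits = 6-byte record number
    sequence_number = value >> 48             # high 16 bits = 2-byte sequence number
    return mft_entry_index, sequence_number


def as_two_unknowns(raw):
    """Read the same 8 bytes the way the older table did: two 4-byte unknowns.
    The second value is the sequence number shifted into the high half-word,
    which is why it looked meaningless as a standalone integer."""
    return struct.unpack("<II", raw)


def parse_v23_metrics_entry(entry):
    """Decode one v23 metrics array entry into a dict."""
    if len(entry) != V23_METRICS_ENTRY_SIZE:
        raise ValueError("v23 metrics entry must be %d bytes" % V23_METRICS_ENTRY_SIZE)
    fields = struct.unpack_from("<6I", entry, 0)
    return {
        "start_time": fields[0],
        "duration": fields[1],
        "average_duration": fields[2],
        "filename_string_offset": fields[3],
        "filename_string_chars": fields[4],
        "flags": fields[5],
        "file_reference": parse_file_reference(entry[24:32]),
    }


def parse_v23_metrics_array(blob, count):
    """Walk `count` consecutive 32-byte entries of a metrics array."""
    return [
        parse_v23_metrics_entry(blob[i * V23_METRICS_ENTRY_SIZE:(i + 1) * V23_METRICS_ENTRY_SIZE])
        for i in range(count)
    ]


if __name__ == "__main__":
    print("as two 4-byte unknowns:", as_two_unknowns(SAMPLE_FILE_REFERENCE))
    print("as 6 + 2 byte file reference:", parse_file_reference(SAMPLE_FILE_REFERENCE))
    print(parse_v23_metrics_entry(SAMPLE_METRICS_ENTRY))
```

Run on the constructed bytes, the two-unknowns reading gives 4660 and 327680, while the 6 + 2 reading gives MFT entry 4660 with sequence number 5; the second value only makes sense once the 2-byte sequence number is separated out, which is the point of the re-split. To use it on a real file, slice the metrics array out of the prefetch at the offset and count given in the file header and pass the slice to `parse_v23_metrics_array`.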
The File Reference array is pointed to via the Volume Information structures:
I hope this information helps.
Here is the prefetch file I am looking at: https://docs.google.com/file/d/0B0hXPgyAlcJ1TVAxcmIzYkwtNGM
Hopefully I will finish my tool soon and get back to the series I am wanting to do.
Matt,
Interesting post. Do you know which file(s) the reference numbers refer to?
Thanks.
> I have identified two of the unknown fields for the metrics array entries (v23) and want to continue doing more testing.
The v23 metrics entry 4 bytes values at offset 24 and 28 were merged in version 0.0.7 of the document. If you're referencing the working documents it makes sense to add which version and date of the document you've looked at. And if you look at the v26 metrics entry you can see it was mentioned there.
I'm not surprised that this is also used for v23, though I did not have a sample to prove it. So thanks for the CLEANMGR.EXE-FC33795B.pf sample; this confirms what I suspected. I'll update the documentation accordingly.
> Not sure why they would be listed as empty values… so maybe a version
> thing, I need to look at more files.
Because they can be set to 0. In the v23 samples I looked at this value is 0 or not set.
> So it could be helpful to have file references in the metrics and not just in
> the file reference array.
The file entries in the metrics arrays refer to the loaded/prefetch resource files (e.g. DLL); those in the file references likely to the directory names in the volume information.
An interesting find.