Saturday, November 5, 2022

Hash-Cracker – A Small Util To Brute-Force Prefetch Hashes




Motivation

During the forensic analysis of a Windows machine, you may find the name of a deleted prefetch file. While its content may not be recoverable, the filename itself is often enough to find the full path of the executable for which the prefetch file was created.

Using the tool

The following fields must be provided:

Hash function

There are 3 known prefetch hash functions:

  • SCCA XP
    Used in Windows XP

  • SCCA Vista
    Used in Windows Vista and Windows 10

  • SCCA 2008
    Used in Windows 7, Windows 8 and Windows 8.1

Bodyfile

A bodyfile of the volume the executable was executed from.

The bodyfile format is not very restrictive, so there are many variations of it, some of which aren't supported. Body files created with fls and MFTECmd should work fine.

Mount point

The mount point of the bodyfile (the leading C:/ in the example below):

0|C:/Users/Peter/Desktop ($FILE_NAME)|62694-48-2|d/d-wx-wx-wx|...

How does it work?

The provided bodyfile is used to get the path of every folder on the volume. The tool appends the provided executable name to each of those paths to create a list of possible full paths for the executable. Each possible full path is then hashed using the provided hash function. If there is a possible full path for which the result matches the provided hash (the 8 hex characters in the prefetch filename), that path is output.
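The procedure above, as an added Python example (not Hash-Cracker's own code): the three SCCA hash functions as documented in the libscca prefetch format description, a directory collector for fls/MFTECmd-style bodyfiles, and the brute-force loop. It assumes the hash is computed over the uppercased NT device path (\DEVICE\HARDDISKVOLUME<n>\...), so the mount point is replaced by that prefix and a small range of volume numbers is tried; the volume range and the field layout of the sample bodyfile lines are assumptions, not something this page states.

```python
MASK = 0xFFFFFFFF

def _mul_add(h, chars):
    """Shared multiply-accumulate step: h = h * 37 + char, mod 2**32."""
    for c in chars:
        h = (h * 37 + ord(c)) & MASK
    return h

def scca_xp(path):          # Windows XP
    h = (_mul_add(0, path) * 314159269) & MASK
    if h > 0x80000000:      # absolute value of the signed 32-bit result
        h = 0x100000000 - h
    return h % 1000000007

def scca_vista(path):       # Windows Vista and Windows 10
    return _mul_add(314159, path)

def scca_2008(path):        # Windows 7, 8 and 8.1: 8-character blocks, then the tail
    h, i, n = 314159, 0, len(path)
    while i + 8 < n:
        v = ord(path[i + 1]) * 37
        for k in range(2, 7):
            v = (v + ord(path[i + k])) * 37
        v += ord(path[i]) * 442596621 + ord(path[i + 7])
        h = (v - h * 803794207) & MASK
        i += 8
    return _mul_add(h, path[i:])

HASHERS = {"SCCA XP": scca_xp, "SCCA Vista": scca_vista, "SCCA 2008": scca_2008}

def directories_from_bodyfile(lines, mount_point):
    """Every directory path below mount_point recorded in the bodyfile (assumed fls/MFTECmd layout)."""
    dirs = set()
    for line in lines:
        fields = line.split("|")                 # MD5|name|inode|mode|UID|GID|size|times...
        if len(fields) > 3 and fields[3].startswith("d/d"):
            name = fields[1].split(" (")[0]      # drop ' ($FILE_NAME)' / ' (deleted)' suffixes
            if name.startswith(mount_point):
                dirs.add(name[len(mount_point):].strip("/"))
    return dirs

def crack(target_hash, exe_name, dirs, hasher, max_volume=8):
    """Hash \\DEVICE\\HARDDISKVOLUME<n>\\<dir>\\<exe> for each dir and volume number n (assumed mapping)."""
    hits = []
    for vol in range(1, max_volume + 1):
        for d in sorted(dirs):
            rel = ((d + "/") if d else "") + exe_name
            candidate = (f"\\DEVICE\\HARDDISKVOLUME{vol}\\" + rel.replace("/", "\\")).upper()
            if hasher(candidate) == target_hash:
                hits.append(candidate)
    return hits
```

Feed crack() the integer value of the 8 hex characters from the prefetch filename, the executable name in front of them, and the directory set built from the bodyfile.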

Limitations

The following cases aren't supported:

  • Hosting applications, such as svchost.exe and mmc.exe
  • Applications executed with the /prefetch:# flag
  • Applications executed from a UNC (network) path

The 29-character limit

If the executable name is longer than 29 characters (including the extension), it will be truncated in the prefetch filename. For example, executing this file:

This is a very long file nameSo this part will be truncated.exe

From the C:\Temp directory on a Windows 10 machine, will result in the creation of this prefetch file:

THIS IS A VERY LONG FILE NAME-D0B882CC.pf

In this case, the executable name can't be derived from the prefetch filename, so you won't be able to provide it to the tool.

License

MIT
